When certificates needs to be renewed or changed on (on-premise) Exchange server\u2019s, and you have Microsoft 365 hybrid setup though Hybrid Configuration Wizard, a Office 365 connecter is setup as send and receive:<\/p>\n\n\n\n
Receive:
Default Frontend xxxx\/EXCH01 <\/p>\n\n\n\n
Send:
\nOutbound to Office 365
\nxxxxx send connector<\/p>\n\n\n\n
If you try to delete the old certificate, without setting the new cert for the connectors, you will get this in ECP: So we need to move into Powershell and replace it, because it cannot be done through the ECP: \nGet the thumprint for the new cert:\n\n<\/p>\n\n\n\n So here it is, the top level cert, it\u2019s a wildcard cert, thus the \u201c*.\u201d in the subject name, sorry for the maskings, this is from a non-lab environment <\/p>\n\n\n\n Copy the thumprint to notepad for next command.<\/p>\n\n\n\n Read the certificate subject and thumprint into a variable: The replace the connectors:<\/p>\n\n\n\n Send Connector \u2013<\/p>\n\n\n\n Receive Connector \u2013<\/p>\n\n\n\n Note: replace the word \u201cEXCH01\u201d with the name of your Exchangeserver like “MY-EXCH01\\Default Frontend MY-EXCH01”<\/p>\n\n\n\n Run IISRESET<\/p>\n\n\n\n This is because the old and new certificate have the same \u201cissuer\u201d and \u201csubject\u201d, the set-sendconnector and set-receiveconenctor, cannot thereforem tell the difference, but solution is easy:<\/p>\n\n\n\n Just add another cert on the servers thumbprint to the first script, then run all commands throgh, after that, do the same again, but now with the real cert\u2019s thumprint, and it works ?<\/p>\n\n\n\n Note that if you fail to replace your certificate before it expires (You forgot to), your mailflow between on-prem Excahnge and Exchange Online (365) will stop working and you will see this in the logs:<\/p>\n\n\n\n [Message=451 5.7.3 STARTTLS is required to send mail]<\/p>\n\n\n\n source links:<\/p>\n\n\n\n https:\/\/martinsblog.dk\/exchange-replacing-certificate-for-microsoft-365-hybrid-connectors\/ When certificates needs to be renewed or changed on (on-premise) Exchange server\u2019s, and you have Microsoft 365 hybrid setup though Hybrid Configuration Wizard, a Office 365 connecter is setup as send and receive: Receive: Default Frontend xxxx\/EXCH01 Send: Outbound to Office 365 xxxxx send connector If you try to delete the old certificate, without setting […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21,22,208,155],"tags":[],"class_list":["post-2502","post","type-post","status-publish","format-standard","hentry","category-exchange","category-microsoft","category-office365","category-ssl","author-admin"],"_links":{"self":[{"href":"https:\/\/galhano.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/2502","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/galhano.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/galhano.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/galhano.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/galhano.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2502"}],"version-history":[{"count":2,"href":"https:\/\/galhano.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/2502\/revisions"}],"predecessor-version":[{"id":2504,"href":"https:\/\/galhano.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/2502\/revisions\/2504"}],"wp:attachment":[{"href":"https:\/\/galhano.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2502"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/galhano.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2502"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/galhano.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2502"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\u201cA special Rpc error occurs on server EXCH01: These certificates are tagged with following Send Connectors : Outbound to Office 365. Removing and replacing certificates from Send Connector would break the mail flow. If you still want to proceed then replace or remove these certificates from Send Connector and then try this command.\u201d<\/em><\/p>\n\n\n\n
<\/p>\n\n\n\nGet-ExchangeCertificate<\/pre>\n\n\n\n
<\/p>\n\n\n\n$cert = Get-ExchangeCertificate -Thumbprint <paste the thumbprint in here from previous command>\n\n$tlscertificatename = "<i>$($cert.Issuer)<s>$($cert.Subject)" - Do not change anything here!<\/code><\/pre>\n\n\n\nSet-SendConnector "Outbound to Office 365" -TlsCertificateName $tlscertificatename<\/code><\/pre>\n\n\n\nSet-ReceiveConnector "EXCH01\\Default Frontend EXCH01" -TlsCertificateName $tlscertificatename<\/code><\/pre>\n\n\n\n
https:\/\/martinsblog.dk\/exchange-an-error-occurred-while-using-ssl-configuration-for-endpoint-0-0-0-0444\/
https:\/\/www.azure365pro.com\/replacing-send-connector-certificate\/<\/p>\n","protected":false},"excerpt":{"rendered":"