Exchange SE Certificate won’t bind to SMTP

Thomas Waschkies 0 Reputation points
2025-10-01T21:08:33.49+00:00

Hi,

I’m setting up a new Exchange Server SE in a hybrid environment and ran into an issue with certificates.

Situation

On the old server, there is an internal CA certificate (Thumbprint AAAA…) that is still enabled for SMTP.

On the new server, I imported a public Sectigo certificate (Thumbprint BBBB…). The certificate looks fine – it has both Server Authentication and Client Authentication in the EKU.

When I check with Get-ExchangeCertificate, the services show IIS, IMAP, POP – but no SMTP.

Problem

Running

Enable-ExchangeCertificate -Thumbprint BBBB… -Services SMTP,IIS,IMAP,POP

does not add SMTP. It stays missing.

I read that Exchange only allows one SMTP certificate per server. Could the fact that the old certificate is still bound to SMTP on the old server prevent the new one from binding on the new server?

Questions

  1. Do I need to unbind the old certificate from SMTP on the old server before I can enable the new one for SMTP on the new server?
  2. Does Exchange SE have stricter requirements compared to Exchange 2016 (e.g. EKU checks, private key permissions)?
  3. Is this the correct migration approach:
    1. Remove SMTP binding from the old cert on the old server
    2. Enable SMTP for the new cert on the new server
    3. Update Send/Receive connectors to use the new cert

Thanks for your advice!

Exchange | Exchange Server | Management

1 answer

Jade-T 6,915 Reputation points Microsoft External Staff Moderator
2025-10-02T02:48:53.2+00:00

Hi @Thomas Waschkies

Thank you for posting your question in the Q&A Forum.

I understand how this can be confusing during a certificate migration. As a forum moderator, I'm here to offer guidance and point you toward reliable resources. While I don't have access to perform operations on your system, I can share some information that may help you understand the situation and the typical steps used in similar scenarios.

Each Exchange server manages its own certificates independently. That means a certificate bound to SMTP on your old server does not prevent you from enabling a new certificate for SMTP on your new server. However, Exchange only allows one certificate per server to be enabled for SMTP at a time.

If SMTP doesn't appear when enabling your new certificate, it usually means another certificate on the same server (often the default self-signed one) is already holding the binding, or that the certificate's private key permissions or properties need to be reviewed. In many cases, administrators first review which certificate currently holds the SMTP binding and then reassign that role to the new public certificate.

The migration steps you outlined (importing and enabling the new certificate, assigning it to the required services including SMTP, updating Send/Receive connectors, and retiring the old certificate once everything is verified) are consistent with Microsoft's recommended approach.

For step-by-step guidance and best practices, Microsoft provides helpful documentation:

Please note this is general guidance based on Microsoft documentation. If the issue continues, your IT team or Microsoft Support may be able to provide further assistance.

I hope this explanation clarifies why the issue occurs and gives you a clear path forward.


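The procedure the question lists (see what holds SMTP, enable the new certificate, repoint the Send/Receive connectors) and the answer's advice to first check which certificate currently carries the SMTP binding, written out as one added Exchange Management Shell example. This is not code from either poster. The server name EXSE01 and the way the send connectors are selected are assumptions; the thumbprint is a placeholder to replace with the value Get-ExchangeCertificate shows for the Sectigo certificate.

```powershell
# Added example, not from the original post or the answer. Assumes an Exchange
# Management Shell session. $Server and the connector selection are assumptions;
# replace $NewThumbprint with the real thumbprint of the Sectigo certificate.
$Server        = 'EXSE01'   # hypothetical name of the new Exchange SE server
$NewThumbprint = 'BBBB...'  # placeholder: paste the real thumbprint here

# 1. Which certificates on this server carry SMTP right now, and does the new
#    one have a private key Exchange can use and a Status of Valid? Check this
#    before touching anything.
Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Services.ToString() -like '*SMTP*' -or $_.Thumbprint -eq $NewThumbprint } |
    Format-Table Thumbprint, Subject, NotAfter, HasPrivateKey, Status, Services -AutoSize

# 2. Enable the new certificate. Exchange prompts before replacing the default
#    SMTP certificate; -Force answers that prompt so the step is scriptable.
Enable-ExchangeCertificate -Server $Server -Thumbprint $NewThumbprint `
    -Services SMTP, IIS, IMAP, POP -Force

# 3. Verify that the SMTP flag actually landed on the certificate.
$cert = Get-ExchangeCertificate -Server $Server -Thumbprint $NewThumbprint
if ($cert.Services.ToString() -notlike '*SMTP*') {
    throw "SMTP still not enabled on $($cert.Thumbprint); review HasPrivateKey and Status above."
}

# 4. Pin the connectors to this certificate. TlsCertificateName has the form
#    "<I>issuer<S>subject", built from the certificate's own fields, so the
#    connector uses exactly this certificate rather than the server default.
$tlsName = "<I>$($cert.Issuer)<S>$($cert.Subject)"

# Receive side: the default frontend connector on the new server.
Set-ReceiveConnector -Identity "$Server\Default Frontend $Server" -TlsCertificateName $tlsName

# Send side: only connectors that already pin a certificate and that source
# mail from this server. Review the list before applying the change.
$sendConnectors = Get-SendConnector | Where-Object {
    $_.TlsCertificateName -and
    (($_.SourceTransportServers | ForEach-Object { $_.Name }) -contains $Server)
}
$sendConnectors | Format-Table Name, TlsCertificateName -AutoSize
$sendConnectors | ForEach-Object {
    Set-SendConnector -Identity $_.Identity -TlsCertificateName $tlsName
}
```

Enabling SMTP on the new certificate does not clear the SMTP flag on an older one: more than one certificate can carry SMTP, and which one a given connection uses is decided by the connector's TlsCertificateName, falling back to the server's default SMTP certificate when none is set. That is why step 4 sets the name explicitly instead of relying on the default, and why the step 1 listing is the place to look if step 3 throws.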

