SSL Certificate/ Exchange Server 2019

Hi @NealSignh,

Welcome to Microsoft Q&A, and thank you for reaching out to us.

From your description, it seems that when you run an OpenSSL test and review the logs, the certificate presented by the Exchange server during the TLS handshake appears to be a self-signed certificate, even though a trusted SSL certificate is already installed. Please correct me if I’ve misunderstood your scenario.

As a Microsoft Q&A moderator, I don’t have access to your organization’s configuration, but I’ll do my best to assist you with guidance based on official documentation and research.

Based on my research, this behavior is generally expected when the third-party certificate is not properly associated with the required Exchange services (such as IIS or SMTP), or when the default self-signed certificate remains active for those services. After installing or importing a CA-issued certificate, you must enable it for the Exchange services you intend to use. Otherwise, the self-signed certificate will continue to be presented.

To mitigate this, you could import the certificate on your Exchange Server by following this Microsoft article. After that, run the command below to confirm the certificate is installed and valid:

Get-ExchangeCertificate | Where-Object {$_.Status -eq "Valid"} | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint,NotBefore,NotAfter

Once verified, assign the certificate to the required Exchange services using the following command:

Enable-ExchangeCertificate -Thumbprint <Thumbprint> -Services <Service1>,<Service2>...

Additionally, I found a third-party article that discusses a similar issue. Feel free to review it and see if it helps resolve your problem.

Note: Microsoft is providing this information as a convenience to you. These sites are not controlled by Microsoft, and Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please ensure that you fully understand the risks before using any suggestions from the above link.

Thank you for your time. If you have any additional questions or need further clarification, feel free to let me know. I’ll be happy to assist you further.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".     

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

You may be seeing the self signed cert for message transfer between Exchange Servers as that is expected and the SMTP conversations between Exch itself on port 25 uses the self signed Exch Cert.

If you have a 3rd party cert installed and configured for client access, then you should only be using that assuming its installed correctly.

Can you elaborate where you are seeing the self signed cert being used?

Ok, ensure then that the correct certificate is bound to SMTP and you have a connector on the Exchange side with a FQDN that matches a subject name on that cert.

https://free.blessedness.top/en-us/exchange/mail-flow/connectors/custom-receive-connectors#scenario-2-receive-email-from-a-partner

go to the Mail flow > Receive connectors section in the Exchange Admin Center (EAC). Select the connector you want to modify, click Edit, and then go to the Scoping tab. Enter your custom FQDN in the FQDN field and click Save.