
Installed new Certificate but SMTP uses the old one.

Johan Valstar 11 Reputation points
2026-02-24T12:12:04.8533333+00:00

All,

I have installed a new certificate; IIS uses the right one, and in Exchange I also assigned IMAP, POP and SMTP to the new certificate.

The creation of the DANE TLSA record went wrong because the old certificate is used, as it is still valid (expires 20 March 2026).

I check the TLSA record on: https://www.huque.com/bin/danecheck-smtp

There I saw that the old certificate is being used.


The new certificate is valid from 23-02-2026 to 15-03-2027


The thumbprint starting with A42C8 is the newest, while the older (used) certificate starts with 5522B.

How can I correct this?

Exchange | Exchange Server | Management


4 answers

  1. Johan Valstar 11 Reputation points
    2026-02-24T22:23:23.4733333+00:00

    Problem solved by executing the command below:

    set-ReceiveConnector "Default Frontend DUIFSRV01" -TlsCertificateName $null

    I saw that when sending an e-mail it used the right certificate. I executed the following command:

    Get-ReceiveConnector |fl Name,Bindings, TlsCertificateName

    There I saw that the TlsCertificateName was empty, so I made the receive connector's also empty and that solved the issue.

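
As an added example (not code from the original thread or from Microsoft), the sequence below, for the Exchange Management Shell, makes the connector-to-certificate binding explicit and verifiable instead of relying on the FQDN match that an empty TlsCertificateName falls back to. The connector name is the one from the thread; the thumbprint is a placeholder, and the TLSA hash at the end assumes a "3 0 1" (full certificate, SHA-256) record, which the thread does not state.

```powershell
# Added example, not from the original thread. Run in the Exchange Management Shell.
# Assumptions: $ConnectorName is the connector named in the thread; $NewThumbprint is a
# placeholder for the new certificate's thumbprint (the one starting with A42C8 in the thread).
$ConnectorName = "Default Frontend DUIFSRV01"
$NewThumbprint = "<NEW-CERT-THUMBPRINT>"   # placeholder, replace with the real thumbprint

# 1. List every certificate that has the SMTP service enabled, newest first, so the old
#    and the new certificate can be told apart before anything is changed.
Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'SMTP' } |
    Sort-Object NotBefore -Descending |
    Format-Table Thumbprint, Subject, NotBefore, NotAfter, Services -AutoSize

# 2. Build the TlsCertificateName value in the "<I>Issuer<S>Subject" form that
#    Set-ReceiveConnector expects, read from the certificate itself so no typo slips in.
$NewCert = Get-ExchangeCertificate -Thumbprint $NewThumbprint
$TlsCertificateName = "<I>$($NewCert.Issuer)<S>$($NewCert.Subject)"

# 3. Bind the frontend connector to that certificate. (The thread's own fix was
#    -TlsCertificateName $null, which lets Exchange choose the certificate by FQDN instead.)
Set-ReceiveConnector -Identity $ConnectorName -TlsCertificateName $TlsCertificateName

# 4. Verify: the connector must now reference the new certificate's issuer and subject.
Get-ReceiveConnector -Identity $ConnectorName |
    Format-List Name, Bindings, Fqdn, TlsCertificateName

# 5. Restart both transport services so the new binding is picked up.
Restart-Service MSExchangeTransport, MSExchangeFrontEndTransport

# 6. Compute the SHA-256 of the full certificate (a TLSA "3 0 1" association, assumed here)
#    so it can be compared with what the DANE check reports the server presenting.
$Sha256 = [System.Security.Cryptography.SHA256]::Create()
$TlsaHash = ($Sha256.ComputeHash($NewCert.RawData) | ForEach-Object { $_.ToString('x2') }) -join ''
"TLSA 3 0 1 $TlsaHash"
```

One caveat worth checking: a renewed certificate from the same CA usually carries the same Issuer and Subject as the one it replaces, so the "<I>...<S>..." string matches both while the old one is still installed. The connector setting alone therefore does not prove which certificate is presented; confirm it from the SMTP protocol logs or an external STARTTLS/DANE check, as the thread does, and only then retire the old certificate.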

  2. Johan Valstar 11 Reputation points
    2026-02-24T21:24:31.2466667+00:00

    I installed a new Certificate and assigned it to SMTP, but I see that it uses an old certificate which will expire on 20th of March 2026.

    I removed the old one and the SMTP server does not support STARTTLS anymore because of the missing certificate.

    After that I installed another certificate and assigned it to SMTP, but it is still not working. I restarted IIS and the transport services.

    I reinstalled the old certificate and STARTTLS worked again.

    It looks like the SMTP certificate is always connected to the old certificate. Installing a new one doesn't solve the problem.


  3. Johan Valstar 11 Reputation points
    2026-02-24T12:59:49.9166667+00:00

    It uses the same FQDN; I have restarted IIS and the transport services as well, and also the complete server.

    In the SMTP protocol logs it can also be seen that the old certificate is used.

    The day before yesterday, I removed the old certificate and from that moment STARTTLS did not work anymore and I needed to restore the PC from backup.

    In the previous years, I assigned the new certificate to the SMTP server and that worked; I did the same now as well and it didn't work.


  4. Andy David - MVP 159.9K Reputation points MVP Volunteer Moderator
    2026-02-24T12:18:11.5733333+00:00

    Does your internet inbound connector have a different FQDN than the new cert?

    Have you restarted the transport service after enabling the new cert?

    If the new cert is being used generally (verify with SMTP protocol logs), then why not just remove the old cert?

