As Exchange/IT Admins, updating an SSL certificate is easily achieved using the Exchange Management Shell (EMS) and normally assigning the services to the new SSL certificate and performing an IISRESET, everything carries on working, however if you have updated your Send and/or Receive Connectors to use a TLS certificate name, this will give you a few errors from partner domains that are either relaying mail through you or something specific is assigned to the connectors.

The errors you may receive from remote email systems could be the following and not limited to:

  • Host does not advertise STARTTLS
  • Could not get remote certificate.


If you wanted to test this, you could use a tool/command called certcheck and if there is a problem you should see it as per the image below:

Exchange 2019 - don't forget to update the tls certificate name after renewing your ssl certificate
The command as show above simply does a check to validate TLS. E.G. certcheck where is your domain.


In the Exchange Management Shell (EMS), there are 4 commands we need to run to update the Send/Receive Connector with the new TLS name as shown below:

  • Get-ExchangeCertificate -Server <ServerName>
  • $TLSCert = Get-ExchangeCertificate -Thumbprint <Paste from command above>
  • $TLSCertName = “$($TLSCert.Issuer)$($TLSCert.Subject)”
  • Set-ReceiveConnector “Servername\ReceiveConnector” -TlsCertificateName $TLSCertName

I perform an IISRESET after a change or you can reboot the server, give it a few minutes to replicate everything and don’t forget to perform this on all servers where you have it set on your Receive Connectors.

If you run the test again, it should be successful.

Hope it helps.

Discover more from COLLABORATION PRO

Subscribe now to keep reading and get access to the full archive.

Continue reading