So our SAN SSL certificate was coming up for renewal and I really wanted to expand what was covered by it to include more devices. In general anything internal was using a self signed certificate and anything external used the SAN SSL. That worked fine but when it came time for renewal I figured why not just get a wildcard SSL and assign it to anything I could. Also would keep me from having to update subject names when there was a change.
So I bought a Wildcard SSL from GoDaddy and started assigning it to everything. Switched out the certificate on our firewall and VPN clients, mail server, web server, etc. Everything seemed to work fine. Then it came time to remove the old one once things were tested. Removing from IIS was fine, removing from the firewalls likewise fine, but removing from Exchange Control Panel gave the error in the title.
Now we do have a Exchange Online Hybrid deployment setup with centralized mail transport. We use a cloud based Barracuda spam/malware filter so all email in and out of the company goes through them then to our internal mail server. Any mailbox on Exchange Online then goes from our mail server to it and back. Well apparently when I set this up it made a send connector to route mail to Exchange Online and since it uses TLS attached the certificate that was currently being used which I was now trying to delete.
Unfortunately you can’t just go into the Send Connector in the ECP and reassign the certificate but you can do it by following some steps based on the Microsoft Set-SendConnector page. First get the list of your send connectors and the list of your certificates:
Copy the send connector that was in the error message and also the thumbprint for your new certificate. Next we will use that certificate to pull out the information needed to assign to the send connector and assign it:
$cert = Get-ExchangeCertificate -Thumbprint (your thumbprint)
$tlscertificatename = "<i>$($cert.Issuer)<s>$($cert.Subject)"
Set-SendConnector "Outbound to Office 365" -TlsCertificateName $tlscertificatename
Once your send connectors are updated you should be able to remove the old certificate. Also if you are using TLS on your receive connectors you will want to do the exact same thing but using the Set-ReceiveConnector command.
Note: If your new certificate has the exact same subject name then it might not update. You’ll have to remove it first using:
Set-SendConnector -Identity <connector name> -TlsCertificateName $Null
See https://learn.microsoft.com/en-us/exchange/troubleshoot/mailflow/cannot-remove-installed-certificate for more information.