by lunarg on March 18th 2019, at 12:45

If you wish to use TLS, or are using TLS authentication in a Office 365 Hybrid environment, and have manually changed or renewed the SSL certificate, you may still get errors about unable to initiate the TLS session (STARTTLS), even though the SSL certificate has been correctly renewed. Just setting the SSL certificate to be used with SMTP is not enough to make TLS work correctly. You also need to (re-)configure the TLS certificate name on your receive connectors.

As stated by the manual:

The TlsCertificateName parameter specifies the X.509 certificate to use with TLS sessions and secure mail. Valid input for this parameter is [I]Issuer[S]Subject. The Issuer value is found in the certificate's Issuer field, and the Subject value is found in the certificate's Subject field. You can find these values by running the Get-ExchangeCertificate cmdlet.

To properly format the contents of TlsCertificateName, you can extract it from the certificate through some rudimentary scripting.

Fire up the EMS and retrieve the current certificates:


You will get a list of all certificate, but you'll only need the one to be used for TLS, which you can extract by specifying its thumbprint. As we need to extract additional information from the certificate, we conviently dump it to a variable.

$cert = Get-ExchangeCertificate -Thumbprint DE67EC3C8D679DC35D171341FEC5148D012B1BAE2

From the variable we created, we can now compile our value for the TLS certificate name:

$tlscertificatename = "<i>$($cert.Issuer)<s>$($cert.Subject)"

With our new variable in place, we can now change every receive connector to modify the TLS certificate name to the new value:

Set-ReceiveConnector "EXSERVER\Client Frontend EXSERVER" -TlsCertificateName $tlscertificatename

If you have multiple receive connectors (or more than one server), repeat the command for every receive connector. The change is effective immediately.

« April 2019»
« You only find out who is swimming naked when the tide goes out. »
Warren Buffett