When you update your SSL certificate on your Exchange Servers it is also a necessary action to update both the Send and Received Connectors that have bindings. If this is not performed, then firstly you won’t be able to delete the old certificate as it is bound to the connector but more importantly, and certainly in a Hybrid scenario, you can break mail flow if the server that is sending requires validation of a TLS connection.
The good news is that it is an easy task to do. Follow these PowerShell steps to do this.
Get the Thumbprint of the certificate you need to apply to the connector.
get-exchangecertificate | ft
Then you can use that in the following command
$cert = get-exchangecertificate -thumbprint XX $tlscertificatename = "<i>$($cert.Issuer)<s>$($cert.Subject)"
This will setup the $tlscertificatename with the details needed to apply to the connectors.
Then use the following PowerShell to apply the certificate to both the Send and Receive Connectors. Obviously you will need to edit those commands with the actual connector names.
Set-SendConnector "Outbound to Office 365" -TlsCertificateName $tlscertificatename Set-ReceiveConnector "EXCHANGESERVER\Default Frontend EXCHANGESERVER" -TlsCertificateName $tlscertificatename
Once this is done you are able to delete any old certificates that you may have. Note that there is no need to restart any services as they will take effect immediately.
** QUICK ADDITIONAL NOTE **
When renewing certificates it is quite common for the name of the certificate to stay the same. That means that when you update the certificate on the send connector it will say that no updates have been made. But you still can’t delete the old certificate because it thinks it is applied to the Send Connector.
To fix this, just set the certificate that is assigned to the Send Connector to NULL. Use this command.
Set-SendConnector "Outbound to Office 365" -TlsCertificateName $NULL
Then you can remove the old certificate. After which you can just apply the correct certificate to the Send Connector.