To add a large point to that, the self-signed cert should *not* be removed or you'll break it. I don't know the intimate details however it's my understanding internal servers and consoles etc use this to communicate. I snaped a lab recently and removed it and after a reboot it was awefully broken...
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Michael B. Smith Sent: Tuesday, March 28, 2017 5:28 PM To: exchange@lists.myitforum.com Subject: [Exchange] RE: Removing Self-Issued Cert: Use openssl to determine what cert is actually being presented. Or turn up logging on the relevant receive and send connectors and examine those logs for the third-party. The LAST certificate set for use by SMTP should be the one that is used, except internally, which should use the internal default certificate. From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> [mailto:listsad...@lists.myitforum.com] On Behalf Of Orlebeck, Geoffrey Sent: Tuesday, March 28, 2017 10:24 AM To: 'exchange@lists.myitforum.com' Subject: [Exchange] Removing Self-Issued Cert: We run Exchange 2010 in a two-node DAG. There is a third-party hosted product that we have an IPsec VPN with, but they fail to send email as they do not trust the certificate being presented to them. On each node, there is a self-signed certificate each server has issued to itself (EXSRVR1/EXSRVR2). We have an internal CA and third-party trusted cert set to SMTP services, is there any issue disabling/removing the SMTP service from the self-issued certificates? Looking at this TechNet link https://technet.microsoft.com/en-us/library/dd351257(v=exchg.141).aspx) I can set the assigned services to 'None'. However, I'm curious if there will be any issues from internal Outlook clients using the Root CA certificate for SMTP (since it is trusted across all domain joined devices). Here's a sanitized output of one of our CAS server's certificates: [cid:image001.png@01D2A7EA.8A66E270] I appreciate any insight. Thank you. -Geoff Confidentiality Notice: This is a transmission from Montage Health. This message and any attached documents may be confidential and contain information protected by state and federal medical privacy statutes. They are intended only for the use of the addressee. If you are not the intended recipient, any disclosure, copying, or distribution of this information is strictly prohibited. If you received this transmission in error, please accept our apologies and notify the sender. Thank you.
