1.    First, check that the certificate is assigned to the services that it should be. This would most likely be SMTP and possibly IIS.


2.    Next, open Exchange Management Shell and check the queue using Get-Queue to see if it is healthy or backed up. If you see the DeliveryType in a Retry state and a high message count, this indicates that several messages are stuck in the queue, unable to send.


3.    Next, run Get-ExchangeCertificate to pull the list of Exchange certificates and capture the thumbprint of the new certificate.




4.    Next, check the send connector using the command Get-SendConnector -Identity <name of the send connector> | fl and capture the TlsCertificateName.

5.    Next, compare the certificate that should be issued with the certificate applied to the send connector using Get-ExchangeCertificate -Thumbprint <Thumbprint captured in step 3> | fl. In the TlsCertificateName captured in step 4, <I> marks the Issuer, and what follows after the comma is the Subject of the certificate. If they do not match, this is the issue, and the following step will update the certificate.



6.    Next, run the following commands to update the certificate:

  •  $TLSCert = Get-ExchangeCertificate -Thumbprint <Thumbprint captured in step 3>
  •  $TLSCertName = "<I>$($TLSCert.Issuer)<S>$($TLSCert.Subject)"
  •  Set-SendConnector "name of the send connector" -TlsCertificateName $TLSCertName

7.    Now you can repeat the steps for receive connectors with the following command:

  •  Set-ReceiveConnector "servername\receive connector name" -TlsCertificateName $TLSCertName
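
The comparison from steps 3 to 5, applied to every send and receive connector in one pass, as an added example that is not part of the original page. The function name Compare-ConnectorTlsCertificateName and the sample certificate and connector values are constructed for illustration, so the block runs without an Exchange server.

```powershell
# Added example: the function name and all sample values below are hypothetical.
function Compare-ConnectorTlsCertificateName {
    param(
        [Parameter(Mandatory)] $Certificate,          # needs Issuer, Subject, NotAfter, Services
        [Parameter(Mandatory)] [object[]] $Connector  # each needs Identity, TlsCertificateName
    )
    # Same string that step 6 builds for -TlsCertificateName.
    $expected = "<I>$($Certificate.Issuer)<S>$($Certificate.Subject)"
    foreach ($c in $Connector) {
        $current = [string]$c.TlsCertificateName
        $state = if ([string]::IsNullOrEmpty($current)) { 'NotSet' } elseif ($current -eq $expected) { 'Match' } else { 'Mismatch' }
        [pscustomobject]@{
            Connector   = [string]$c.Identity
            State       = $state
            Current     = $current
            Expected    = $expected
            CertExpired = $Certificate.NotAfter -lt (Get-Date)          # expired certificate
            SmtpEnabled = "$($Certificate.Services)" -match 'SMTP'      # step 1: SMTP assigned
        }
    }
}

# Constructed objects standing in for Get-ExchangeCertificate and connector output.
$cert = [pscustomobject]@{
    Issuer   = 'CN=Example Issuing CA, O=Example'; Subject = 'CN=mail.example.com'
    NotAfter = (Get-Date).AddYears(1);             Services = 'IIS, SMTP'
}
$connectors = @(
    [pscustomobject]@{ Identity = 'Outbound to Internet'; TlsCertificateName = '<I>CN=Old CA, O=Example<S>CN=mail.example.com' }
    [pscustomobject]@{ Identity = 'EX01\Default Frontend EX01'; TlsCertificateName = "<I>$($cert.Issuer)<S>$($cert.Subject)" }
    [pscustomobject]@{ Identity = 'EX01\Client Proxy EX01'; TlsCertificateName = $null }
)
Compare-ConnectorTlsCertificateName -Certificate $cert -Connector $connectors |
    Format-Table Connector, State, CertExpired, SmtpEnabled

# In Exchange Management Shell, pass the real objects instead:
#   $cert = Get-ExchangeCertificate -Thumbprint <Thumbprint captured in step 3>
#   Compare-ConnectorTlsCertificateName -Certificate $cert -Connector (@(Get-SendConnector) + @(Get-ReceiveConnector))
```

Rows reported as Mismatch are the connectors that steps 6 and 7 correct; NotSet means the connector has no TlsCertificateName configured.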