The msExchInternalTLSCert attribute

Have you ever wondered where Exchange looks to find the certificate for inbound and outbound TLS for the SMTP service?

Well, it’s actually documented in detail here and here. If you read the TechNet articles you can come to the conclusion that Enable-ExchangeCertificate for the SMTP service will stamp the msExchServerInternalTLSCert attribute on the transport server object in AD with the certificate thumbprint you specify in the command.

But what happens if you run Enable-ExchangeCertificate and choose not to overwrite the certificate for SMTP?

If you check the certificate list now, you'll notice two certificates: both are valid, and apparently both are assigned to SMTP. So which one will Exchange use for X-AnonymousTLS, given that I didn't overwrite the current certificate?

Luckily we know from the TechNet articles that Exchange queries AD to match the thumbprint in the msExchServerInternalTLSCert attribute during the certificate selection process for X-AnonymousTLS. So, how can I quickly check which one of the certificates is actually being used?

Import-Module activedirectory

# Every transport server in the organization, by name.
$transportServers = Get-TransportServer | select -ExpandProperty Name

# Exchange server objects live in the forest-wide Configuration partition.
$forest = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Forest.ToString();
$searchbase = "CN=Configuration,DC=" + ($forest).replace('.', ',DC=')
$results = @()

foreach ($transportServer in $transportServers)
{
    # msExchServerInternalTLSCert holds the certificate itself; cast the bytes to an
    # X509Certificate2 so the thumbprint can be read off it.
    $CertThumbPrint = Get-ADObject -Filter "ObjectClass -eq 'msExchExchangeServer' -and name -eq '$transportServer'" -properties * -SearchBase $searchbase -server $forest | %{ [Security.Cryptography.X509Certificates.X509Certificate2]$_.msExchServerInternalTLSCert } | select -expandproperty thumbprint
    $obj = New-Object PSObject -Property @{ "TransportServer" = $transportServer; "SMTPCertificate" = $CertThumbPrint }
    $results += $obj
}

# One row per transport server: the thumbprint Exchange will use for X-AnonymousTLS.
$results | select TransportServer, SMTPCertificate
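The script above tells you which thumbprint AD points at, but not whether that certificate is actually present, still valid, or merely one of several SMTP-enabled certificates on the box. The following is an added example, not part of the original post, that cross-checks the AD-stamped certificate against the local certificate store on each transport server. It assumes the Exchange Management Shell (for Get-TransportServer and Get-ExchangeCertificate) and the ActiveDirectory module are loaded; the function name Get-SmtpTlsCertStatus and the Status labels are my own.

```powershell
# Added example (not the original post's code): for each transport server, report which
# SMTP-enabled certificate is the one referenced by msExchServerInternalTLSCert in AD,
# which ones are bystanders, and whether the referenced certificate is missing or expired.
# Assumes Exchange Management Shell + ActiveDirectory module. Function name and Status
# labels are hypothetical (chosen for this example).
Import-Module ActiveDirectory

function Get-SmtpTlsCertStatus {
    param(
        [Parameter(Mandatory = $true)]
        [string]$ServerName
    )

    # Same lookup as the post: the server object lives in the Configuration partition.
    $forest     = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Forest.ToString()
    $searchBase = "CN=Configuration,DC=" + $forest.Replace('.', ',DC=')
    $serverObj  = Get-ADObject -Filter "ObjectClass -eq 'msExchExchangeServer' -and name -eq '$ServerName'" `
                               -SearchBase $searchBase -Server $forest -Properties msExchServerInternalTLSCert

    if (-not $serverObj -or -not $serverObj.msExchServerInternalTLSCert) {
        # Nothing stamped: Exchange has no AD reference to match during X-AnonymousTLS selection.
        return [PSCustomObject]@{
            Server = $ServerName; Thumbprint = $null; Subject = $null
            NotAfter = $null; Expired = $null; Status = 'NotStampedInAD'
        }
    }

    # The attribute stores the DER-encoded certificate; decode it to get its thumbprint.
    $adCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$serverObj.msExchServerInternalTLSCert

    # Every certificate the server has enabled for SMTP, according to its local store.
    $smtpCerts = @(Get-ExchangeCertificate -Server $ServerName | Where-Object { $_.Services -match 'SMTP' })

    foreach ($cert in $smtpCerts) {
        $isSelected = ($cert.Thumbprint -eq $adCert.Thumbprint)
        [PSCustomObject]@{
            Server     = $ServerName
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt (Get-Date))
            Status     = if ($isSelected) { 'ReferencedInAD' } else { 'SmtpEnabledNotReferenced' }
        }
    }

    # The certificate AD points at is not in the local store at all: that mismatch is
    # worth investigating before assuming internal TLS is using the cert you expect.
    if (-not ($smtpCerts | Where-Object { $_.Thumbprint -eq $adCert.Thumbprint })) {
        [PSCustomObject]@{
            Server     = $ServerName
            Thumbprint = $adCert.Thumbprint
            Subject    = $adCert.Subject
            NotAfter   = $adCert.NotAfter
            Expired    = ($adCert.NotAfter -lt (Get-Date))
            Status     = 'ReferencedInADButNotInLocalStore'
        }
    }
}

# Run it for every transport server and show the result as one table.
Get-TransportServer | ForEach-Object { Get-SmtpTlsCertStatus -ServerName $_.Name } |
    Sort-Object Server, Status | Format-Table -AutoSize
```

A server where the only row is ReferencedInADButNotInLocalStore, or where the ReferencedInAD row shows Expired = True, is the case to act on: re-run Enable-ExchangeCertificate with the thumbprint you actually want (and overwrite this time), then re-run the check to confirm the AD reference and the local store agree.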

Michael Hall
Service Engineer
Office 365