Applies to: Exchange Server 2007
Topic Last Modified: 2007-09-13

Use the Remove-ExchangeCertificate cmdlet to remove an existing certificate from the local certificate store. If the certificate is a Simple Mail Transfer Protocol (SMTP) Transport Layer Security (TLS) certificate that is also stored in the Active Directory directory service, the copy stored in Active Directory is removed as well when you run this command.

There are many factors to consider when you configure certificates for TLS and Secure Sockets Layer (SSL) services. You must understand how these factors may affect your overall configuration. Before you continue, see Certificate Use in Exchange Server 2007.


Remove-ExchangeCertificate -Thumbprint <String> [-DomainController <Fqdn>]


Parameter         Required  Type    Description

Thumbprint        Required  String  Use this parameter to specify the thumbprint of the certificate that you are removing. Each certificate contains a thumbprint, which is the digest of the certificate data.

DomainController  Optional  Fqdn    To specify the fully qualified domain name (FQDN) of the domain controller that retrieves data from Active Directory, include the DomainController parameter in the command. The DomainController parameter is not supported on computers that run the Edge Transport server role. The Edge Transport server role writes only to the local Active Directory Application Mode (ADAM) instance.

Detailed Description

To run the Remove-ExchangeCertificate cmdlet, the account you use must be delegated the following:

  • Exchange Server Administrator role and local Administrators group for the target server

To run the Remove-ExchangeCertificate cmdlet on a computer that has the Edge Transport server role installed, you must log on by using an account that is a member of the local Administrators group on that computer.

For more information about permissions, delegating roles, and the rights that are required to administer Microsoft Exchange Server 2007, see Permission Considerations.

If you want to replace the internal transport certificate for the server with another certificate that has the same server fully qualified domain name (FQDN), you cannot remove the certificate that is currently in use. You must create the new certificate for the server FQDN first and then remove the old certificate.


This example uses the Remove-ExchangeCertificate command to remove a certificate with the specified thumbprint.

Remove-ExchangeCertificate -Thumbprint 5113ae0233a72fccb75b1d0198628675333d010e
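The following Exchange Management Shell script is an added example, not part of the original page or of Exchange itself. It wraps Remove-ExchangeCertificate so that a certificate still enabled for a service (SMTP, IIS, POP, IMAP or UM) is never removed, which is the situation the Detailed Description warns about; it assumes that Get-ExchangeCertificate returns objects with Thumbprint, Subject, Services and NotAfter properties, and the function names Get-ExpiredUnboundExchangeCertificate and Remove-UnusedExchangeCertificate are my own.

```powershell
# Added example (not from the original page). Run in the Exchange Management Shell.
# Assumption: Get-ExchangeCertificate objects expose Thumbprint, Subject,
# Services (flags: None, IMAP, POP, UM, IIS, SMTP) and NotAfter.

# List removal candidates: expired certificates that no Exchange service still uses.
function Get-ExpiredUnboundExchangeCertificate {
    Get-ExchangeCertificate | Where-Object {
        $_.NotAfter -lt (Get-Date) -and [string]$_.Services -eq 'None'
    } | Select-Object Thumbprint, Subject, NotAfter
}

# Remove a certificate by thumbprint only if it is not bound to any service.
function Remove-UnusedExchangeCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Thumbprint
    )

    # Look the certificate up in the local store first.
    $cert = Get-ExchangeCertificate -Thumbprint $Thumbprint -ErrorAction SilentlyContinue
    if ($cert -eq $null) {
        Write-Warning "No certificate with thumbprint $Thumbprint in the local store."
        return
    }

    # A certificate that is still enabled for a service must be replaced first
    # (create and enable the new one), otherwise that service loses its TLS/SSL
    # identity. The internal transport certificate cannot be removed while in use.
    $services = [string]$cert.Services
    if ($services -ne 'None') {
        Write-Warning ("Refusing to remove {0} ({1}): still enabled for {2}." -f `
            $cert.Thumbprint, $cert.Subject, $services)
        return
    }

    $state = if ($cert.NotAfter -lt (Get-Date)) { 'expired' } else { "valid until $($cert.NotAfter)" }
    Write-Host ("Removing {0} ({1}), {2}, not bound to any service." -f `
        $cert.Thumbprint, $cert.Subject, $state)

    Remove-ExchangeCertificate -Thumbprint $cert.Thumbprint
}

# Example call using the thumbprint from the page's example:
# Remove-UnusedExchangeCertificate -Thumbprint 5113ae0233a72fccb75b1d0198628675333d010e
```

Run Get-ExpiredUnboundExchangeCertificate first to see which thumbprints are safe to clean up, then pass each one to Remove-UnusedExchangeCertificate.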