Cannot remove internal transport certificate in Exchange

I wanted to remove an old TLS certificate from our Exchange server. The old certificate was previously used for IIS and SMTP. I replaced the certificate with a new one, but I was not able to remove the expired one. I got the following error message:

A special Rpc error occurs on server [...]: The internal transport certificate cannot be removed because that would cause the Microsoft Exchange Transport service to stop. To replace the internal transport certificate, create a new certificate. The new certificate will automatically become the internal transport certificate. You can then remove the existing certificate.

(In German: Ein spezieller RPC-Fehler ist auf dem Server [...] aufgetreten. Das interne Transportzertifikat kann nicht entfernt werden, weil dies das Beenden des Microsoft Exchange Transportdiensts bewirken würde. Erstellen Sie ein neues Zertifikat, um das interne Transportzertifikat zu ersetzen. Das neue Zertifikat wird automatisch als internes Zertifkat eingesetzt. Anschließend können Sie das vorhandene Zertifikat entfernen.)

After doing some research, I found out I had to use the PowerShell cmdlet Enable-ExchangeCertificate to make the new certificate become the new internal transport certificate.

Use the Exchange Admin Center or Get-ExchangeCertificate to get the new certificate's thumbprint.

Now use Enable-ExchangeCertificate to replace the internal transport certificate (assuming the thumbprint is 98e0f19b89264facd8fb5dfed8ac60c7dd7fc859):

Enable-ExchangeCertificate -Thumbprint 98e0f19b89264facd8fb5dfed8ac60c7dd7fc859 -Services SMTP,IIS

Now you can remove the expired certificate.
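
The whole swap as one Exchange Management Shell script, with checks before the removal. This is an added example, not part of the original post; the old thumbprint is a placeholder, and the validity and expiry checks are assumptions about what you would want to confirm first.

```powershell
# Added example. Run in the Exchange Management Shell on the affected server.
$newThumbprint = '98e0f19b89264facd8fb5dfed8ac60c7dd7fc859'  # thumbprint assumed in the post
$oldThumbprint = '<THUMBPRINT-OF-EXPIRED-CERTIFICATE>'        # placeholder, fill in your own

$new = Get-ExchangeCertificate -Thumbprint $newThumbprint -ErrorAction Stop
$old = Get-ExchangeCertificate -Thumbprint $oldThumbprint -ErrorAction Stop

# Show both certificates side by side before changing anything.
$new, $old | Format-List Subject, Thumbprint, NotAfter, Status, Services

$now = Get-Date
# The replacement must be usable, otherwise SMTP/IIS would end up on a bad certificate.
if ("$($new.Status)" -ne 'Valid' -or $new.NotAfter -le $now) {
    throw "Replacement certificate $newThumbprint is not valid; nothing was changed."
}
# Only the expired certificate should be removed, so guard against swapped thumbprints.
if ($old.NotAfter -gt $now) {
    throw "Certificate $oldThumbprint has not expired yet; check the thumbprint."
}

# Assign SMTP and IIS to the new certificate (the command from the post).
Enable-ExchangeCertificate -Thumbprint $newThumbprint -Services SMTP,IIS

# Re-read the certificate and confirm SMTP is really bound before removing the old one.
$new = Get-ExchangeCertificate -Thumbprint $newThumbprint -ErrorAction Stop
if ("$($new.Services)" -notmatch 'SMTP') {
    throw "SMTP is not assigned to $newThumbprint; keeping the old certificate."
}

Remove-ExchangeCertificate -Thumbprint $oldThumbprint -Confirm
```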

Published on 2022-10-02, 16:44 +0000

Outlook cache mode and calendar items

Wanted to transfer some calendar items into the calendar of another Exchange mailbox. I thought I transferred everything until a user noticed that some items were missing. The user saw more items in the mailbox than I did. The solution was to turn off the cache mode of Outlook. With cache mode disabled, I saw all items in the calendar.

Published on 2022-09-05, 19:26 +0000

Departure board in Frankfurt: Blurred

Came across this blurred departure board in Frankfurt Hauptbahnhof:

[Image: Blurred departure board]

I really have no idea what happened here. When I took this photo, it was about 16:30 and the board still showed departures from about 6:00 and 8:00. It was the only board affected. The information on the display is blurred. I guess that the display or rather the computer crashed.

Published on 2022-08-21, 18:02 +0000

Microsoft Edge not printing

Although I prefer Firefox, I really have to admit that the Chromium-based Microsoft Edge is a good browser. Way better than the old Edge (the one with the blue icon).

Recently we had a problem with Edge not printing anymore. The printing dialogue stayed empty with Edge eventually crashing.

Deleting browser data and a reinstall of Edge did not work. We discovered that this occurred only in one certain user profile, so we deleted everything Edge-related from HKCU. This also did not work. Deleting the whole Windows profile was no option, so we decided to export the bookmarks and to delete the folder %localappdata%\Microsoft\Edge. After that, Edge was "fresh" for this user and printing did work again! We re-imported the bookmarks and everything was fine again.

Published on 2022-08-13, 15:26 +0000

Let's Encrypt is for encryption!

… and not for validating a website's identity!

Seriously, I love Let's Encrypt and the idea of providing free TLS certificates (e.g. for HTTPS) and to automatically renew them. In my opinion, there is no reason not to use it when you just want to secure your traffic using TLS encryption.

I often heard that Let's Encrypt provides "false security" because everyone who owns a domain can create as many certificates as they want, even if their intentions are bad. And the lock symbol in the browser's address bar makes people think that the site is trustworthy.

Yeeeessss… I see the point, but that's not a problem of Let's Encrypt! The purpose of Let's Encrypt is to bring TLS (and thus HTTPS) to the masses! Let's Encrypt allows you to encrypt your traffic using TLS - no more, no less. The purpose is not to prove a website is trustworthy! If you really want to prove that you are a trustworthy and really existing organization, you need a higher validation level. Also, domain-validated certificates existed long before Let's Encrypt - Let's Encrypt's certificates are nothing other than automatically validated domain-validated certificates.

Just keep using Let's Encrypt. There is no reason not to do so. Don't let people tell you that Let's Encrypt's certificates are not real certificates. If you just want to encrypt traffic using TLS, you're fine.

Published on 2022-07-27, 19:50 +0000