Notes

Cannot remove internal transport certificate in Exchange

I wanted to remove an old TLS certificate from our Exchange server. The old certificate was previously used for IIS and SMTP. I replaced the certificate with a new one, but I was not able to remove the expired one. I got the following error message:

A special Rpc error occurs on server [...]: The internal transport certificate cannot be removed because that would cause the Microsoft Exchange Transport service to stop. To replace the internal transport certificate, create a new certificate. The new certificate will automatically become the internal transport certificate. You can then remove the existing certificate.

(In German: Ein spezieller RPC-Fehler ist auf dem Server [...] aufgetreten. Das interne Transportzertifikat kann nicht entfernt werden, weil dies das Beenden des Microsoft Exchange Transportdiensts bewirken würde. Erstellen Sie ein neues Zertifikat, um das interne Transportzertifikat zu ersetzen. Das neue Zertifikat wird automatisch als internes Zertifkat eingesetzt. Anschließend können Sie das vorhandene Zertifikat entfernen.)

After doing some research, I found out I had to use the PowerShell cmdlet Enable-ExchangeCertificate to make the new certificate the internal transport certificate.

Use the Exchange Admin Center or Get-ExchangeCertificate to get the new certificate's thumbprint.

Now use Enable-ExchangeCertificate to replace the internal transport certificate (assuming the thumbprint is 98e0f19b89264facd8fb5dfed8ac60c7dd7fc859):

Enable-ExchangeCertificate -Thumbprint 98e0f19b89264facd8fb5dfed8ac60c7dd7fc859 -Services SMTP,IIS

Now you can remove the expired certificate.
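The whole sequence as one Exchange Management Shell script, added here as an example and not part of the original note. It keeps the thumbprint from above for the new certificate; the thumbprint of the expired certificate is a placeholder you fill in from the Get-ExchangeCertificate listing, and the checks before and after Enable-ExchangeCertificate are my own additions.

```powershell
# Added example: replace the internal transport certificate, then remove the old one.
# Run in the Exchange Management Shell. Thumbprint of the new certificate is taken
# from the note above; the expired certificate's thumbprint is a placeholder.
$newThumbprint = '98e0f19b89264facd8fb5dfed8ac60c7dd7fc859'
$oldThumbprint = '<THUMBPRINT-OF-EXPIRED-CERTIFICATE>'   # fill in from the listing below

# 1. List every certificate Exchange knows about, with its service bindings and expiry,
#    so the right thumbprints can be picked and nothing still in use gets removed by mistake.
Get-ExchangeCertificate |
    Select-Object Thumbprint, Subject, NotAfter, Services, Status, IsSelfSigned |
    Sort-Object NotAfter |
    Format-Table -AutoSize

# 2. Sanity-check the new certificate before binding it: it must exist and must not
#    itself be expired, or the Transport service would be handed a bad certificate.
$new = Get-ExchangeCertificate -Thumbprint $newThumbprint -ErrorAction Stop
if ($new.NotAfter -lt (Get-Date)) {
    throw "New certificate $newThumbprint expired on $($new.NotAfter); aborting."
}

# 3. Bind the new certificate to SMTP and IIS. -Force suppresses the interactive
#    "overwrite the existing default SMTP certificate?" prompt; answering no to that
#    prompt would leave the old certificate as the internal transport certificate.
Enable-ExchangeCertificate -Thumbprint $newThumbprint -Services SMTP,IIS -Force

# 4. Verify the binding took effect before touching the old certificate.
$new = Get-ExchangeCertificate -Thumbprint $newThumbprint
if ($new.Services -notmatch 'SMTP' -or $new.Services -notmatch 'IIS') {
    throw "Certificate $newThumbprint is not bound to both SMTP and IIS; not removing anything."
}

# 5. Only now remove the expired certificate. This is the step that previously failed
#    with "The internal transport certificate cannot be removed".
Remove-ExchangeCertificate -Thumbprint $oldThumbprint -Confirm:$false
```

Keep the listing from step 1; if the old thumbprint is still bound to other services (IMAP, POP, UM) in that output, rebind those first or the removal will fail for the same reason.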

Published on 2022-10-02, 16:44 +0000