Skip to content

Internal Transport Certificate


The Internal Transport Certificate in Exchange Server is used in Exchange Server Front-End to Back-End MailFlow scenarios as well as in scenarios in which the Exchange Servers communicate with each other, using the SMTP (Simple Mail Transfer Protocol) protocol. It is generated on a per-server base during the Exchange Server setup process and contains the computers NetBIOS (Network Basic Input/Output System) name as well as the FQDN (Fully Qualified Domain Name).

A missing Internal Transport Certificate can lead to a broken MailFlow on or with the affected machine. It's therefore essential to have a valid certificate for this purpose on the machine. We recommend to not replace the self-signed certificate which was created by Exchange itself.

What does the check do?

The check queries the certificate which is marked as Internal Transport Certificate on the server against which the script is currently running. The script will throw a warning if the certificate cannot be found on the machine. It must then be recreated by the Exchange Server administrator and set as new Internal Transport Certificate.

How to create a new Internal Transport Certificate?

You can run the following PowerShell code from an elevated Exchange Management Shell (EMS). It will generate a new Internal Transport Certificate which replaces the existing one on the machine where the command was executed.

$newInternalTransportCertificateParams = @{
    Server               = $env:COMPUTERNAME
    KeySize              = 2048
    PrivateKeyExportable = $true
    FriendlyName         = $env:COMPUTERNAME
    DomainName           = $env:COMPUTERNAME
    IncludeServerFQDN    = $true
    Services             = "SMTP"
    Force                = $true
    ErrorAction          = "Stop"

New-ExchangeCertificate @newInternalTransportCertificateParams

Included in HTML Report?


Additional resources