We have been using a Let's Encrypt certificate on our Exchange 2019 server for several years. In a recent renewal, the certificate lost the SMTP service assignment. In troubleshooting the problem, I found the Network Service permission was missing. Whenever I try to modify the permissions for the new certificate, it fails and states "parameter is incorrect".
If I try to take ownership, it also fails.
1 Like
Try deleting the certificate and renew it. And do a SMART check on your drives. (Unexpected) permission problems and weird errors like "parameter is incorrect" are usually a sign that files and data are getting corrupt, and that your hard drive is soon going 6 feet under the ground.
1 Like
There's also the possibility that Windows Exchange 2019 expects the TLS Client Auth EKU (maybe for company internal server to server connections) and isn't finding it in the provided certificate as Let's Encrypt has removed this EKU.
I don't have any Exchange-specific resources to help you; however, here's a blog post explaining the change. Ending TLS Client Authentication Certificate Support in 2026 - Let's Encrypt
4 Likes
That doesn't sound like anything specific to the certs, which are just files. But perhaps something your ACME Client is doing differently than before.
I moved your post to the Help section. You would have been shown the questions below had you posted in Help first. At minimum the info about your o/s and the ACME Client will be helpful. The other parts may be as well. Thanks
=========================================
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version if you're using Certbot):
3 Likes
You shouldn't have to mess with permissions at all. If you are using Enable-ExchangeCertificate via PowerShell (using posh-acme, win-acme, simple-acme, Certify The Web, etc.), it will take care of permissions; just ensure that your cert is being imported into the normal Local Machine "My"/Personal certificate store.
It can also be things like you are suddenly using modern PFX algorithms instead of the classic legacy ones Windows typically supports.
So it's going to depend how you are getting the cert, what key type it has and how you are applying it.
3 Likes
In my experience with Windows server certs, that 'parameter is incorrect' message can also pop up if the account you're logged in with doesn't have full control over the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder where the keys are physically stored. Might be worth checking the folder-level permissions if the certificate itself is refusing to let you modify the Network Service assignment.
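
The checks suggested in the replies above, collected into one diagnostic script as an added example (it is not part of any post in this thread). It assumes an elevated Exchange Management Shell on the server; the thumbprint is a placeholder, and the key folder locations are the usual Windows defaults for machine keys.

```powershell
# Added example. Placeholder: replace with the thumbprint of the renewed certificate.
$Thumbprint = '<THUMBPRINT-OF-RENEWED-CERT>'

# 1. The cert must sit in the Local Machine "My"/Personal store with its private key.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My" }
"Subject       : $($cert.Subject)"
"HasPrivateKey : $($cert.HasPrivateKey)"

# 2. EKUs actually present (the thread notes Let's Encrypt removed TLS Client Auth).
"EKUs          : $(($cert.EnhancedKeyUsageList | ForEach-Object FriendlyName) -join ', ')"

# 3. Key type and key file; this depends on how the ACME client imported the PFX.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) {
    "Key           : not RSA, or no private key associated with the certificate"
} else {
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG (key storage provider) machine keys
        $dir  = Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'
        $file = $rsa.Key.UniqueName
    } else {
        # Legacy CSP machine keys: the folder named in the last reply
        $dir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
        $file = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }
    $keyPath = Join-Path $dir $file
    "Key           : $($rsa.GetType().Name), $($rsa.KeySize) bits"
    "Key file      : $keyPath"

    # Read-only: who can access the key file and its parent folder.
    # NETWORK SERVICE needs read access on the key file for the SMTP service.
    foreach ($p in $keyPath, $dir) {
        "ACL for $p"
        (Get-Acl -Path $p).Access |
            Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
    }
}

# 4. What Exchange itself sees for this certificate.
Get-ExchangeCertificate -Thumbprint $Thumbprint |
    Format-List Subject, Services, Status, NotAfter

# 5. Reassign SMTP through Exchange instead of editing ACLs by hand.
#    Left commented out so the script stays read-only; uncomment to apply.
# Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services SMTP
```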