

Outlook pulling incorrect SSL certificate from Exchange 2010 SP 2 server

Posted on 2013-06-17
Medium Priority
1 Endorsement
Last Modified: 2013-06-19
I have a 3 year old Exchange 2010 server that is fully patched.

I replaced an expiring SSL cert with a new one. The new one is valid from 6/17/13 to 6/27/15 with the subject of mail.publicdomainname.com. However, when I open up Outlook, it pulls up an expired certificate that is for publicdomainname.com. What's odd is that I don't have that invalid certificate anywhere, and it's not something I created as far as I can tell. I've deleted all other certificates on the server and left only the new valid certificate that expires in 2015. I've restarted IIS and the MSExchangeTransport services.

Screen shot 1 and 2 attached are what I get when I open Outlook and connect to my Exchange server (from outside the LAN).  That is the invalid certificate that I should not see and I want to replace with the valid certificate, but not sure where it's configured in Exchange Management Console.  

Screen shot 3 is what I see from Exchange webmail.  It shows my valid certificate.  Screen shot 4 is the list of certs you can see from Exchange Management Console.  Do you have any suggestions for where I should go to make sure that Outlook is using the right certificate?  I've gone in and assigned all services to the proper certificate (screen shot 5).

Thanks in advance.
Question by:dmessman

Assisted Solution

gkousikan earned 400 total points
ID: 39255261
1. Run the Get-ExchangeCertificate | fl cmdlet to verify if the certificate was assigned to services.
   SAN (Subject Alternative Name) of the certificate includes autodiscover.

2. Any other device issuing the old certificate, like a proxy server/load balancer device.
LVL 19

Expert Comment

ID: 39255262
It seems that your Outlook Anywhere used the old certificate.

Could you try this link to Outlook Anywhere: https://www.testexchangeconnectivity.com/

LVL 63

Accepted Solution

Simon Butler (Sembee) earned 1600 total points
ID: 39255462
This sounds like Autodiscover issues.
If you browse to https://example.com then you should get an SSL prompt of some description. That will allow you to see the SSL certificate and possibly where it is coming from.
You should also check where the host name resolves to.

If it is happening from outside the network then it will be Autodiscover and it will be because there is an SSL certificate on the public web site. Autodiscover queries a number of URLs, one of which is the root of the domain.

This is further complicated by some hosting control panels having Autodiscover support for their own purposes, so the URL that Outlook is querying is actually valid. If that is the case then you will need to speak to your hosting company to get them to block it.

You can see what Autodiscover is doing via the Microsoft test site at the link above, or through Outlook itself. http://semb.ee/adt


Author Comment

ID: 39255847
You are all totally right - it is autodiscover, and it is not my certificate that is the problem.

If I go to https://publicdomainname.com - it shows me the invalid certificate that expired on 4/27/13 that I am having the trouble with and https://publicdomainname.com/autodiscover/autodiscover.xml DOES respond with a 404 error. The page doesn't exist, but the web site is responding with a 404 error.

I'll have to figure this out with my web host.

Thanks for your help

Author Closing Comment

ID: 39260975
https://publicdomainname.com/autodiscover/autodiscover.xml did not exist on my web host, but the SSL certificate that was being used by the web host was out of date. If the certificate was in date, this would have been a non-issue as the autodiscover process would have realized the web server wasn't giving a proper response, but when the certificate became out of date, this generated an error so that the autodiscover process could not move on.

I had our web server people disable port 443 on the web server since we don't use SSL on our web site anyway.
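
The check that resolved this thread, as an added example that is not part of any participant's post: for the two HTTPS hosts Outlook tries from outside the LAN, show where each name resolves and which certificate it presents, including expired ones. The function names are hypothetical and user@example.com is a constructed placeholder.

```powershell
# Added example; user@example.com below is a constructed placeholder address.
function Get-AutodiscoverHost {
    param([Parameter(Mandatory = $true)][string]$EmailAddress)
    $domain = ($EmailAddress -split '@')[-1]
    # HTTPS lookups made from outside the LAN: domain root first, then autodiscover.<domain>
    $domain
    "autodiscover.$domain"
}

function Get-RemoteCertificate {
    param([Parameter(Mandatory = $true)][string]$HostName, [int]$Port = 443)
    $result = [ordered]@{ Host = $HostName; Addresses = $null; Subject = $null
                          SAN = $null; NotAfter = $null; Expired = $null; Error = $null }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        # Where does the name resolve to? (web host vs. Exchange server)
        $result.Addresses = ([System.Net.Dns]::GetHostAddresses($HostName) |
            ForEach-Object { $_.IPAddressToString }) -join ', '
        $tcp.Connect($HostName, $Port)
        # Accept every certificate so an expired or mismatched one can still be read.
        # Nothing is sent over this connection after the handshake.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList @($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        # 2.5.29.17 is the Subject Alternative Name extension
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $result.Subject  = $cert.Subject
        $result.SAN      = if ($san) { $san.Format($false) } else { '(none)' }
        $result.NotAfter = $cert.NotAfter
        $result.Expired  = $cert.NotAfter -lt (Get-Date)
    }
    catch {
        # DNS failure or closed port 443: no certificate is presented by this host.
        $result.Error = $_.Exception.Message
    }
    finally { $tcp.Close() }
    [pscustomobject]$result
}

Get-AutodiscoverHost -EmailAddress 'user@example.com' |
    ForEach-Object { Get-RemoteCertificate -HostName $_ } |
    Format-List
```

A host whose Subject is not one of the Exchange names, or whose Expired value is True, is the one producing the Outlook prompt.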


Question has a verified solution.
