Unable to replace SSL cert
Posted on 2014-12-06
I have recently replaced an expiring certificate on my Exchange 2013 server running on Server 2012 R2. OWA shows the correct, new SSL certificate; however, Outlook is generating a warning on startup related to an expired cert meaning somehow OWA and Outlook are using different certs. I have replaced many expiring certificates over the years, and I've never run into this issue. Here is the process I followed:
1. Generated CSR from EAC
2. Submit .req file to 3rd party CA (Comodo)
3. Complete pending cert request in EAC using .crt file supplied by Comodo
4. Assign the IIS and SMTP services to new cert
5. Restart IIS
As I said, when viewing the certificate presented by OWA, the new, unexpired certificate is used. Outlook continues to revert to the expired certificate for some reason. Here are the troubleshooting steps I've tried so far:
1. Delete the expired cert completely
2. Reinstall the unexpired cert
3. verify bindings for 'Default Web Site' in IIS on port 443 are set to use the new, unexpired cert
- Subsequently there are two bindings for port 443 which I thought was odd. One for All Unassigned IPs (*) and another for 127.0.0.1. Is this normal?
4. Ran an ExRCA test and verified the Outlook Anywhere test did show the new, unexpired certificate meaning this is only affecting Outlook.
Any help here would be appreciated.