Unable to replace SSL cert
I have recently replaced an expiring certificate on my Exchange 2013 server running on Server 2012 R2. OWA shows the correct, new SSL certificate; however, Outlook is generating a warning on startup related to an expired cert meaning somehow OWA and Outlook are using different certs. I have replaced many expiring certificates over the years, and I've never run into this issue. Here is the process I followed:
1. Generated CSR from EAC
2. Submit .req file to 3rd party CA (Comodo)
3. Complete pending cert request in EAC using .crt file supplied by Comodo
4. Assign the IIS and SMTP services to new cert
5. Restart IIS
As I said, when viewing the certificate presented by OWA, the new, unexpired certificate is used. Outlook continues to revert to the expired certificate for some reason. Here are the troubleshooting steps I've tried so far:
1. Delete the expired cert completely
2. Reinstall the unexpired cert
3. verify bindings for 'Default Web Site' in IIS on port 443 are set to use the new, unexpired cert
- Subsequently there are two bindings for port 443 which I thought was odd. One for All Unassigned IPs (*) and another for 127.0.0.1. Is this normal?
4. Ran an ExRCA test and verified the Outlook Anywhere test did show the new, unexpired certificate meaning this is only affecting Outlook.
Any help here would be appreciated.
1. Generated CSR from EAC
2. Submit .req file to 3rd party CA (Comodo)
3. Complete pending cert request in EAC using .crt file supplied by Comodo
4. Assign the IIS and SMTP services to new cert
5. Restart IIS
As I said, when viewing the certificate presented by OWA, the new, unexpired certificate is used. Outlook continues to revert to the expired certificate for some reason. Here are the troubleshooting steps I've tried so far:
1. Delete the expired cert completely
2. Reinstall the unexpired cert
3. verify bindings for 'Default Web Site' in IIS on port 443 are set to use the new, unexpired cert
- Subsequently there are two bindings for port 443 which I thought was odd. One for All Unassigned IPs (*) and another for 127.0.0.1. Is this normal?
4. Ran an ExRCA test and verified the Outlook Anywhere test did show the new, unexpired certificate meaning this is only affecting Outlook.
Any help here would be appreciated.
Last Comment
ASKER
You're right, I should have clarified those points. When I reinstalled the new cert I ensured to include the private key, and this is a single Exchange server environment with a Typical installation.
Run a connection test in outlook to make sure it's connecting to the correct CAS server for all the https based services. I know you said you only have one server, but I think give that a shot. It's possible the Autodiscover SCP isn't set to the FQDN or other namespace DNS resolving to the CAS server?
ASKER
Yea I thought of that also. Everything is connecting to the correct servers and URLs. I can't explain it.
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
No resolution
Exchange
Exchange is the server side of a collaborative application product that is part of the Microsoft Server infrastructure. Exchange's major features include email, calendaring, contacts and tasks, support for mobile and web-based access to information, and support for data storage.
213K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
Also, do you have more than 1 CAS server, that Outlook could potentially be speaking to? If so you would need to export the certificate from that first machine and re-import it to any additional CAS servers. Personally I like to use the same certificate across the global environment, so this is usually a good thing. Of course when you generated the CSR you would have had to use the -PrivateKeyExportable parameter.