Solved

Unable to replace SSL cert

Posted on 2014-12-06
6
90 Views
Last Modified: 2015-01-03
I have recently replaced an expiring certificate on my Exchange 2013 server running on Server 2012 R2.  OWA shows the correct, new SSL certificate; however, Outlook is generating a warning on startup related to an expired cert meaning somehow OWA and Outlook are using different certs.  I have replaced many expiring certificates over the years, and I've never run into this issue.  Here is the process I followed:

1. Generated CSR from EAC
2. Submit .req file to 3rd party CA (Comodo)
3. Complete pending cert request in EAC using .crt file supplied by Comodo
4. Assign the IIS and SMTP services to new cert
5. Restart IIS

As I said, when viewing the certificate presented by OWA, the new, unexpired certificate is used.  Outlook continues to revert to the expired certificate for some reason.  Here are the troubleshooting steps I've tried so far:

1. Delete the expired cert completely
2. Reinstall the unexpired cert
3. verify bindings for 'Default Web Site' in IIS on port 443 are set to use the new, unexpired cert
    - Subsequently there are two bindings for port 443 which I thought was odd.  One for All Unassigned IPs (*) and another for 127.0.0.1.  Is this normal?
4. Ran an ExRCA test and verified the Outlook Anywhere test did show the new, unexpired certificate meaning this is only affecting Outlook.

Any help here would be appreciated.
0
Comment
Question by:terminalb
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
6 Comments
 
LVL 10

Expert Comment

by:nashiooka
ID: 40485426
Forgive me but after step 3 did you import the certificate from comodo back to the machine that generated the original CSR?  If you don't do that it will be missing the private key and cause all sorts of issues.

Also, do you have more than 1 CAS server, that Outlook could potentially be speaking to?  If so you would need to export the certificate from that first machine and re-import it to any additional CAS servers.  Personally I like to use the same certificate across the global environment, so this is usually a good thing.  Of course when you generated the CSR you would have had to use the -PrivateKeyExportable parameter.
0
 
LVL 2

Author Comment

by:terminalb
ID: 40486809
You're right, I should have clarified those points.  When I reinstalled the new cert I ensured to include the private key, and this is a single Exchange server environment with a Typical installation.
0
 
LVL 10

Expert Comment

by:nashiooka
ID: 40497340
Run a connection test in outlook to make sure it's connecting to the correct CAS server for all the https based services.  I know you said you only have one server, but I think give that a shot.  It's possible the Autodiscover SCP isn't set to the FQDN or other namespace DNS resolving to the CAS server?
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 2

Author Comment

by:terminalb
ID: 40501168
Yea I thought of that also.  Everything is connecting to the correct servers and URLs.  I can't explain it.
0
 
LVL 2

Accepted Solution

by:
terminalb earned 0 total points
ID: 40522730
Closing as unresolved.
0
 
LVL 2

Author Closing Comment

by:terminalb
ID: 40528909
No resolution
0

Featured Post

Free Webinar: AWS Backup & DR

Join our upcoming webinar with experts from AWS, CloudBerry Lab, and the Town of Edgartown IT to discuss best practices for simplifying online backup management and cutting costs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

MS Outlook is a world-class email client application that is mainly used for e-communication globally.  In this article, we will discuss the basic idea about MS Outlook, its advanced features, and types of MS Outlook File formats.
Large Outlook files lead to various unwanted errors and corruption issues. Furthermore, large outlook files can also make Outlook take longer to start-up, search, navigate, and shut-down. So, In this article, i will discuss a method to make your Out…
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…
CodeTwo Sync for iCloud (http://www.codetwo.com/sync-for-icloud?sts=6554) automatically synchronizes your Outlook 2016, 2013, 2010 or 2007 folders with iCloud folders available via iCloud Control Panel. This lets you automatically sync them with…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question