Unable to activate new certificate on Exchange 2007 running IIS6 on Server 2003 x64

One of my customers has requested a new certificate from Network Solutions to replace their about-to-expire certificate on their Exchange 2007 CAS server.

I was able to successfully install the certificate, and the required intermediate certificates onto the machine without incident. The certificate shows up properly in the "Personal" My Computer store inside of the Certificates MMC snap-in. It has a valid private key.

I am able to assign the new certificate to services through the use of the Enable-ExchangeCertificate PowerShell command. I am able to verify the proper certificate is selected for usage with IIS by immediately running the Get-ExchangeCertificate command.

All is well right up until I issue an IISRESET command. After the IIS services come back up, I find that the certificate has reverted to the original about-to-expire certificate. If I assign the new certificate, remove the old and then restart the services, SSL doesn't come back up at all.

I've tried the following with no success:
 - Export the certificate and corresponding private key to a .pfx, remove all related certificates (including Intermediate), and re-import the new certificate
 - The new certificate is signed with the AES256 cipher. I have applied MS KB948963 hotfix to enable support for the new ciphers, and reset the server
 - Tried choosing the new certificate by using IIS manager, and choosing the "Replace" certificate option. I can see the new certificate, select it, and complete the wizard without error, but running IISRESET reverts the certificate


Will Szymkowski (Senior Solution Architect) commented:
This is not normal behavior when it comes to Exchange certificates. What I would recommend doing is checking the IIS logs and even the event logs on the Exchange server to see if there are any details as to why it is reverting back. If you open IIS, do you see the certificate for Exchange?

Also, have you done a full server power cycle? Another thing: what SP version and RU are you currently running?

Is the certificate that is reverting back a self-signed cert or is it a 3rd party SSL cert?

mcreedjr (Author) commented:
I agree this is not normal behavior. I've managed dozens of Exchange environments and never seen this behavior before. Although, I do not have many Exchange 2007 servers, nor Server 2003 servers still in use. I also do not normally procure SSL certificates from Network Solutions.

I have checked both the System event log and the Application event log after I run IISRESET and there are no warnings logged, let alone warnings that would correlate to reversion of the certificate.

I have power cycled the server after I applied the MS KB to enable support for AES256. No change.

Running SP3 with no roll-ups applied.

It is reverting to the previous 3rd party SSL cert. Self-signed is not used.

Will Szymkowski (Senior Solution Architect) commented:
Seems like there might be another dependency using this Exchange cert within IIS? If you remove the old cert, what breaks?

Try this:
- install/enable the new cert
- remove the old cert
- do an iisreset
- check the logs to see why the service is not starting

This should give you some insight as to what else is using the cert or any reason why it is adding it back. Also you may have to turn up the logging within IIS to get more info, if the default logs are not providing valuable info.

mcreedjr (Author) commented:
I followed your steps; although they didn't directly solve the problem, they led me in the right direction.

Long story short, I had permissions problems on the registry key: HKLM\System\Currentcontrolset\services\http\parameters\sslbindinginfo

I deleted the key, and re-created it using the Enable-ExchangeCertificate PowerShell command, which solved the problem.
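The accepted answer names the HTTP.sys SSL binding key as the culprit but gives no way to inspect it before deleting it. The following PowerShell is an added example, not code from this thread or from Microsoft. It assumes it is run in an elevated Exchange Management Shell on the CAS server (so Get-ExchangeCertificate is available), and it assumes that the subkeys under SslBindingInfo are named by IP:port and carry a REG_BINARY value called SslCertHash; those value names are an assumption of the example, not something stated on the page.

```powershell
# Added example (not from the thread): audit the HTTP.sys SSL binding key that the
# accepted answer identified, without deleting anything. Reports the key's ACL and
# checks whether each binding's certificate hash matches the certificate Exchange
# has enabled for IIS. Assumed: subkeys are "<IP>:<port>" with a REG_BINARY
# "SslCertHash" value (not stated on the page; adjust if your host differs).

$bindingKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo'

function Get-SslBindingAcl {
    # Lists every principal and its rights on the binding key. If the account that
    # runs Enable-ExchangeCertificate cannot write here, the cmdlet looks successful
    # but HTTP.sys keeps the old binding after an IISRESET, which is the symptom above.
    $acl = Get-Acl -Path $bindingKey
    $acl.Access | Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited
}

function Test-SslBindingMatchesExchange {
    # Thumbprints of the certificate(s) Exchange believes are enabled for IIS.
    $expected = @()
    foreach ($cert in (Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' })) {
        $expected += $cert.Thumbprint.ToUpper()
    }

    $results = @()
    foreach ($sub in (Get-ChildItem -Path $bindingKey)) {
        $props = Get-ItemProperty -Path $sub.PSPath
        if ($null -eq $props.SslCertHash) { continue }

        # REG_BINARY bytes -> upper-case hex, the same form as a certificate thumbprint.
        $hash = ''
        foreach ($b in $props.SslCertHash) { $hash += '{0:X2}' -f $b }

        $matches = $expected -contains $hash
        $results += ('{0}  SslCertHash={1}  MatchesExchangeIIS={2}' -f $sub.PSChildName, $hash, $matches)
    }
    if ($results.Count -eq 0) { $results += ('No SSL bindings found under ' + $bindingKey) }
    $results
}

Get-SslBindingAcl | Format-Table -AutoSize
Test-SslBindingMatchesExchange
```

A binding line that reports MatchesExchangeIIS=False after Enable-ExchangeCertificate, together with an ACL that lacks write access for the administrative account, is the state the thread ends in; on Windows Server 2003 the binding HTTP.sys has actually loaded can be cross-checked with `httpcfg query ssl` from the Support Tools.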