One of my customers has requested a new certificate from Network Solutions to replace their about-to-expire certificate on their Exchange 2007 CAS server.
I was able to successfully install the certificate and the required intermediate certificates onto the machine without incident. The certificate shows up properly in the "Personal" My Computer store inside of the Certificates MMC snap-in. It has a valid private key.
I am able to assign the new certificate to services through the use of the Enable-ExchangeCertificate PowerShell command. I am able to verify the proper certificate is selected for usage with IIS by immediately running the Get-ExchangeCertificate command.
All is well right up until I issue an IISRESET command. After the IIS services come back up, I find that the certificate has reverted to the original about-to-expire certificate. If I assign the new certificate, remove the old and then restart the services, SSL doesn't come back up at all.
I've tried the following with no success:
- Export the certificate and corresponding private key to a .pfx, remove all related certificates (including Intermediate), and re-import the new certificate
- The new certificate is signed with the AES256 cipher. I have applied MS KB948963 hotfix to enable support for the new ciphers, and reset the server
- Tried choosing the new certificate by using IIS manager, and choosing the "Replace" certificate option. I can see the new certificate, select it, and complete the wizard without error, but running IISRESET reverts the certificate