Old SSL Cert Still Being Presented In Outlook - Exchange 2010

Hi EE peeps!

After creating a new SSL cert in Exchange, users are still getting the old, expired cert in their Outlook client. I have checked IIS bindings and made sure the new cert is in https. I have reset IIS and also had a user restart their computer. The old cert has been deleted from EMC. Yes, I've run the "get-exchangecertificate | fl" cmdlet and the old cert is not there, just the new one.

Any thoughts on how to fix this?

Error showing cert being used is expired.
Paul Wagner (Friend To Robots and Rocks) asked:

Will Szymkowski (Senior Solution Architect) commented:
Have you Enabled the new Exchange Certificate? Using the Enable-ExchangeCertificate cmdlet?

Also have you tried to re-create the Outlook profile for a user that is encountering this issue?

Greg Besso (IT Solutions Engineer) commented:
The areas I would look next are within Exchange management console. You created the new cert, but did you bind the services to actually use it? Usually the old one is still there and bound; you have to move services to the new cert and then optionally remove the old one too.

The Microsoft KB article for that is: https://technet.microsoft.com/en-us/library/dd351257(v=exchg.141).aspx 

Other than that, do you have any proxies or load balancers in front of Exchange that may have the old certificate still in use?
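One way to check exactly this, as an added example that is not part of the thread or of any Microsoft documentation: the script below, run from the Exchange Management Shell on the CAS server, lists every certificate Exchange knows about (flagging expired ones), picks out the one enabled for the IIS service, and compares its thumbprint with what http.sys is actually bound to on port 443. It assumes the default `0.0.0.0:443` binding on "Default Web Site" and a single-server deployment; the remediation commands at the end are left commented so nothing is changed by just running the check.

```powershell
# Added example (not from the thread): reconcile the certificate Exchange 2010
# has enabled for IIS with the certificate http.sys is actually serving.
# Run in the Exchange Management Shell on the CAS server. Assumes the
# default 0.0.0.0:443 binding on "Default Web Site" (single-server setup).
Import-Module WebAdministration

$now = Get-Date

# 1. Every certificate Exchange knows about, flagging expired ones that are
#    still present. An expired certificate left with Services=IIS is the
#    usual reason Outlook keeps presenting the old certificate.
Get-ExchangeCertificate | ForEach-Object {
    $state = if ($_.NotAfter -lt $now) { 'EXPIRED' } else { 'valid' }
    '{0}  {1,-8} services={2,-20} expires={3:yyyy-MM-dd}  {4}' -f `
        $_.Thumbprint, $state, $_.Services, $_.NotAfter, $_.Subject
}

# 2. The one certificate Exchange has assigned to the IIS service.
$iisCert = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' } |
    Select-Object -First 1
if (-not $iisCert) {
    Write-Warning 'No certificate has the IIS service enabled.'
}

# 3. What http.sys is really bound to on 443. A thumbprint here that differs
#    from $iisCert means the binding is stale and needs a rebind or iisreset,
#    which is what finally resolved the thread's problem.
foreach ($b in Get-ChildItem IIS:\SslBindings) {
    $status = if ($iisCert -and $b.Thumbprint -eq $iisCert.Thumbprint) {
        'matches Exchange'
    } else {
        'STALE / MISMATCH'
    }
    '{0}:{1} -> {2}  [{3}]' -f $b.IPAddress, $b.Port, $b.Thumbprint, $status
}

# Cross-check outside the IIS provider (same data, straight from http.sys):
netsh http show sslcert ipport=0.0.0.0:443

# Remediation (run deliberately after reviewing the output, not as part of the check):
#   Enable-ExchangeCertificate -Thumbprint <new thumbprint> -Services IIS,SMTP
#   iisreset
```

Both checks look at the same port, so a certificate that is "gone" from EMC and `Get-ExchangeCertificate` but still reported by `netsh http show sslcert` is the signature of the stale-binding case the thread ends up in.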
Paul Wagner (Friend To Robots and Rocks), author, commented:
Yes, the cert is enabled.
Yes, I've recreated an Outlook profile for a user. Didn't work.

Yes, the services are bound to the new cert.
Yes, the old cert has been deleted.
No proxies or load balancers.

Greg Besso (IT Solutions Engineer) commented:
Does autodiscover.<yourdomain>.com resolve to your server's local host IP or to another system? If you recycle your Exchange IIS the new cert would be used unless you still have the old one mapped. Check in IIS directly; what do you see? Do you have any load balancers or proxies between the clients and your Exchange server(s)? Also, how many servers are in your deployment, just wondering.
Will Szymkowski (Senior Solution Architect) commented:
Does this happen for all users or just a couple? Have you checked the time on the Exchange server to ensure that it is correct and also double check the cert as well.

Do you get a cert error going to the OWA page?

Not that you should have to do this, but have you tried recycling all of the Exchange Server services and/or rebooting the CAS server?

Paul Wagner (Friend To Robots and Rocks), author, commented:
This might clear some things up.

I am using:
-Internal CA to sign exchange.domain.local
-External CA to sign autodiscover.domain.com and mail.domain.com

The external (GoDaddy) CA has been given the IIS and SMTP bindings in the EMC.

I have reset IIS already and everyone still gets the old cert.
No load balancers or proxies (deja vu?).
One Exchange server.

Yes, this happens for all users.
No cert error on OWA. The new cert shows with 2018 expiration.
Greg Besso (IT Solutions Engineer) commented:
But did you look at the IIS console, at the Exchange website bindings to verify what certificate shows up there?

Paul Wagner (Friend To Robots and Rocks), author, commented:
IIS, EMC and EMS do not show the old cert. It is gone. Only the new cert is showing.
Greg Besso (IT Solutions Engineer) commented:
Pretty weird. Doing some online searches, I'm finding hits about this SCP for Exchange that is used before DNS is even used in some configurations. Let's check your settings. Do the following...

Get-ClientAccessServer | fl *

Look for this AutoDiscoverInternalUri property and see what it's pointing to. Just thinking out loud, not sure if it will help, but it can't hurt.
Paul Wagner (Friend To Robots and Rocks), author, commented:
Greg Besso (IT Solutions Engineer) commented:
When you go to that URL from your computer (and from one of the computers that pose the problem) do you get a valid page or file loading or a warning?
Paul Wagner (Friend To Robots and Rocks), author, commented:
Here is what I get

Initial warning
XML file
Paul Wagner (Friend To Robots and Rocks), author, commented:
... to add, the SSL cert being shown at the Autodiscover.xml page is the NEW cert.

New cert being used
Greg Besso (IT Solutions Engineer) commented:
That's good progress. So the browser test is also failing and has a certificate warning. If it's the new cert, I am wondering why it is not seen as valid. We'd have to look at some more cert details to ensure the valid from/to dates, the subject name, and the subject alternate name / SAN entries are valid.

You are getting the "does not match the URL" error. Compare your old cert to the new one and see what might be different.
Paul Wagner (Friend To Robots and Rocks), author, commented:
OK, it appears to be fixed!

I restarted the Default Web Site in IIS and did an IISreset for the 10th time, and this time it worked... no idea why it took so many resets, though.

The URL mismatch is because CAB forum doesn't allow private domains to be secured by 3rd party CAs any more. I will have to change all of my internal addresses for owa, autodiscover, etc. to the external address... but that's an entirely different matter.

Thanks for your help in troubleshooting.
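The two remaining points in the thread, Greg's suggestion to compare the certificate's SAN entries with the URL (and the SCP value from `Get-ClientAccessServer`, whose property is actually named `AutoDiscoverServiceInternalUri`), and Paul's conclusion that the internal `.local` names will have to move to the public name, can be checked and acted on with the added example below. It is not part of the thread or of Microsoft's documentation. Run from the Exchange Management Shell on the single CAS server, it gathers every host name a client can be handed (SCP, virtual directory internal/external URLs, Outlook Anywhere external host), tests each one against the SAN list of the certificate enabled for IIS, and reports the ones that would produce the "does not match the URL" warning. `mail.domain.com` is an assumed public name, and the `Set-*` remediation lines are commented out because they change the tenant's configuration and need split-DNS for the public name inside the network.

```powershell
# Added example (not from the thread): list every host name Outlook can be
# handed by the SCP / Autodiscover and the virtual directories, and check each
# against the SAN list of the certificate enabled for IIS. Run in the Exchange
# Management Shell on the (single) CAS server. "mail.domain.com" below is an
# assumed public name, not one taken from the thread's real environment.
$server = $env:COMPUTERNAME

$cert = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' } |
    Select-Object -First 1
if (-not $cert) { throw 'No certificate is enabled for IIS.' }
$sanNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

function Test-CertCoversHost {
    param([string]$HostName)
    $h = $HostName.ToLower()
    foreach ($n in $sanNames) {
        if ($n -eq $h) { return $true }
        # A wildcard entry covers exactly one extra label (*.domain.com
        # matches mail.domain.com but not a.mail.domain.com).
        if ($n.StartsWith('*.') -and ($h -like $n) -and
            ($h.Split('.').Count -eq $n.Split('.').Count)) { return $true }
    }
    return $false
}

# Every URL a client may be given. The SCP value is the
# AutoDiscoverServiceInternalUri property of Get-ClientAccessServer.
$urls = @()
$urls += (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri
$vdirs = @(Get-WebServicesVirtualDirectory -Server $server) +
         @(Get-OabVirtualDirectory -Server $server) +
         @(Get-OwaVirtualDirectory -Server $server) +
         @(Get-EcpVirtualDirectory -Server $server) +
         @(Get-ActiveSyncVirtualDirectory -Server $server)
foreach ($vd in $vdirs) { $urls += $vd.InternalUrl, $vd.ExternalUrl }
$oa = Get-OutlookAnywhere -Server $server
if ($oa -and $oa.ExternalHostname) { $urls += "https://$($oa.ExternalHostname)/rpc" }

$hosts = $urls | Where-Object { $_ } |
    ForEach-Object { ([uri]$_.ToString()).Host } | Sort-Object -Unique

'Certificate {0} covers: {1}' -f $cert.Thumbprint, ($sanNames -join ', ')
foreach ($h in $hosts) {
    $verdict = if (Test-CertCoversHost $h) {
        'covered'
    } else {
        'NOT on certificate -> name mismatch warning'
    }
    '{0,-45} {1}' -f $h, $verdict
}

# Remediation for names a public CA will no longer issue (e.g. server.domain.local):
# point the internal URLs at the public name and resolve that name internally
# (split DNS). Review the output above first; the -Identity strings assume the
# default web site.
#   $public = 'mail.domain.com'
#   Set-ClientAccessServer -Identity $server -AutoDiscoverServiceInternalUri "https://$public/Autodiscover/Autodiscover.xml"
#   Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" -InternalUrl "https://$public/EWS/Exchange.asmx"
#   Set-OabVirtualDirectory -Identity "$server\OAB (Default Web Site)" -InternalUrl "https://$public/OAB"
#   Set-OwaVirtualDirectory -Identity "$server\owa (Default Web Site)" -InternalUrl "https://$public/owa"
#   Set-EcpVirtualDirectory -Identity "$server\ecp (Default Web Site)" -InternalUrl "https://$public/ecp"
#   Set-ActiveSyncVirtualDirectory -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "https://$public/Microsoft-Server-ActiveSync"
```

Any host reported as "NOT on certificate" is one Outlook will warn about even though the certificate itself is new and valid, which is the situation the thread ends in once the stale IIS binding was cleared.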
Greg Besso (IT Solutions Engineer) commented:
Awesome Paul, glad you got your issue resolved. I was thinking that could be quite frustrating to deal with. Have a good one!
Paul Wagner (Friend To Robots and Rocks), author, commented:
It was tough to pick which answers were the solution since performing several IISresets is what finally made the new cert show up... something that was not suggested.... but your inquiries led me to the solution and I appreciate it. Thanks!