Expired Exchange 2013 SSL Certificate Still Active Despite attempts to remove it

I have a exchange 2013 server running on server 2012.  The SSL certificate from Comodo expired two days ago.  We purchased a 3 year multi site certificate from Godaddy.  I went through the process of creating the CSR, putting that into Godaddy's CSR request entry form and have received my certificate.  I installed the intermediary certificate and see Godaddy certificate there.

I then go to EAC and complete the CSR and import the certificate.  I then assigned the services IIS, SMTP, POP, IMAP to the certificate.  
I have also looked at IIS manager to verify that IIS is using the correct certificate.  The bindings.

However, when I go to the web site for our OWA, the old expired certificate is still there.  I have been fighting with this for 12 hours now and would appreciate any help I can get.  

Scott
Member_2_6538061Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

MAS (MVE)EE Solution GuideCommented:
--> When I go to the web site for our OWA,
Do you mean in IIS?

You can delete the expired certificate.
Remove-Exchangecertificate -thumbprint xxxxxxxxxxxxxxxxxxxxxxxxxxx
0
Jason CrawfordTransport NinjaCommented:
Open up MMC and the certificates snap-in and browse to the cert you just installed.  Does the cert icon have a key on it?
0
Member_2_6538061Author Commented:
Yes.  The new certificate has a Key.  It says You have a private key that corresponds to this certificate.
consolecrts.png
Certificate.png
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Member_2_6538061Author Commented:
Yes.  When I say OWA I do mean that I am actually hitting IIS.    

How do I determine what the thumbprint is for "You can delete the expired certificate.
Remove-Exchangecertificate -thumbprint xxxxxxxxxxxxxxxxxxxxxxxxxxx"
0
Jose Gabriel Ortega CEE Solution Guide - CEO Faru Bonon ITCommented:
Ok, I understand what you need to do.
Right now your certificate is the expired one.
So, you need to set the new one.
certificate-expired.png1st try "IISRESET"
If it doesn't take the new cert, then assign it again. The whole procedure is the one I'll point out now:

Step1 Run
Get-ExchangeCertificate | select Thumbprint,subject,services,not*

Open in new window

sss.pngyou will get all the certificates, and it's validity period (goes from NotBefore datetime to  notAfter datetime)
Those that are expired you can remove it using its thumbprint but do not delete the one called "federation"

Select the thumbprint of the new cert. Then run
Enable-ExchangeCertificate -Thumbprint XXXX -Services IIS,SMTP

Open in new window


Then go to IIS.
look in the Backend site and go to bindings and select the new certificate

then go back to PowerShell and run IISRESET (to reset the IIS).
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Member_2_6538061Author Commented:
When looking at the bindings, I am supposed to look at IIS manager on the exchange server correct?
0
MaheshArchitectCommented:
1st logon to webmail from exchange server and check which certificate its showing in padlock?

If its new, just clear browser cache on workstation and check
0
MAS (MVE)EE Solution GuideCommented:
You can determine using this command. This will list you all certificates with subject,issuer and expiry date
Get-ExchangeCertificate | fl issuer,subject,NotAfter

Open in new window


Jose gave you the command(above) to enable services on the right certificate.
0
Tom CieslikIT EngineerCommented:
Did you bind all your email address hosts under Default Web Site in ISS to new cert on port 443 ?
All I mean:

email.yourdomain.com
autodiscover.yourdomain.com
email.yourdomain.local
0
David FavorLinux/LXD/WordPress/Hosting SavantCommented:
https://www.ssllabs.com/ssltest/analyze.html?d=troycapital.com shows a valid LetsEncrypt SSL cert is currently installed for this domain, which is good till January 2018.

So please update this question with whether your problem remains or has been resolved.

Also, you have correct coverage setup for your cert....

imac> echo QUIT | openssl s_client -connect troycapital.com:443 -servername troycapital.com 2>&1 | openssl x509 -noout -text | grep DNS: 
                DNS:troycapital.com, DNS:www.troycapital.com

Open in new window

0
Member_2_6538061Author Commented:
Thanks to everybody.  We were really close based on the support you gave me.  At 12 midnight, I contacted Microsoft and got help from them that cleared it.  I couldn't afford for the client to go into the next day not having emails, etc.  There were minor things that MS tech did to get us back online.  

Thank you.  Again.  Scott
0
Jose Gabriel Ortega CEE Solution Guide - CEO Faru Bonon ITCommented:
Well select the answers that helped you and close the question
2
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.