Member_2_6538061 asked:

Expired Exchange 2013 SSL Certificate Still Active Despite attempts to remove it

I have an Exchange 2013 server running on Server 2012. The SSL certificate from Comodo expired two days ago. We purchased a 3 year multi site certificate from GoDaddy. I went through the process of creating the CSR, putting that into GoDaddy's CSR request entry form and have received my certificate. I installed the intermediary certificate and see the GoDaddy certificate there.

I then go to EAC and complete the CSR and import the certificate.  I then assigned the services IIS, SMTP, POP, IMAP to the certificate.  
I have also looked at IIS manager to verify that IIS is using the correct certificate.  The bindings.

However, when I go to the web site for our OWA, the old expired certificate is still there.  I have been fighting with this for 12 hours now and would appreciate any help I can get.  

M A:

--> When I go to the web site for our OWA,
Do you mean in IIS?

You can delete the expired certificate.
Remove-Exchangecertificate -thumbprint xxxxxxxxxxxxxxxxxxxxxxxxxxx
Open up MMC and the certificates snap-in and browse to the cert you just installed.  Does the cert icon have a key on it?
Member_2_6538061:


Yes.  The new certificate has a Key.  It says You have a private key that corresponds to this certificate.
Yes.  When I say OWA I do mean that I am actually hitting IIS.    

How do I determine what the thumbprint is for "You can delete the expired certificate.
Remove-Exchangecertificate -thumbprint xxxxxxxxxxxxxxxxxxxxxxxxxxx"
J0rtIT:
This solution is only available to members.

When looking at the bindings, I am supposed to look at IIS Manager on the Exchange server, correct?

First, log on to webmail from the Exchange server and check which certificate it's showing in the padlock.

If it's new, just clear the browser cache on the workstation and check.
You can determine it using this command. This will list all certificates with subject, issuer and expiry date:
Get-ExchangeCertificate | fl issuer,subject,NotAfter
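
An added example, not part of any post in this thread: it lists every Exchange certificate with its thumbprint, then checks which certificate is actually served on port 443 and compares the two. The host name `mail.example.com` is a placeholder and `Get-ServedCertificate` is a hypothetical helper name; run it in the Exchange Management Shell on the Exchange server.

```powershell
# Added example. $HostName is a placeholder: use the name clients type for OWA.
$HostName = 'mail.example.com'
$Port     = 443

# 1. What Exchange has: thumbprint, assigned services and expiry per certificate.
$exCerts = Get-ExchangeCertificate
$exCerts | Sort-Object NotAfter |
    Format-Table Thumbprint, Services, NotAfter, Subject -AutoSize

# 2. What is actually served on the wire for that name.
function Get-ServedCertificate {   # hypothetical helper, not an Exchange cmdlet
    param([string]$ComputerName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        # Accept any certificate: the goal is to inspect it, not to trust it.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        try {
            $ssl.AuthenticateAsClient($ComputerName)
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        } finally { $ssl.Dispose() }
    } finally { $tcp.Close() }
}

$served = Get-ServedCertificate -ComputerName $HostName -Port $Port
$match  = $exCerts | Where-Object { $_.Thumbprint -eq $served.Thumbprint }
"Served on ${HostName}:${Port}: $($served.Thumbprint), expires $($served.NotAfter)"

if (-not $match) {
    'Served certificate is not in this server''s Get-ExchangeCertificate list: check which device or binding answers for this name.'
} elseif ($served.NotAfter -lt (Get-Date)) {
    'The expired certificate is still being served: compare its thumbprint with the bindings listed below.'
} else {
    'The served certificate is current: if a workstation still shows the old one, clear its browser cache and retest.'
}

# 3. Certificate hash bound to each IP:port in HTTP.SYS, to compare with the thumbprints above.
netsh http show sslcert
```

The thumbprint printed for an expired entry in step 1 is the value that `Remove-ExchangeCertificate -Thumbprint` expects.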


Jose gave you the command (above) to enable services on the right certificate.
Did you bind all your email address hosts under Default Web Site in IIS to the new cert on port 443?
All I mean:
email.yourdomain.local shows a valid LetsEncrypt SSL cert is currently installed for this domain, which is good till January 2018.

So please update this question with whether your problem remains or has been resolved.

Also, you have correct coverage set up for your cert...

imac> echo QUIT | openssl s_client -connect -servername 2>&1 | openssl x509 -noout -text | grep DNS: 


Thanks to everybody.  We were really close based on the support you gave me.  At 12 midnight, I contacted Microsoft and got help from them that cleared it.  I couldn't afford for the client to go into the next day not having emails, etc.  There were minor things that MS tech did to get us back online.  

Thank you.  Again.  Scott
Well, select the answers that helped you and close the question.