New SSL Certificate on Exchange 2013 not working

I just installed an SSL certificate from GoDaddy to Exchange 2013. Everything looks correct. I edited the certificate and checked on SMTP, IMAP, POP and IIS. When I go to https://mail.domain.com/owa or /ecp I get a security error. It shows the self-assigned certificate servername and servername.domain.local.

I did an iisreset.

What am I doing wrong?
Asked by: ajdratch

Wayne88 commented:
What type of SSL cert did you get?

Can you run "Get-ExchangeCertificate -Server Mailbox01" in PowerShell to see all the installed SSL certs, then post here? Omit any sensitive information such as domain name for privacy.

Here are the parameters: https://docs.microsoft.com/en-us/powershell/module/exchange/encryption-and-certificates/get-exchangecertificate?view=exchange-ps

Verify that your new SSL cert is on the list then ensure that the correct SSL certificate is assigned for use.

https://practical365.com/exchange-server/exchange-2013-assign-ssl-certificate-to-services/

ajdratch (Author) commented:
Attached is a screen shot
Capture.JPG

Wayne88 commented:
Is the first entry the SSL certificate for the Exchange server? Can you verify that the thumbprint is the same as the new SSL certificate? If it matches the old one then we know the new SSL cert is not installed.

ajdratch (Author) commented:
The entry that I erased was their internet domain. That thumbprint matches the new certificate.

Wayne88 commented:
Ok, have a look at these articles. There are a lot of resources here and the fix may have already been mentioned, provided that you have the correct SSL certificates and all the required hostnames are listed on your SSL cert.

https://www.experts-exchange.com/articles/29662/Exchange-2013-Fix-for-an-Invalid-certificate-and-related-issues.html

https://www.experts-exchange.com/articles/31221/Fix-for-Exchange-server-2016-certificate-and-related-issues.html

ajdratch (Author) commented:
I went through that article and it did not help. This is what I have.

When I browse to https://mail.domain.net/owa Firefox shows "Mail.domain.net uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is only valid for the following names: internalservername, internalservername.domain.local"

Set-WebServicesVirtualDirectory shows
Server      : internalservername
Identity    : internalservername\EWS (Default Web Site)
InternalUrl : https://mail.domain.net/EWS/Exchange.asmx
ExternalUrl : https://mail.domain.net/EWS/Exchange.asmx

Get-ExchangeCertificate shows:
AA81C2DC19A5C674DDEAC04290C4FE8A1E9D87D6  IP.WS..    CN=domain.net, OU=Domain Control Validated
7D5C273C8DC53712D270D2EE6788411769327607  ....SF.    CN=Federation
2DE6A57F656DA1356F9DD9463C881F85B81853BD  ....S..    CN=Microsoft Exchange Server Auth Certificate
58943B1ED433BA31D9FF0C38916B1492FC71AE5F  ...WS..    CN=internalservername
72EF5808AAD80281751452823DC74FF7F7EA835A  .......    CN=WMSvc-internalservername

Wayne88 commented:
Can you confirm the steps in Exchange 2013 EAC (step a,b,c)?  This will relate which certificate is used for the checked services.  If this is set then Exchange should use the chosen SSL cert.

https://www.experts-exchange.com/articles/29662/Exchange-2013-Fix-for-an-Invalid-certificate-and-related-issues.html

Or you can also use Exchange PS and do the "Enable-ExchangeCertificate -Thumbprint number -Services POP,IMAP,SMTP,IIS" command.  Replace Thumbprint number with actual.

ajdratch (Author) commented:
I just verified everything is correct.

In IIS when I click to browse the default website on port 443 the browser comes up with https://localhost with a certificate error "The security certificate presented by this website was issued for a different website's address."

ajdratch (Author) commented:
I ran netsh http show sslcert.
IP:port 0.0.0.0:443 is using the correct certificate.

IP:port 192.168.0.5 is not using the correct certificate.

My guess is if I can fix that, I may be all set.

Wayne88 commented:
Yes, that will be required to receive internal HTTP/HTTPS requests in IIS. Alternatively, you can just bind the SSL cert to all IP addresses (step 12). See this link:

https://www.digicert.com/csr-ssl-installation/iis-8-and-8.5.htm

ajdratch (Author) commented:
Thanks. I added it to IIS and it worked.

Question has a verified solution.
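
The comparison that located the problem in this thread (one binding from netsh http show sslcert carrying the right certificate, another carrying the wrong one) can be scripted. The following is an added example, not code posted by anyone in the thread; the helper name Get-SslBinding is hypothetical, the thumbprints are placeholders, the netsh text is constructed sample input, and English netsh field labels are assumed.

```powershell
# Added example. Thumbprints are placeholders; the netsh text below is constructed.
$expected = '1111111111111111111111111111111111111111'   # thumbprint of the new certificate

$sample = @'
    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 1111111111111111111111111111111111111111
    Certificate Store Name       : MY

    IP:port                      : 192.168.0.5:443
    Certificate Hash             : 2222222222222222222222222222222222222222
    Certificate Store Name       : MY
'@

# Hypothetical helper: turn "netsh http show sslcert" text into one object per binding.
# Assumes the English field labels "IP:port" and "Certificate Hash".
function Get-SslBinding {
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            if ($current) { $current }            # emit the previous binding
            $current = [pscustomobject]@{ Endpoint = $Matches[1]; Hash = $null }
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
            $current.Hash = $Matches[1].ToUpper()
        }
    }
    if ($current) { $current }                    # emit the last binding
}

# For a live server use: Get-SslBinding -Lines (netsh http show sslcert)
Get-SslBinding -Lines ($sample -split '\r?\n') |
    Where-Object { $_.Endpoint -like '*:443' } |
    Select-Object Endpoint, Hash,
        @{ Name = 'Status'; Expression = { if ($_.Hash -eq $expected) { 'OK' } else { 'MISMATCH' } } }
```

A MISMATCH row on a specific IP next to an OK row on 0.0.0.0:443 is the situation reported above: requests arriving on that IP are served the certificate of the IP-specific binding.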
