Peter Williams (United Kingdom) asked:

Q1 Does a dedicated Exchange server require multiple SSL certificates?

Recently taken over support for an educational customer.


SSL cert expired yesterday on exchange 2013 mail running on a 2016 server 

Created CSR and obtained new certificate and installed OK


Deleted old certificate and set SMTP, IMAP, POP and IIS services for new certificate in EAC


Now have SSL "Not Secure" errors on both OWA and Outlook - Outlook 2013 fails to connect


MS Remote connectivity Analyser shows " A certificate chain couldn't be constructed for the certificate."


Using MMC I find there are multiple valid certificates installed on the server


Q1 Does a dedicated Exchange server require multiple SSL certificates?

Q2 Does the "Intended Purposes" of the new certificate need to include "Client Authentication"?

Q3 How do I fix the SSL chain issue?


Exchange

Last Comment: M A, 8/22/2022 - Mon
SOLUTION
M A

ASKER
Peter Williams

Correction:
MS Remote connectivity Analyser shows old certificate expiry date.



ASKER
Peter Williams

-->Q1 Does a dedicated Exchange server require multiple SSL certificates?
No

Am I safe to delete all the other certificates?
M A

Please check the configuration of IIS as commented above.
i.e. New certificate should be enabled on IIS.

-->Am I safe to delete all the other certificates?
No not now. You have to change the certificate in use first.

You should have the following certificates in server.

ASKER
Peter Williams

Current certs as listed

ASKER
Peter Williams

IIS Server Certificates

ASKER
Peter Williams

New Cert shows in IIS assume this means it is enabled?
ASKER
Peter Williams

Default Web Site and Exchange Backend Bindings point to new Cert.
M A

-->Default Web Site and Exchange Backend Bindings point to new Cert.
No. Please check the above article and assign the certificate accordingly
David Favor

Q1 Does a dedicated Exchange server require multiple SSL certificates?

No.

Not for incoming SMTP or outgoing SMTP or IMAP.

Q2 Does the "Intended Purposes" of the new certificate need to include "Client Authentication"?

Unsure what "Client Authentication" might mean.

SMTP in/out can be Private CA certs + I use free https://LetsEncrypt.org certs for all certs, as this keeps certs simple.

For IMAP, you'll wrap either 1x host or multiple hosts with real certs... LetsEncrypt or other... to avoid users being constantly prompted about accepting suspicious certs or other cryptic messages... depending on client being used...

Q3 How do I fix the SSL chain issue?

You generate a valid cert.... either a Private CA cert, a paid cert, or a https://LetsEncrypt.org free cert, then use the correct chain file.

For example, with https://LetsEncrypt.org free certs you'll use the fullchain.pem file which includes the final cert + all intermediate certs.
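An added check for the chain symptom described in the question (editorial example; it is not part of David Favor's answer or of anything else posted in the thread). It opens a TLS session to the listener the way a browser or mail client would, records which certificate the server actually presents, and builds a chain for it with the local trust store. That separates the two failure modes seen in this thread: an expired certificate still being served (chain status NotTimeValid, the "old expiry date" Apple Mail and the Remote Connectivity Analyzer report) from the new certificate being served without its intermediate (PartialChain, "a certificate chain couldn't be constructed"). The hostname mail.example.edu is a placeholder; substitute the name clients use for OWA and Autodiscover. Runs in Windows PowerShell 5.1 or PowerShell 7 from any machine that can reach the server.

```powershell
# Added example, not from the thread. Reports the certificate a TLS listener presents and
# whether a chain can be built for it on this machine.
function Test-ServedCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # The validation callback always returns $true: the handshake must complete so the
    # presented certificate can be inspected, rather than aborting on the first error.
    $ssl = New-Object System.Net.Security.SslStream(
        $client.GetStream(), $false,
        [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
    try {
        # Sends SNI = $HostName, as browsers, Outlook and Apple Mail do.
        $ssl.AuthenticateAsClient($HostName)
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $client.Dispose()
    }

    # Build the chain against the local store. Revocation checking is off so an unreachable
    # CRL does not mask the two statuses of interest here: NotTimeValid and PartialChain.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($served)

    [pscustomobject]@{
        Endpoint    = ('{0}:{1}' -f $HostName, $Port)
        Subject     = $served.Subject
        Issuer      = $served.Issuer
        Thumbprint  = $served.Thumbprint
        NotAfter    = $served.NotAfter
        Expired     = ($served.NotAfter -lt (Get-Date))
        ChainBuilt  = $built
        ChainDepth  = $chain.ChainElements.Count          # 1 = server sent no intermediate and none was found locally
        ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

# Placeholder hostname (assumption): the name on the public certificate that clients connect to.
$fqdn = 'mail.example.edu'
Test-ServedCertificate -HostName $fqdn -Port 443   # OWA / ECP / EWS / ActiveSync / Autodiscover
Test-ServedCertificate -HostName $fqdn -Port 993   # IMAP over implicit TLS
Test-ServedCertificate -HostName $fqdn -Port 995   # POP3 over implicit TLS
```

Read the result per port: Expired = True with ChainStatus NotTimeValid means the listener is still handing out the old certificate, so the fix is on the binding side, not the chain file; ChainBuilt = False with PartialChain and ChainDepth 1 means the new certificate is served but the intermediate is missing, which is where the "fullchain" style bundle (the TrustCor download that "includes the intermediary CA certificate(s)") has to be imported. Port 25 is not covered because SMTP negotiates STARTTLS inside the protocol; the 443 thumbprint is the one to compare with what Get-ExchangeCertificate lists.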
ASKER
Peter Williams

The TrustCor Premium DV cert download says:

"Includes all the necessary certificates in one file. This format includes the intermediary CA certificate(s) and is supported by popular web servers for the easiest integration."


MS Exchange SSL test says:
The certificate chain has errors. Chain status = NotTimeValid
Apple Mail says:
Expired 09/10/2021

Seems to have retained the old cert info despite the new cert installed....
M A

Please run the following command and make sure IIS is enabled on the 3rd party certificate.
Get-ExchangeCertificate | fl notafter,services,issuer

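A worked version of the check M A is asking for, as an added example (editorial, not posted by M A or anyone else in the thread), run in the Exchange Management Shell on the Exchange 2013 server. It selects the newest unexpired third-party certificate, enables IIS on it, and then verifies both what Exchange records and what the Default Web Site binding on port 443 actually carries, since the binding is what OWA clients see. The issuer filter assumes the certificate came from the TrustCor DV CA named in the thread; the site names and port 444 back end are the Exchange defaults, and the thumbprint is whatever the cmdlet returns.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell (EMS) on the mailbox server.
# Assumption: the third-party certificate is the TrustCor-issued one shown in the thread; adjust the filter otherwise.

# 1. Show the whole store. Services letters are I=IMAP, P=POP, S=SMTP, W=IIS (web), F=Federation.
Get-ExchangeCertificate | Format-Table Thumbprint, Services, NotAfter, IsSelfSigned, Subject -AutoSize

# 2. Pick the newest unexpired third-party certificate.
$new = Get-ExchangeCertificate |
    Where-Object { -not $_.IsSelfSigned -and $_.Issuer -like 'CN=TrustCor DV SSL CA*' -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $new) { throw 'No unexpired third-party certificate in the Exchange store; import it first with Import-ExchangeCertificate.' }

# 3. Bind it to IIS (OWA/ECP/EWS/ActiveSync/Autodiscover on the Default Web Site) and SMTP.
#    POP/IMAP are already on it in the thread; listing them again is harmless.
#    -Force suppresses the "overwrite the existing default SMTP certificate?" prompt.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services IIS,SMTP,POP,IMAP -Force

# 4. Verify on both sides: Exchange must now show 'W' on the cert, and the port-443 binding of the
#    Default Web Site must carry the same thumbprint. If Services says IIS but the binding hash
#    differs, clients are still getting the old certificate regardless of what EAC shows.
$svc = (Get-ExchangeCertificate -Thumbprint $new.Thumbprint).Services
Import-Module WebAdministration
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https |
    Where-Object { $_.bindingInformation -like '*:443:*' }
[pscustomobject]@{
    Thumbprint     = $new.Thumbprint
    NotAfter       = $new.NotAfter
    Services       = $svc
    BindingHash    = ($binding.certificateHash -join ', ')
    BindingMatches = ($binding.certificateHash -contains $new.Thumbprint)
}

# 5. Leave the self-signed "Microsoft Exchange" certificate in place: the Exchange Back End site
#    (port 444) and server-to-server SMTP use it. Then restart IIS so the front end re-reads the binding.
iisreset /restart
```

Run step 1 again afterwards and compare the thumbprint against what an external TLS probe of port 443 reports; the two must agree before the old certificate is deleted, otherwise removing it leaves the binding pointing at a hash that no longer exists in the store.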

ASKER
Peter Williams

Shows 3rd party certificate:

NotAfter : 09/10/2022 17:38:15
Services : IMAP, POP, SMTP
Issuer   : CN=TrustCor DV SSL CA - G2 - RSA, O=TrustCor Systems S. de R.L., C=PA

NotAfter : 04/05/2026 16:41:26
Services : SMTP, Federation
Issuer   : CN=Federation

NotAfter : 24/02/2022 23:59:59
Services : SMTP
Issuer   : CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB

NotAfter : 04/10/2025 11:13:06
Services : IMAP, POP, SMTP
Issuer   : CN=Mail

NotAfter : 06/04/2024 15:50:45
Services : IMAP, POP, IIS, SMTP
Issuer   : CN=Mail

NotAfter : 10/03/2024 11:46:23
Services : SMTP
Issuer   : CN=Microsoft Exchange Server Auth Certificate

NotAfter : 06/04/2024 12:44:52
Services : IIS, SMTP
Issuer   : CN=Mail01

NotAfter : 03/04/2029 11:44:28
Services : None
Issuer   : CN=WMSvc-MAIL01


M A

You have to enable IIS on the 3rd party certificate.
Please follow my article posted in my 1st comment.
ASKER
Peter Williams

Sorry - do not understand (or can find) "You have to enable IIS on the 3rd party certificate."
M A

Read from here till end of the article.

DEMAN-BARCELO (MVP) Thierry

Normal usage of Exchange needs several certificates:

At least one public certificate is needed for the default IIS on port 443, and all normal usages with clients and SMTP
=> This certificate is generally bought (with the name autodiscover, and the name selected for user access)

The default certificate named "Exchange" is created by Microsoft and needed for Exchange Backend on port 443 and internal SMTP.
=> this certificate (not trusted) lasts 5 years, and can be renewed

The Federation certificate is needed and updated if the Hybrid assistant is used.

Generally, don't remove certificates generated by the system, such as this one: CN=WMSvc-MAIL01
ASKER
Peter Williams

Hi MAS,

IIS is/was already enabled for the new cert. - Had used EAC to enable but checked using EMS as described.

Still showing old cert date using OWA and via Apple Mail

Any suggestions?
DEMAN-BARCELO (MVP) Thierry

Have you restarted IIS ?

"iisreset -restart"
ASKER
Peter Williams

Yes - to no effect - still showing expired Cert
DEMAN-BARCELO (MVP) Thierry

Have you verified that the new certificate has been enabled correctly?

With the command "get-exchangecertificate", you should see W in front of the new certificate.

I recently had a problem when enabling a certificate for a customer.
Using the Exchange web admin interface (/ECP) and importing the certificate there was the only way to enable the new certificate correctly.
ASKER CERTIFIED SOLUTION
M A
