Asked by Peter Williams

Q1 Does a dedicated Exchange server require multiple SSL certificates?

Recently taken over support for an educational customer.


SSL cert expired yesterday on Exchange 2013 mail running on a 2016 server

Created CSR and obtained new certificate and installed OK


Deleted old certificate and set SMTP, IMAP, POP and IIS services for new certificate in EAC


Now have SSL "Not Secure" errors on both OWA and Outlook - Outlook 2013 fails to connect


MS Remote connectivity Analyser shows " A certificate chain couldn't be constructed for the certificate."


Using MMC I find there are multiple valid certificates installed on the server


Q1 Does a dedicated Exchange server require multiple SSL certificates?

Q2 Does the "Intended Purposes" of the new certificate need to include "Client Authentication"?

Q3 How do I fix the SSL chain issue?


SOLUTION
M A
Peter Williams (ASKER)

Correction:
MS Remote connectivity Analyser shows old certificate expiry date.



-->Q1 Does a dedicated Exchange server require multiple SSL certificates?
No

Am I safe to delete all the other certificates?
Please check the configuration of IIS as commented above.
i.e. New certificate should be enabled on IIS.

-->Am I safe to delete all the other certificates?
No not now. You have to change the certificate in use first.

You should have the following certificates in server.
[image]
Current certs as listed
[image]
IIS Server Certificates
[image]
New Cert shows in IIS assume this means it is enabled?
Default Web Site and Exchange Backend Bindings point to new Cert.
-->Default Web Site and Exchange Backend Bindings point to new Cert.
No. Please check the above article and assign certificate accordingly
Q1 Does a dedicated Exchange server require multiple SSL certificates?

No.

Not for incoming SMTP or outgoing SMTP or IMAP.

Q2 Does the "Intended Purposes" of the new certificate need to include "Client Authentication"?

Unsure what "Client Authentication" might mean.

SMTP in/out can be Private CA certs + I use free https://LetsEncrypt.org certs for all certs, as this keeps certs simple.

For IMAP, you'll wrap either 1x host or multiple hosts with real certs... LetsEncrypt or other... to avoid users being constantly prompted about accepting suspicious certs or other cryptic messages... depending on client being used...

Q3 How do I fix the SSL chain issue?

You generate a valid cert.... either Private CA cert or paid cert or https://LetsEncrypt.org free cert, then use the correct chain file.

For example, with https://LetsEncrypt.org free certs you'll use the fullchain.pem file which includes the final cert + all intermediate certs.
The TrustCor Premium DV cert download says:

"Includes all the necessary certificates in one file. This format includes the intermediary CA certificate(s) and is supported by popular web servers for the easiest integration."


MS Exchange SSL test says:
The certificate chain has errors. Chain status = NotTimeValid
Apple Mail says:
Expired 09/10/2021

Seems to have retained the old cert info despite the new cert installed....
Please run the following command and make sure IIS is enabled on the 3rd party certificate.
Get-ExchangeCertificate | fl notafter,services,issuer

Shows 3rd party certificate:

NotAfter : 09/10/2022 17:38:15
Services : IMAP, POP, SMTP
Issuer   : CN=TrustCor DV SSL CA - G2 - RSA, O=TrustCor Systems S. de R.L., C=PA

NotAfter : 04/05/2026 16:41:26
Services : SMTP, Federation
Issuer   : CN=Federation

NotAfter : 24/02/2022 23:59:59
Services : SMTP
Issuer   : CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB

NotAfter : 04/10/2025 11:13:06
Services : IMAP, POP, SMTP
Issuer   : CN=Mail

NotAfter : 06/04/2024 15:50:45
Services : IMAP, POP, IIS, SMTP
Issuer   : CN=Mail

NotAfter : 10/03/2024 11:46:23
Services : SMTP
Issuer   : CN=Microsoft Exchange Server Auth Certificate

NotAfter : 06/04/2024 12:44:52
Services : IIS, SMTP
Issuer   : CN=Mail01

NotAfter : 03/04/2029 11:44:28
Services : None
Issuer   : CN=WMSvc-MAIL01


You have to enable IIS on the 3rd party certificate.
Please follow my article posted in my 1st comment.
Sorry - do not understand (or can't find) "You have to enable IIS on the 3rd party certificate."
Read from here till end of the article.
[image]
Normal usage of Exchange needs several certificates:

At least one public certificate is needed for the default IIS on port 443, and all normal usages with clients and SMTP
=> This certificate is generally bought (with the name autodiscover, and the name selected for user access)

The default certificate named "Exchange" is created by Microsoft and needed for Exchange Backend on port 443 and internal SMTP.
=> this certificate (not trusted) lasts 5 years, and can be renewed

The Federation certificate is needed and updated if Hybrid assistant is used.

Generally, don't remove certificates generated by the system as this one: CN=WMSvc-MAIL01
Hi MAS,

IIS is/was already enabled for the new cert. - Had used EAC to enable but checked using EMS as described.

Still showing old cert date using OWA and via Apple Mail

Any suggestions?
Have you restarted IIS ?

"iisreset -restart"
Yes - to no effect - still showing expired Cert
Have you verified that the new certificate has been well enabled?

With the command "get-exchangecertificate", you should see W in front of the new certificate.

I recently had a problem when enabling a certificate for a customer.
Using the Exchange web admin interface (/ECP) and importing the certificate was the only way to enable the new certificate correctly.
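The thread's checks so far are spread across three places: what Exchange has enabled (the "W" in Get-ExchangeCertificate), what IIS has bound, and what clients actually receive. The script below is an added diagnostic that is not the code of any poster or of the article referenced in the thread; it runs those three checks in one pass and then builds the chain for the served certificate, which is where "A certificate chain couldn't be constructed" and "Chain status = NotTimeValid" come from. It assumes it is run in the Exchange Management Shell on the mailbox server, that the WebAdministration module is available, and that $OwaHost is a placeholder for the name clients connect to.

```powershell
# Added diagnostic for the symptom in this thread (new certificate enabled for IIS, but
# OWA, Outlook and the Remote Connectivity Analyzer still report the old, expired one).
# Not the code of any poster or article on the page. Assumptions: run in the Exchange
# Management Shell on the mailbox server, WebAdministration module available, and
# $OwaHost is a placeholder for the hostname clients really use.
$OwaHost = 'mail.example.edu'   # placeholder hostname, replace before running

# 1. Which certificate has Exchange enabled for IIS? This is the "W" in the Services
#    column, the same data as: Get-ExchangeCertificate | fl notafter,services,issuer
$iisCerts = @(Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' })
"Certificate(s) enabled for IIS in Exchange:"
$iisCerts | Format-List Thumbprint, Subject, NotAfter, Services, Issuer | Out-String

# 2. Which thumbprint is actually bound to the Default Web Site on 443?
#    (The Exchange Back End site on 444 keeps the self-signed Microsoft Exchange
#    certificate; that is expected and is not checked here.)
Import-Module WebAdministration
foreach ($b in @(Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    $bound = $b.certificateHash
    "Binding {0}: certificate {1} in store {2}" -f $b.bindingInformation, $bound, $b.certificateStoreName
    if (@($iisCerts.Thumbprint) -notcontains $bound) {
        "  MISMATCH: this binding does not use the certificate Exchange has enabled for IIS"
    }
}

# 3. Which certificate do clients really receive? This is what Apple Mail, Outlook and
#    the Remote Connectivity Analyzer see, whatever the EAC or EMS reports.
$tcp = New-Object System.Net.Sockets.TcpClient($OwaHost, 443)
# Accept any certificate here: the point is to inspect it, not to trust it.
$noCheck = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $noCheck)
$ssl.AuthenticateAsClient($OwaHost)
$served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()
"Served certificate: {0}, NotAfter {1:yyyy-MM-dd}, thumbprint {2}" -f $served.Subject, $served.NotAfter, $served.Thumbprint
if ($served.NotAfter -lt (Get-Date)) { "  EXPIRED: clients are still being handed the old certificate" }
if (@($iisCerts.Thumbprint) -notcontains $served.Thumbprint) {
    "  MISMATCH: the served certificate is not the one enabled for IIS in Exchange"
}

# 4. Can a chain be built for the served certificate from this machine's stores?
#    NotTimeValid means an expired certificate somewhere in the chain; PartialChain
#    means a missing intermediate, which installing the full chain file fixes.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
"Chain builds cleanly: {0}" -f $chain.Build($served)
foreach ($s in $chain.ChainStatus) { "  status {0}: {1}" -f $s.Status, $s.StatusInformation.Trim() }
foreach ($e in $chain.ChainElements) {
    "  element: {0} (NotAfter {1:yyyy-MM-dd})" -f $e.Certificate.Subject, $e.Certificate.NotAfter
}
```

Reading the output: if step 1 lists the new certificate but step 2 or 3 reports a different thumbprint, the IIS binding is stale, which matches the thread's symptom of an expired date still appearing in OWA and Apple Mail; re-running Enable-ExchangeCertificate with -Services IIS for the new thumbprint followed by iisreset is the step that rewrites the binding. If step 3 shows the new certificate but step 4 reports PartialChain, the intermediate CA certificate is missing from the computer's Intermediate Certification Authorities store, which is the case the "fullchain" style bundle described earlier in the thread is meant to cover.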
ASKER CERTIFIED SOLUTION