Hello all!
I have an Exchange 2010 environment hosted in house. Two certificates expired - Autodiscover.mydomain.com and transporthub.mydomain.local with SMTP assigned to it. Both of these were issued by an internal CA. I have a purchased certificate that is assigned to webmail.mydomain.com. SMTP, IMAP, POP, and IIS were assigned services to the purchased certificate. Autodiscover had no assigned services. The transport hub had SMTP assigned to it.
I made two requests for renewal using the Exchange Management GUI. I took those requests over to the CA and attempted to upload the text to the web interface. I encountered two problems in doing that. The first was the request was saved in binary and needed to be converted if I were to use the web interface to request a certificate. The second was that "Web Server" was not an available template using the web interface. I've since learned that both problems can be solved. You can convert binary requests created by Exchange to a new format using certutil and you can access the Web Server template by running Internet Explorer in Administrative Mode. I decided to use PowerShell to finish the renewal process instead.
Autodiscover renewed without any issue. The transport hub asked me if I wanted to replace the primary SMTP certificate with the one I was creating and I said no. Both certificates were handed out without further ado and I imported them into Exchange using the management console, specifically the "complete renewal request..." button. All seemed to go well. There were blue checkmarks, both had private keys assigned to them, and the expiration dates were set way into the future. Upon opening Outlook I noticed I was getting a couple errors for certificates still. The first for the new certificate and the second for the old certificate. I thought, that's probably not good. Took a day to ponder my predicament and remembered I had not deleted the old certificates out of Exchange. I remedied that problem the following morning. Opening Outlook yielded my old friend, the certificate error, but again for the OLD certificate. That confused me greatly. It was gone. Why is it still popping up?? To the internet we go! Below are the solutions I've attempted.
- Restart IIS and Microsoft Exchange Transport Hub services.
- On my computer, I opened the local certificate management console and found the old certificate under "Other People" and deleted it.
- Checked the GPO - alas, the new certificates were listed with no reference to the old ones.
- A holiday weekend came and went - error still present.
- Checked the bindings in IIS - all point to the purchased certificate.
Still got the same certificate error for the expired certificate. Totally lost, I let it sit for a day while reading everything I could before attempting anything new. Today, I noticed something else had gone awry - IIS, IMAP, and POP all moved to the certificate I renewed for the transport hub. This caused our webmail site to stop functioning properly. Imagine that, huh? I distinctly remember those being assigned to the purchased certificate so I've moved them back. Webmail is back up and running. In doing this, it had also switched the primary SMTP to the renewed certificate. I made sure to select YES when prompted to move the primary SMTP back to the purchased certificate. Now, when anyone starts Outlook, it prompts a certificate error for the PURCHASED certificate, and no longer for the expired one. There's a lesson in this, and I'm not seeing it. I would love to know how it switched like that, and move it to the renewed transport hub certificate, but I don't know how. Any help would be greatly appreciated. I've been racking my head for days on this and nothing I've found has helped.
Thank you,
Phil
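An added diagnostic script, not part of the original post, for the situation described above: it inventories the certificates Exchange 2010 knows about together with the services bound to each, flags expired certificates that still have services enabled, and then checks whether every hostname Outlook is told to use (Autodiscover, EWS and OAB URLs) is covered by a still-valid certificate enabled for IIS. An Outlook certificate warning after a renewal is usually one of those two things: a service still bound to the old thumbprint, or a URL whose hostname is not on the certificate now serving IIS. The script is meant to be run in the Exchange Management Shell on the Client Access / Hub Transport server; the server name is taken from the local machine, and the `Test-HostCovered` helper is assumed (it is not an Exchange cmdlet).

```powershell
# Added example, not from the original post or from Microsoft. Run in the
# Exchange Management Shell on the CAS/Hub server. Assumption: the local
# machine is the Exchange server being examined.
$server = $env:COMPUTERNAME

# 1. Inventory every certificate Exchange has, with the services bound to it.
$certs = Get-ExchangeCertificate -Server $server |
    Select-Object Thumbprint, Subject, NotAfter, Services, IsSelfSigned,
                  @{Name = 'Domains'; Expression = { $_.CertificateDomains -join ',' }}
$certs | Format-Table -AutoSize

# 2. Flag expired certificates that still have services enabled. These are the
#    ones clients keep being handed even though the console shows a new cert.
$certs | Where-Object { $_.NotAfter -lt (Get-Date) -and $_.Services -ne 'None' } |
    ForEach-Object {
        Write-Warning "Expired certificate still enabled for $($_.Services): $($_.Thumbprint)"
    }

# 3. Collect the hostnames Outlook actually connects to and compare them with the
#    domains on the valid certificates that carry the IIS service.
$urls = @()
$urls += (Get-ClientAccessServer $server).AutoDiscoverServiceInternalUri
$urls += Get-WebServicesVirtualDirectory -Server $server |
             ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-OabVirtualDirectory -Server $server |
             ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$hosts = $urls | Where-Object { $_ } |
         ForEach-Object { ([uri]$_).Host } | Sort-Object -Unique

# Hypothetical helper: does this certificate cover the hostname, including a
# wildcard entry such as *.mydomain.com?
function Test-HostCovered([string]$hostname, $cert) {
    foreach ($entry in $cert.CertificateDomains) {
        $d = $entry.ToString()
        if ($d -ieq $hostname) { return $true }
        if ($d.StartsWith('*.')) {
            $pattern = '^[^.]+' + [regex]::Escape($d.Substring(1)) + '$'
            if ($hostname -imatch $pattern) { return $true }
        }
    }
    return $false
}

$iisCerts = Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Services -match 'IIS' -and $_.NotAfter -gt (Get-Date) }

foreach ($h in $hosts) {
    $covering = @($iisCerts | Where-Object { Test-HostCovered $h $_ })
    if ($covering.Count -gt 0) {
        "OK       $h  (covered by $($covering[0].Thumbprint))"
    } else {
        "MISSING  $h  is not on any valid certificate enabled for IIS"
    }
}
```

Once the inventory shows which thumbprint carries which service, moving a service back to the intended certificate is a single `Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services IIS,SMTP,IMAP,POP` (listing only the services that certificate should own), and an old certificate that no longer carries any service can be dropped with `Remove-ExchangeCertificate -Thumbprint <thumbprint>`. For the "MISSING" case the fix is on the other side: either the URL should point at a hostname the purchased certificate actually contains, or the certificate needs that name added at the next renewal.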