Exchange certificate problem

Soldato
Joined
20 Oct 2008
Posts
12,096
I've got an SBS2011 server running Exchange 2010. It's going to be replaced soon, but I can't get rid of it yet.

We've identified a problem where Exchange isn't using the certificate we thought it was. In the EMC it looks like this:

R14Er91.png

It should be using the COMODO certificate but appears to be using the local certificate at the top of the list instead.

This was highlighted by a PCI DSS scan and confirmed by testing using checktls.com.

Any pointers on how to fix this? My Exchange knowledge is very surface and I don't want to break something I don't know how to fix.

The test SBS 2011 box I set up for comparison doesn't have this problem.
 
Soldato
Joined
15 Sep 2009
Posts
2,895
Location
Manchester
You should in theory just be able to unassign the SMTP service from the top certificate and it will start working as the COMODO certificate has both IIS and SMTP Services enabled on it.
 
Soldato
OP
Joined
20 Oct 2008
Posts
12,096
When I tried that it wouldn't let me. Something related to the internal transport.

From reading around this may be a priority issue. Unfortunately, I don't know how to check this, or how to change it if I need to.
 
Soldato
OP
Joined
20 Oct 2008
Posts
12,096
I've seen that and looked at it.

The service (SMTP) is already assigned to the COMODO certificate. Should I remove SMTP from that certificate and then add it back in as a separate operation?
 
Soldato
OP
Joined
20 Oct 2008
Posts
12,096
I think I've fixed it by removing the self-signed certificate completely.

Nothing appears to be broken and external diagnostics such as CheckTLS are now showing the correct certificate in use.

I was trying to remove services from the self-signed certificate, but from what I've found that isn't possible and you can only assign them.
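
The check the thread relies on (which certificate the server actually presents on SMTP) can also be run from any Windows machine; the PowerShell below is an added example, not part of the original posts, that issues STARTTLS and reports the presented certificate. The function name `Get-SmtpStartTlsCertificate`, the EHLO name and the host name are placeholders chosen for illustration.

```powershell
# Added example. Reports the certificate an SMTP listener presents after STARTTLS.
function Get-SmtpStartTlsCertificate {
    param([Parameter(Mandatory = $true)][string]$Server, [int]$Port = 25)

    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($Server, $Port)
    try {
        $stream = $client.GetStream()
        $stream.ReadTimeout = 10000
        $ascii  = [System.Text.Encoding]::ASCII
        $reader = New-Object System.IO.StreamReader($stream, $ascii)
        $writer = New-Object System.IO.StreamWriter($stream, $ascii)
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true

        # Read one SMTP reply; continuation lines have '-' after the 3-digit code.
        $readReply = {
            $lines = @()
            do { $line = $reader.ReadLine(); if ($line -ne $null) { $lines += $line } }
            while ($line -ne $null -and $line.Length -ge 4 -and $line[3] -eq '-')
            $lines
        }

        $banner = @(& $readReply)                      # 220 greeting
        $writer.WriteLine('EHLO tls-check.example')    # placeholder client name
        $ehlo = @(& $readReply)
        if (-not ($ehlo -match 'STARTTLS')) { throw 'Server did not advertise STARTTLS' }
        $writer.WriteLine('STARTTLS')
        $reply = @(& $readReply)
        if ($reply.Count -eq 0 -or $reply[-1] -notmatch '^220') { throw "STARTTLS refused: $reply" }

        # Accept any certificate: the goal is to inspect it, including a self-signed one.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($stream, $false, $acceptAll)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # Subject equal to Issuer is a quick indicator of a self-signed certificate.
        $cert | Select-Object Subject, Issuer, Thumbprint, NotAfter,
            @{ Name = 'SubjectEqualsIssuer'; Expression = { $_.Subject -eq $_.Issuer } }
    }
    finally { $client.Close() }
}

# mail.example.com is a placeholder host name.
Get-SmtpStartTlsCertificate -Server mail.example.com | Format-List
```

The thumbprint in the output can be compared with the list from `Get-ExchangeCertificate` in the Exchange Management Shell to see which installed certificate is being served.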
 