Exchange certificate problem

bremen1874 · 4 Jul 2019 at 12:26

I've got an SBS2011 server running Exchange 2010. It's going to be replaced soon, but I can't get rid of it yet.

We've identified a problem where Exchange isn't using the certificate we thought it was. In the EMC it looks like this:

It should be using the COMODO certificate but appears to be using the local certificate at the top of the list instead.

This was highlighted by a PCI DSS scan and confirmed by testing using checktls.com.

Any pointers on how to fix this? My Exchange knowledge is very surface and I don't want to break something I don't know how to fix.

The test SBS 2011 box I set up for comparison doesn't have this problem.

bremen1874 · 4 Jul 2019 at 15:02

When I tried that it wouldn't let me. Something related to the internal transport.

From reading around this may be a priority issue. Unfortunately, I don't know how to check this, or how to change it if I need to.

bremen1874 · 4 Jul 2019 at 16:12

I've seen that and looked at it.

The service (SMTP) is already assigned to the COMODO certificate. Should I remove SMTP from that certificate and then add it back in as a separate operation?

bremen1874 · 4 Jul 2019 at 16:59

They're both valid.

For some reason, it's using the self-signed certificate externally instead of the COMODO certificate.

bremen1874 · 5 Jul 2019 at 01:11

I think I've fixed it by removing the self-signed certificate completely.

Nothing appears to be broken and external diagnostics such as CheckTLS are now showing the correct certificate in use.

I was trying to remove services from the self-signed certificate, but from what I've found that isn't possible and you can only assign them.