Install Ssl Certificate On Iis7 Redirect


IIS 7 Still Serving old SSL Certificate

First, a couple of points that are probably the same for you: I was trying to update a certificate because it has expired. I have multiple domains bound to the same IP. They happen to be a SAN certificate, but that's probably irrelevant. I was trying to use the centralized certificate store. Again, I think this is irrelevant to most of my answer. I had already attempted to update the certificate, but it wasn't showing the new date.

You're probably in a panic right now if your old certificate already expired. Take a deep breath.

First, I'd recommend strongly going to https www. DigiCert tool. You can also use it online. Enter in your website https example. MS calls the certificate hash. It does a real-time lookup, so you don't have to worry whether or not your browser or intermediate server is caching something.

If you're using the centralized certificate store you'll want to be 1. C WEBSITESSSL certutil dump www.
This will show you the expiration date and hash/thumbprint. Obviously, if this expiration date is wrong, you probably just exported the wrong certificate to the filesystem, so go and fix that first.

If you are using the CCS, then assuming this certutil command gives you the expected expiration date of your updated certificate, you can proceed.

Run the command netsh http show sslcert c tempcertlog. You likely have a lot of stuff in here, so it's easier to open it up in a text editor. You'll want to search this file for the WRONG hash that you got from DigiCert. Chrome. For me this yielded the following. You'll see it is bound to an IP and not my expected domain name. This is the problem. It seems that this (for whatever reason, I'm not sure) takes precedence over the binding set in IIS that I just updated for example.

IP port 1. Certificate Hash d. Application ID 4dc. Certificate Store Name My. Verify Client Certificate Revocation Enabled. Verify Revocation Using Cached Client Certificate Only Disabled. Usage Check Enabled. Revocation Freshness Time 0. URL Retrieval Timeout 0. Ctl Identifier null. Ctl Store Name null. DS Mapper Usage Disabled. Negotiate Client Certificate Disabled.

I don't even know where this binding came from. I don't even have any SSL bindings on my default site, but this server is a few years old and I think something just got corrupted and stuck. So you'll want to delete it.

To be on the safe side, you'll want to run the following command first to be sure you're only deleting this one item: C Windowssystem. SSL Certificate bindings. Verify Revocation Using Cached Client Certificate Only Disabled. Usage Check Enabled. Revocation Freshness Time 0. URL Retrieval Timeout 0. Ctl Identifier null. Ctl Store Name null. DS Mapper Usage Disabled. Negotiate Client Certificate Disabled.

Now we've verified this is the bad thumbprint and the expected single record, we can delete it with this command: C Windowssystem.
SSL Certificate successfully deleted.

Hopefully, if you now go back to DigiCert and re-run the command, it will give you the expected certificate thumbprint. You should check all SAN names, if you have any, just to be sure. Probably want to IISRESET here to be sure there are no surprises later.

Final note: If you're using the centralized certificate store and you're seeing erratic behavior trying to even determine if it is picking up your certificate from there or not, don't worry, it's not your fault. It seems to sometimes pick up new files immediately, but cache old ones. Opening and resaving the SSL binding after making any kind of change seems to reset it but not 1.

Outlook 2007 Certificate Error (Elan Shudnow's Blog)

When importing a new certificate into Exchange 2. Outlook 2. 00. 72. I have included a screenshot of the error I encountered with Outlook 2. When you choose the View Certificate button, it brings up another window that shows you what certificate is in error. In this case, the certificate name is mail.

So the million dollar question: why the error? Well, when we install a new certificate, there are a few tasks we want to do. Obviously, we install the certificate for a purpose. This purpose is to allow us to use Exchange services securely. So how do we enable Exchange to use these services? If you are planning to do a very simple configuration and do not care about external Autodiscover access, you do not need to use a Unified Communication Certificate. You can read more about these certificates in one of my other articles here.

So let's say we have a simple regular common certificate. A certificate with a Common Name (CN) of mail. We install this certificate onto our Exchange box with its private key. In our case we were migrating, so we did not have to request a certificate via IIS. We just exported it with its private key and imported it onto the new box. We then assigned this certificate to IIS.
Now I went to the Exchange Management Shell and enabled Exchange services to use this certificate. In order to do this, you must run the following commands:

Get-ExchangeCertificate
Thumbprint Services Subject BCF9. F2. C3. D2. 45. E2. AB5. 89. 5C3. 7D8. D9. 14. 50. 3D1. 62. E9 SIP. W CNmail.

What I did was go ahead and enable all new services to use every available service by using the following command:

Enable-ExchangeCertificate services IMAP, POP, UM, IIS, SMTP Thumbprint BCF9. F2. C3. D2. 45. E2. AB5. 89. 5C3. 7D8. D9. 14. 50. 3D1. 62. E9.

The next step would be to ensure the AutodiscoverInternalURI is pointed to the CAS that will be your primary CAS for Autodiscover servicing.

Get-ClientAccessServer Identity CASServer FL AutoDiscoverServiceInternalUri https casnetbiosnameAutodiscoverAutodiscover.

See the issue here? We are not using a UC certificate that contains the names, casnetbiosname, casnetbiosname. Since the Autodiscover directory in IIS will be requiring SSL encryption, the URL specified in the AutoDiscoverServiceInternalURI must match what is specified in your certificate. You must also ensure there is a DNS record that allows mail. CAS. We should reconfigure the AutoDiscoverServiceInternalURI by using the following command:

Set-ClientAccessServer Identity CASServer AutoDiscoverServiceInternalUri https mail. AutodiscoverAutodiscover.

We now need to go configure all the InternalURLs for each web distributed service. If you are going to be utilizing the Autodiscover service from the outside or for non-domain-joined clients, you may want to configure an ExternalURL in addition to your InternalURL.

Here is the reason why we were receiving the certificate errors. Your InternalURLs most likely are not using mail. Your InternalURLs are most likely pointed to something such as https casnetbiosnameService. URL which will fail since this is not the CN of your simple certificate.
You can run the following commands to fix your InternalURLs so your Outlook 2.

Set-WebServicesVirtualDirectory Identity CASServerEWS Default Web Site InternalURL https mail. EWSExchange. BasicAuthentication true.

Set-OABVirtualDirectory Identity CASServerOAB Default Web Site InternalURL https mail. OAB

Note: You must ensure that you enable SSL on the OAB directory in IIS, which is not on by default. The above command will only enable SSL, but will not ensure 1. SSL is required.

Enable-OutlookAnywhere Server CASServer ExternalHostname mail. shudnow. ClientAuthenticationMethod Basic SSLOffloading False.

Note: The above Enable-OutlookAnywhere command works on SP1. For RTM, substitute ClientAuthenticationMethod with ExternalAuthenticationMethod.

Set-ActiveSyncVirtualDirectory Identity CASServerMicrosoft Server ActiveSync Default Web Site ExternalURL https mail. Microsoft Server Activesync.

Set-UMVirtualDirectory Identity CASServerUnifiedMessaging Default Web Site InternalURL https mail. Unified. MessagingService. BasicAuthentication true.

Note: The above Set-UMVirtualDirectory command is not needed in Exchange 2. Exchange 2010 no longer contains a UnifiedMessaging virtual directory and instead uses the Web Services Virtual Directory.

Elan Shudnow Aug. Exchange, Exchange 2.

© 2017