Certificate problem

Андрей Михалевский 2,846 Reputation points
2024-07-01T11:53:32.65+00:00

Hi. Exchange 2019 on-premises. I have a problem in the lab.

[screenshot]

I don't understand why the client sees this certificate. I did reissue it because the ECP said it was expired.

EX01: Default Web Site, no problem:

[screenshot]

Back End:

[screenshot]

EX02:

[screenshots]

  1. Why is the client accessing the computer's certificate?
  2. Could you please explain the standard certificates? Which services should they belong to? Microsoft Exchange Server Auth Certificate, WMSVC-SHA2, Microsoft Exchange

[screenshots]

Exchange Server Management

Accepted answer
Jake Zhang-MSFT 3,105 Reputation points Microsoft Vendor
    2024-07-02T02:33:46.48+00:00

    Hi @Андрей Михалевский,

    Welcome to the Microsoft Q&A platform!

    Based on your description, you are currently experiencing issues with certificate requests in your environment.

    1. For the question of "Why is the client accessing the computer's certificate?", if the client is seeing an unexpected certificate, it usually comes down to a few potential reasons:

    (1) If the certificate expired and was reissued, make sure the new certificate is properly bound to all necessary services.

    (2) Make sure the correct certificate is assigned to the correct service. In your environment, you need to assign the primary SSL/TLS certificate to IIS, SMTP, and any other related services.

    2. Regarding "standard certificates", here is a breakdown of the services that typically use standard certificates:

    (1) Microsoft Exchange Server Authentication Certificate:

    • Purpose: This certificate is used for OAuth authentication between Exchange servers and other Microsoft services.
    • Service: Primarily used for server-to-server authentication. It does not interact directly with client connections.

    (2) WMSVC-SHA2:

    • Purpose: This is usually related to the Web Management Service (WMSvc) of IIS.
    • Service: Used for managing Web servers and secure remote management.

    (3) Microsoft Exchange:

    • Purpose: This is usually the primary SSL/TLS certificate used for a variety of services, including OWA (Outlook Web App), ECP (Exchange Control Panel), and Autodiscover.
    • Service: Assigned to services such as IIS, SMTP, POP, and IMAP.

    3. I saw in your other case that you mentioned that you have checked IIS and the assigned services. However, when the client requests an invalid or unexpected certificate, it may cause problems even if IIS and the service assignment appear to be correct. Here are some possible reasons:

    (1) Sometimes, the client caches old certificates and continues to use them even after installing a new certificate. Clear the client's cache and try to reconnect.

    (2) Make sure there are not multiple bindings with different certificates on the same port. For example, in IIS, check the binding for HTTPS and make sure the correct certificate is selected.

    (3) If the DNS entry or Autodiscover settings are not set correctly, the client may be directed to the wrong service endpoint, which may display a different certificate.

    (4) After making changes, you must restart all related Exchange and IIS services to ensure that the new settings take effect.

    (5) Make sure that the intermediate certificates in the certificate chain are correctly installed on the server. Missing intermediate certificates may cause the client to consider the certificate invalid.

    (6) Make sure that the server is configured to support the correct SSL/TLS protocols and that the client is compatible with these protocols. Protocol mismatches may cause certificate errors.

    Please feel free to contact me if you have any queries.

    Best,

    Jake Zhang

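An added read-only diagnostic, not part of the question or of Jake Zhang's answer, that turns the answer's points 1(2) and 3(2) into one Exchange Management Shell script: it lists every certificate with its assigned services and expiry, shows which certificate each IIS HTTPS binding on "Default Web Site" and "Exchange Back End" actually presents, and flags a mismatch between the certificate enabled for the IIS service and the one bound on port 443. The two report functions are my own hypothetical names; it assumes Exchange 2019 with the WebAdministration module present on the server.

```powershell
# Added diagnostic, not from the thread. Run in the Exchange Management Shell on
# each server (EX01, EX02). Read-only: it reports and changes nothing.
Import-Module WebAdministration

# Hypothetical helper: every certificate Exchange sees, with assigned services and expiry.
function Get-ExchangeCertReport {
    Get-ExchangeCertificate | Sort-Object NotAfter | ForEach-Object {
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            Services   = "$($_.Services)"
            NotAfter   = $_.NotAfter
            Expired    = ($_.NotAfter -lt (Get-Date))
            SelfSigned = $_.IsSelfSigned
            Domains    = ($_.CertificateDomains -join ',')
        }
    }
}

# Hypothetical helper: which certificate each IIS HTTPS binding actually presents.
# Clients connect to "Default Web Site" (443); "Exchange Back End" (444) normally keeps
# the self-signed "Microsoft Exchange" certificate and should be left as it is.
function Get-IisHttpsBindingReport {
    foreach ($site in 'Default Web Site', 'Exchange Back End') {
        Get-WebBinding -Name $site -Protocol https | ForEach-Object {
            $cert = Get-ExchangeCertificate -Thumbprint $_.certificateHash -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Site       = $site
                Binding    = $_.bindingInformation
                Thumbprint = $_.certificateHash
                Subject    = $cert.Subject
                Expired    = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { 'unknown' }
            }
        }
    }
}

Get-ExchangeCertReport | Format-Table -AutoSize
Get-IisHttpsBindingReport | Format-Table -AutoSize

# Cross-check: the certificate enabled for the IIS service must be the one bound on 443,
# otherwise clients see a different certificate even though the assignment looks right.
$iisThumbs = @(Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' } |
    Select-Object -ExpandProperty Thumbprint)
Get-WebBinding -Name 'Default Web Site' -Protocol https |
    Where-Object { $_.bindingInformation -like '*:443:*' } | ForEach-Object {
        if ($iisThumbs -contains $_.certificateHash) { "OK: 443 binding uses $($_.certificateHash)" }
        else { "MISMATCH: 443 binding uses $($_.certificateHash); IIS service has $($iisThumbs -join ',')" }
    }
```

A MISMATCH line is the case the answer describes: the service assignment looks correct in Exchange while IIS still presents another (for example, the expired or the self-signed computer) certificate on 443.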
