Outlook sees the old certificate.

Question

Hi. Outlook 2019. Exchange 2019 on-premise. 1 Mailbox server.

I updated the certificate and Outlook still sees the old one.

What is the problem? OWA sees the new certificate. https://mail.autorls.com/owa

[PS] C:\scripts>Get-ExchangeCertificate | fl  
  
  
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessContr  
                     ol.CryptoKeyAccessRule}  
CertificateDomains : {*.autorls.com, autorls.com}  
HasPrivateKey      : True  
IsSelfSigned       : False  
Issuer             : CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB  
NotAfter           : 23.03.2023 2:59:59  
NotBefore          : 22.03.2022 3:00:00  
PublicKeySize      : 2048  
RootCAType         : ThirdParty  
SerialNumber       : 2D611F40B3D4CEB1DD3464298CA9468B  
Services           : IIS, SMTP  
Status             : Valid  
Subject            : CN=*.autorls.com  
Thumbprint         : 350E8FCF60F20E073FFD85C171E874EA21D43082  

[PS] C:\scripts>.\GetExchangeURLs.ps1 -Server dtm-autorls-ex  
  
Outlook Anywhere  
 - Internal: mail.autorls.com  
 - External: mail.autorls.com  
  
  
Outlook Web App  
 - Internal: https://mail.autorls.com/owa  
 - External: https://mail.autorls.com/owa  
  
  
Exchange Control Panel  
 - Internal: https://mail.autorls.com/ecp  
 - External: https://mail.autorls.com/ecp  
  
  
Offline Address Book  
 - Internal: https://mail.autorls.com/OAB  
 - External: https://mail.autorls.com/OAB  
  
  
Exchange Web Services  
 - Internal: https://mail.autorls.com/EWS/Exchange.asmx  
 - External: https://mail.autorls.com/EWS/Exchange.asmx  
  
  
MAPI  
 - Internal: https://mail.autorls.com/mapi  
 - External: https://mail.autorls.com/mapi  
  
  
ActiveSync  
 - Internal: https://mail.autorls.com/Microsoft-Server-ActiveSync  
 - External: https://mail.autorls.com/Microsoft-Server-ActiveSync  
  
Autodiscover  
 - Internal SCP: https://mail.autorls.com/Autodiscover/Autodiscover.xml  

There is only a new certificate in the system:

Default Web Site also has a new certificate. Exchange Back End by Default, Microsot Exchange

• I tried connecting from different computers. Re-created the profile. It doesn't work. I don't understand why Outlook sees the old certificate. It's not there anywhere. What could be the problem?

Answer 1

HI, can you renew the certificate on the root domain?

If not you can bypass it with a registry setting
https://support.microsoft.com/en-us/topic/outlook-2016-and-outlook-2013-hang-when-a-user-tries-to-create-a-profile-b808efa8-ecba-ed1a-1f8e-e3816ae35117

Outlook 2016: Exclude the root domain from Autodiscover lookup in Outlook
Important Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.

To prevent Outlook 2016 from using the root domain of the user's SMTP address to locate the Autodiscover service, set the ExcludeHttpsRootDomain registry subkey to a value of 1. To do this, follow these steps:

Open Registry Editor.

Locate and then click the following registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Autodiscover

On the Edit menu, point to New, and then click DWORD Value.

Type ExcludeHttpsRootDomain, and then press Enter.

On the Edit menu, click Modify, type 1 in the Value data box, and then click OK.

Exit Registry Editor.

Or with a Group Policy:

https://learn.microsoft.com/en-us/outlook/troubleshoot/profiles-and-accounts/how-to-control-autodiscover-via-group-policy