Outlook sees the old certificate.

Андрей Михалевский 3,451 Reputation points
2022-04-14T07:50:15.91+00:00

Hi. Outlook 2019. Exchange 2019 on-premise. 1 Mailbox server.

I updated the certificate and Outlook still sees the old one.

192897-certold.png

What is the problem? OWA sees the new certificate. https://mail.autorls.com/owa

[PS] C:\scripts>Get-ExchangeCertificate | fl  
  
  
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessContr  
                     ol.CryptoKeyAccessRule}  
CertificateDomains : {*.autorls.com, autorls.com}  
HasPrivateKey      : True  
IsSelfSigned       : False  
Issuer             : CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB  
NotAfter           : 23.03.2023 2:59:59  
NotBefore          : 22.03.2022 3:00:00  
PublicKeySize      : 2048  
RootCAType         : ThirdParty  
SerialNumber       : 2D611F40B3D4CEB1DD3464298CA9468B  
Services           : IIS, SMTP  
Status             : Valid  
Subject            : CN=*.autorls.com  
Thumbprint         : 350E8FCF60F20E073FFD85C171E874EA21D43082  

[PS] C:\scripts>.\GetExchangeURLs.ps1 -Server dtm-autorls-ex  
  
Outlook Anywhere  
 - Internal: mail.autorls.com  
 - External: mail.autorls.com  
  
  
Outlook Web App  
 - Internal: https://mail.autorls.com/owa  
 - External: https://mail.autorls.com/owa  
  
  
Exchange Control Panel  
 - Internal: https://mail.autorls.com/ecp  
 - External: https://mail.autorls.com/ecp  
  
  
Offline Address Book  
 - Internal: https://mail.autorls.com/OAB  
 - External: https://mail.autorls.com/OAB  
  
  
Exchange Web Services  
 - Internal: https://mail.autorls.com/EWS/Exchange.asmx  
 - External: https://mail.autorls.com/EWS/Exchange.asmx  
  
  
MAPI  
 - Internal: https://mail.autorls.com/mapi  
 - External: https://mail.autorls.com/mapi  
  
  
ActiveSync  
 - Internal: https://mail.autorls.com/Microsoft-Server-ActiveSync  
 - External: https://mail.autorls.com/Microsoft-Server-ActiveSync  
  
Autodiscover  
 - Internal SCP: https://mail.autorls.com/Autodiscover/Autodiscover.xml  

193022-certecp.png

There is only a new certificate in the system:

192977-certsystem.png

Default Web Site also has a new certificate. Exchange Back End by Default, Microsot Exchange

  • I tried connecting from different computers. Re-created the profile. It doesn't work. I don't understand why Outlook sees the old certificate. It's not there anywhere. What could be the problem?
Exchange | Exchange Server | Management
0 comments No comments
{count} votes

Accepted answer
  1. Andy David - MVP 158K Reputation points MVP Volunteer Moderator
    2022-04-14T12:13:16.53+00:00

    HI, can you renew the certificate on the root domain?

    If not you can bypass it with a registry setting
    https://support.microsoft.com/en-us/topic/outlook-2016-and-outlook-2013-hang-when-a-user-tries-to-create-a-profile-b808efa8-ecba-ed1a-1f8e-e3816ae35117

    Outlook 2016: Exclude the root domain from Autodiscover lookup in Outlook
    Important Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.

    To prevent Outlook 2016 from using the root domain of the user's SMTP address to locate the Autodiscover service, set the ExcludeHttpsRootDomain registry subkey to a value of 1. To do this, follow these steps:

    Open Registry Editor.

    Locate and then click the following registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Autodiscover

    On the Edit menu, point to New, and then click DWORD Value.

    Type ExcludeHttpsRootDomain, and then press Enter.

    On the Edit menu, click Modify, type 1 in the Value data box, and then click OK.

    Exit Registry Editor.

    Or with a Group Policy:

    https://learn.microsoft.com/en-us/outlook/troubleshoot/profiles-and-accounts/how-to-control-autodiscover-via-group-policy

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.