Strange problem when changing the Exchange 2007 certificate on Windows 2008

Still on Exchange migrations here, and after wasting half of today on a very strange certificate problem, here’s the solution I eventually found.

I was changing the default self-signed Exchange 2007 cert to one generated from the local CA server. So far so normal… BUT whatever I did I could not get rid of the old certificate!

It was gone from the IIS 7 interface…

   It was not listed by the Get-ExchangeCertificate cmdlet…

      There was no sign of it in the local computer certificate store…

But every time I attached to the server with IE I was offered that same ^%^$£$* certificate that should have been gone!

After much searching and head scratching I eventually came across this method for manually viewing and changing the certificate bound to the SSL port. The binding lives in HTTP.sys, not in IIS Manager or the certificate store, and netsh http is the tool that manages it:

Running the command

   netsh http show sslcert

showed that, indeed, the old certificate was still bound to the port: the listing shows each binding’s IP:port, the certificate hash (thumbprint) it uses, and the application ID that owns it.

I then used the following command to get rid of the old one, where ipport is the IP:port value exactly as shown in the listing above:

   netsh http delete sslcert ipport=

And finally the following command to add the new cert:

   netsh http add sslcert ipport= certhash=hash appid={00112233-4455-6677-8899-AABBCCDDEEFF}

The hash you can copy from the Thumbprint value when you run Get-ExchangeCertificate in the Exchange Management Shell. It must be supplied as a single run of hex digits with no spaces; if you take it from the certificate MMC instead, remove the spaces first.

As for the appid – I tried to find out what was supposed to go here, and in the end just used the default GUID. It worked fine. The appid is only a GUID that tags which application owns the binding, and HTTP.sys accepts any GUID, so the one from the documentation example is fine. One caveat: if you run the command from the Exchange Management Shell rather than from cmd.exe, quote the appid value (appid='{00112233-4455-6677-8899-AABBCCDDEEFF}'), otherwise PowerShell tries to parse the braces and hyphens itself instead of passing them to netsh.
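The three netsh steps above, wrapped into a small PowerShell script so the check and the rebind can be repeated without retyping. This is an added example, not code from the original post; it assumes the binding to fix is on 0.0.0.0:443, uses the same placeholder appid as above, and includes a constructed sample of the `netsh http show sslcert` output so the parser can be tried without touching a live server. The GUID in the sample is the one IIS uses for its own bindings.

```powershell
# Added example (not from the original post): inspect and rebind the HTTP.sys SSL
# binding that netsh manages, so the old Exchange certificate is really replaced.
# Run from an elevated Exchange Management Shell; -WhatIf prints the netsh
# commands without executing them.

function Get-HttpSslBinding {
    # Parse the text output of 'netsh http show sslcert' into objects.
    # $Text defaults to live output; pass constructed text to exercise the parser offline.
    param([string[]]$Text = (netsh http show sslcert))
    $current = $null
    foreach ($line in $Text) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            if ($current) { $current }   # emit the previous binding
            $current = [pscustomobject]@{ IpPort = $Matches[1]; CertHash = $null; AppId = $null }
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
            $current.CertHash = $Matches[1].ToLower()
        }
        elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\{[0-9a-fA-F-]+\})') {
            $current.AppId = $Matches[1]
        }
    }
    if ($current) { $current }
}

function Set-HttpSslBinding {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$IpPort,       # IP:port value as shown by 'show sslcert'
        [Parameter(Mandatory)][string]$Thumbprint,   # Thumbprint from Get-ExchangeCertificate
        [string]$AppId = '{00112233-4455-6677-8899-AABBCCDDEEFF}'  # assumed; HTTP.sys accepts any GUID
    )
    # HTTP.sys wants the SHA-1 hash as 40 hex digits with no spaces (the MMC shows spaces).
    $hash = ($Thumbprint -replace '[^0-9a-fA-F]', '').ToLower()
    if ($hash.Length -ne 40) { throw "Thumbprint '$Thumbprint' is not a 40-hex-digit SHA-1 hash" }

    $existing = Get-HttpSslBinding | Where-Object { $_.IpPort -eq $IpPort }
    if ($existing -and $existing.CertHash -eq $hash) {
        Write-Verbose "Binding on $IpPort already uses $hash; nothing to do"
        return
    }
    if ($existing -and $PSCmdlet.ShouldProcess($IpPort, "netsh http delete sslcert (old hash $($existing.CertHash))")) {
        netsh http delete sslcert ipport=$IpPort | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($IpPort, "netsh http add sslcert certhash=$hash appid=$AppId")) {
        # appid is quoted so PowerShell passes the braces and hyphens through to netsh untouched.
        netsh http add sslcert ipport=$IpPort certhash=$hash appid="$AppId" | Out-Null
    }
}

# Constructed sample of 'netsh http show sslcert' output, to try the parser offline:
$sample = @'
SSL Certificate bindings:
-------------------------

    IP:port                 : 0.0.0.0:443
    Certificate Hash        : 0123456789abcdef0123456789abcdef01234567
    Application ID          : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name  : MY
'@ -split "`r?`n"
Get-HttpSslBinding -Text $sample | Format-Table -AutoSize

# Live use on the server (assumes the binding is on 0.0.0.0:443); drop -WhatIf to apply:
# $new = (Get-ExchangeCertificate | Where-Object { $_.Subject -like '*mail*' }).Thumbprint
# Set-HttpSslBinding -IpPort 0.0.0.0:443 -Thumbprint $new -WhatIf
```

Running `Get-HttpSslBinding` again after the rebind is the quickest confirmation that the hash on the port now matches the new thumbprint, which is the check that IIS Manager and the certificate store could not give here.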

After doing all of this the old cert was finally well and truly gone, and I could attach to Exchange 2007 using the new cert.

This all seemed rather a lot of effort, and none of the documentation I read said any of this netsh stuff would be needed – perhaps a bug with Exchange 2007 on Windows 2008?

About: Carol

I've been doing IT for 30 years, and IdM for 15. I live in Australia and build IdM solutions based on Microsoft Identity Manager. I also play the violin, but that doesn't help much with the IdM solutions.

One thought on “Strange problem when changing the Exchange 2007 certificate on Windows 2008”

  1. Thank you for this! I had the same issue, in the same environment as you. However in my case I could not run the command all at once, it would give an error “You must provide a value expression on the right-hand side of the ‘-‘ operator.” To run this i had to type:
    netsh and hit enter
    http and hit enter
    then add sslcert ipport= certhash=hash appid={00112233-4455-6677-8899-AABBCCDDEEFF}

    Thanks again!
