On my Exchange server, I have two CAS servers in a CAS NLB array. I need to install a 3rd party SAN/UCC certificate on both of these servers for OWA. I generated the request on CAS1, submitted it to a public CA and installed it on the CAS1 server. I didn’t generate a CSR on the CAS2 server. I exported the certificate out of CAS1 (with the private key), went to the CAS2 server and imported it into CAS2. The certificate shows as installed on CAS2. Problem is that EMC reports “The certificate is invalid for Exchange server usage” and it shows a red “X” next to the certificate in the EMC.
I’ve tried using both the Certificates MMC and EMC to export it from CAS1 and using both to import it into the CAS2 server, but no luck. I’ve tried removing the certificate using both EMC and the Certificates MMC, but when I import it back in I still get the same results. I’ve even restored the complete server from backup to a previous state before I started the certificate import process, but I got the same results. Because I’ve gotten the same results after a restore, I’m concerned that something else is wrong here. I can double-click on the certificate in the EMC and in the Certificates MMC and both report that the certificate is valid, so the trusted root is working.
I wanted to rebuild the local server certificate store but I would think that a complete restore of a server would return the local server certificate store to the previous state. Is there any certificate metadata maintained in AD for a computer object or more specifically for Exchange server objects? Is there anywhere that I can look to figure out why Exchange 2010 SP3 UR2 is reporting that a certificate is valid on one CAS NLB array node but not valid on an identical node?
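The node-by-node comparison the question is asking for, as an added PowerShell diagnostic that is not part of the original post: it assumes the Exchange Management Shell with WinRM access to both nodes, and CAS1, CAS2 and the thumbprint are placeholders to fill in from Get-ExchangeCertificate on the node where the CSR was generated.

```powershell
# Added diagnostic (not from the original post). Run from the Exchange Management Shell.
# CAS1/CAS2 and the thumbprint are placeholders; use the real SAN certificate thumbprint.
$Servers    = 'CAS1', 'CAS2'
$Thumbprint = '<THUMBPRINT-OF-SAN-CERT>'

$results = foreach ($server in $Servers) {
    # 1. Exchange's own verdict. Status is the field behind the EMC red X and is more
    #    specific than "invalid" (e.g. Untrusted, DateInvalid, RevocationCheckFailure).
    $exCert = Get-ExchangeCertificate -Server $server -Thumbprint $Thumbprint -ErrorAction SilentlyContinue

    # 2. An independent view from the node's own machine store: is the cert there, does it
    #    carry a private key, and does a chain build succeed with online revocation checking?
    $local = Invoke-Command -ComputerName $server -ArgumentList $Thumbprint -ScriptBlock {
        param($tp)
        $c = Get-ChildItem -Path "Cert:\LocalMachine\My\$tp" -ErrorAction SilentlyContinue
        if (-not $c) { return [pscustomobject]@{ InStore = $false } }
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $ok = $chain.Build($c)
        [pscustomobject]@{
            InStore       = $true
            HasPrivateKey = $c.HasPrivateKey
            ChainOk       = $ok
            ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
    }

    [pscustomobject]@{
        Server        = $server
        ExchangeFound = [bool]$exCert
        Status        = $exCert.Status
        Services      = $exCert.Services
        InStore       = $local.InStore
        HasPrivateKey = $local.HasPrivateKey
        ChainOk       = $local.ChainOk
        ChainStatus   = $local.ChainStatus
    }
}

# Side-by-side view: any column that differs between the two nodes is where to dig,
# and a ChainStatus that is empty on CAS1 but not on CAS2 points at trust or revocation
# reachability on CAS2 rather than at the certificate itself.
$results | Format-Table -AutoSize
```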