I have a problem with strange behavior of IIS 8.5. The server hosts Exchange with SSL configured, of course. The problem started when I replaced the StartCom intermediate certificate, moving from SHA1 to SHA2. It works on all my resources except this one Exchange server.

What I did: I removed the old SHA1 intermediate certificate from the cert store, downloaded the proper certificate from StartCom, re-bound the web sites and rebooted the server. It did not help. When I open the web site on the server itself it works, but remotely the server keeps sending the old SHA1 certificate. I checked that there is no certificate with this serial number on the server.

I dug through the internet and found a similar problem, "IIS sends incorrect intermediate SSL certificate". The guy had the same issue. Unfortunately, none of the solutions there helped me. My server returns a wrong intermediate certificate which doesn't even exist on the server.

Does somebody know if there is a way to get IIS to build the cert chain with specific certificates? Thanks.
2 Answers
Does the new certificate have an intermediate? If so, make sure you have imported it correctly.
Go to Exchange Admin Center, then Servers, then the Certificates tab, then edit the services needed (IIS).

Kevin Roberts
I'm sure that the intermediate certificate was imported correctly. My certificate was not changed, because StartSSL re-keyed the intermediate certificate. When I open my certificate in mmc I see the correct chain with the same new intermediate cert, with the new expiration date and serial, but when I open the certificate sent to me by IIS from my site I see the old intermediate cert. Exchange works normally, but the red shield annoys me. – Dreem2001 Sep 28 '15 at 09:43
Was your SSL certificate actually signed by this new intermediate cert? If you haven't re-keyed the certificate with your CA, it will still have the old intermediate in its chain.
If you did generate a new certificate, you may need to reboot the IIS server. I've seen IIS cache the certificate chain, and rebooting fixes the issue.

Bad Dos
Is it possible to make sure which intermediate certificate is the proper one (serial, thumbprint or something else) for my certificate? Actually, I didn't re-key the other certificates from StartSSL, and they work properly after replacing the intermediate certificate in the certificate store on all servers. A reboot doesn't help for my Exchange. But that's correct: I had to reboot every server after replacing the intermediate cert. – Dreem2001 Sep 28 '15 at 09:47
Your CA should be able to tell you what Intermediate to use and how to install/configure it. Contact their support. – Bad Dos Sep 28 '15 at 20:21
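One way to answer the question raised in the comments (which intermediate is the right one, and which one the server is really sending) from a client machine, added here as an example and not part of the question or either answer. It connects over TLS, records the chain built from what the server presented, checks whether each sent intermediate's Subject Key Identifier matches the leaf's Authority Key Identifier, and looks the sent intermediate up in the local CA store. The host name is an assumption; the AKI text format is assumed to be `KeyID=...`.

```powershell
# Added diagnostic, not code from the question or the answers.
# $ServerName is an assumption: replace it with your Exchange host name.
param([string]$ServerName = 'mail.example.com', [int]$Port = 443)

function Get-KeyId([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Oid) {
    # 2.5.29.14 = Subject Key Identifier, 2.5.29.35 = Authority Key Identifier.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if (-not $ext) { return $null }
    if ($ext -is [System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension]) {
        return $ext.SubjectKeyIdentifier.ToUpper()
    }
    # Assumption: Format() renders the AKI as "KeyID=ab cd ..."; normalise to bare hex.
    if ($ext.Format($false) -match 'KeyID=([0-9A-Fa-f ]+)') { return ($Matches[1] -replace ' ', '').ToUpper() }
    return $null
}

# The validation callback sees the chain the client built from the certificates
# the server actually sent, which is what a remote browser evaluates.
$global:PresentedChain = @()
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $global:PresentedChain = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    return $true   # inspection only; do not fail the handshake here
}
$tcp = New-Object System.Net.Sockets.TcpClient($ServerName, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try { $ssl.AuthenticateAsClient($ServerName) } finally { $ssl.Dispose(); $tcp.Close() }

$leaf = $global:PresentedChain[0]
$wantedKeyId = Get-KeyId $leaf '2.5.29.35'
Write-Output "Leaf: $($leaf.Subject)  AKI=$wantedKeyId"

foreach ($c in ($global:PresentedChain | Select-Object -Skip 1)) {
    $ski = Get-KeyId $c '2.5.29.14'
    # Is the certificate the server sent present in this machine's CA/Root store?
    $inStore = [bool](Get-ChildItem Cert:\LocalMachine\CA, Cert:\LocalMachine\Root |
                      Where-Object { $_.Thumbprint -eq $c.Thumbprint })
    Write-Output "Sent: $($c.Subject)"
    Write-Output "  serial=$($c.SerialNumber) thumbprint=$($c.Thumbprint) expires=$($c.NotAfter)"
    Write-Output "  SKI=$ski matchesLeafAKI=$($ski -eq $wantedKeyId) inLocalStore=$inStore"
}
```

Run it from a machine other than the Exchange server, since the question notes the chain looks correct when checked locally; a sent intermediate whose SKI does not match the leaf's AKI, or whose thumbprint is not in the server's store, is the stale one being served from cache.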