During a review of a customer's Exchange server to appraise the current state of their certificates, the customer saw an "unexpected" certificate on the Exchange server.
The server shown below is an Exchange 2010 SP3 RU24 server with a repro of the issue. There was nothing wrong, but the reason for seeing the additional certificate was not readily apparent to them.
Background
The customer was looking in Exchange Management Shell and remarked that there were three certificates present. This was unexpected, because as far as they were concerned there should only be two certificates installed into the local computer certificate store.
Note that no services are assigned to the certificate, not even SMTP, which loves to bind to multiple certificates.
When they looked in the certificate MMC, they saw the two certificates as expected.
So where was the third certificate coming from?
Not Really Unexpected
Where did the third certificate come from? Well, they actually had created it. Previously they had gone to renew the certificate as it was expiring.
The Exchange tools show the pending certificate, as it can be completed from there. Note in the screenshot below, where we look at all of the certificate properties, that the status of the certificate with no services bound to it was actually PendingRequest.
The certificate MMC has a special place for pending certificate requests and the customer did not check this earlier.
This Certificate Enrollment Requests container is shown below:
The Exchange GUI admin tools also show the same thing as the Management Shell. Note that the last certificate states that "This is a pending certificate signing request".
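The reconciliation walked through by hand above, as an added PowerShell example that is not part of the original post: it lists what Get-ExchangeCertificate reports and shows whether each entry sits in the Personal store or in Certificate Enrollment Requests. It assumes it is run in the Exchange Management Shell on the Exchange server itself, and that the thumbprint Exchange reports for a pending request matches the entry in Cert:\LocalMachine\REQUEST.

```powershell
# Added example: run in the Exchange Management Shell on the server being reviewed.
# Compares the Exchange view of certificates with the two local computer stores
# from the article: Personal (My) and Certificate Enrollment Requests (REQUEST).

# Thumbprints currently present in each store.
$personal = @(Get-ChildItem Cert:\LocalMachine\My      | ForEach-Object { $_.Thumbprint })
$requests = @(Get-ChildItem Cert:\LocalMachine\REQUEST | ForEach-Object { $_.Thumbprint })

$report = foreach ($cert in @(Get-ExchangeCertificate)) {
    # Assumption: Exchange reports the same thumbprint the store entry carries.
    if     ($personal -contains $cert.Thumbprint) { $store = 'Personal (My)' }
    elseif ($requests -contains $cert.Thumbprint) { $store = 'Certificate Enrollment Requests (REQUEST)' }
    else                                          { $store = 'Not found in My or REQUEST' }

    New-Object PSObject -Property @{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Status     = "$($cert.Status)"   # string form also works over remote PowerShell
        Services   = "$($cert.Services)"
        NotAfter   = $cert.NotAfter
        Store      = $store
    }
}

# One row per certificate Exchange knows about, with the store that holds it.
$report | Sort-Object Status |
    Format-Table Subject, Status, Services, NotAfter, Store -AutoSize

# Pending requests are the entries that look "extra" next to the Personal store view.
$pending = @($report | Where-Object { $_.Status -eq 'PendingRequest' })
if ($pending.Count -gt 0) {
    Write-Host "$($pending.Count) pending certificate request(s):"
    $pending | Format-List Subject, Thumbprint, Store
} else {
    Write-Host 'No pending certificate requests found.'
}
```

Any row marked "Not found in My or REQUEST" is the one worth a closer look during a certificate review.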
Mystery solved, back to the Mystery Machine!
Cheers,
Rhoderick





Cute article! It proves one needs to be on the lookout for anything out of order over what IT infrastructure he/she owns.
I am guessing you've changed subject data on a screenshot, otherwise too much of info about that client had leaked 🙂 Like, an HQ in the airport LOL
Cheers!
Hi Mick,
Yeah - I will have changed one. The screenshots are all from my Tailspintoys lab so I don't leak where/who I am visiting 🙂
Cheers,
Rhoderick
Hi Rhoderick,
Not to hijack your post, but for an idea for a future post - do you have an "official" (to you at least) process for removing the old / expired Federation delegation certificates? It seems to be an undocumented thing, and just deleting the cert after it has been replaced gracefully, is not actually a graceful follow-on step.
It needs us to do things in ADSI Edit, and so as a consultant, that's never fun to have as the only option. But if a certified master such as yourself happened to blog it, suddenly things will be far more acceptable :).
Thanks for this one, and in advance if you ever decide to take me up on this!
Hi Jeremy,
I see you already went through the Docs article and provided some excellent feedback there - thank you!
https://docs.microsoft.com/en-us/exchange/renew-the-federation-certificate-exchange-2013-help
If I understand correctly, you are asking what should be done with the old cert once it has been renewed - is that correct?
Cheers,
Rhoderick