When reviewing a customer’s Exchange server to appraise the current state of their certificates, they saw an "unexpected" certificate on the Exchange server.
The below is an Exchange 2010 SP3 RU24 server with a repro of the issue. There was nothing wrong, but the reason for seeing the additional certificate was not readily apparent to them.
The customer was looking in Exchange Management Shell and remarked that there were three certificates present. This was unexpected, because as far as they were concerned there should only be two certificates installed into the local computer certificate store.
Note that no services are assigned to the certificate, not even SMTP which loves to bind to multiple certificates.
When they looked in the certificate MMC, they saw the two certificates as expected.
So where was the third certificate coming from?
Not Really Unexpected
Where did the third certificate come from? Well, they actually had created it. Previously they had gone to renew the certificate as it was expiring.
The Exchange tools show the pending certificate, as it can completed from there. Note in the screenshot below where we look at all of the certificate properties we can see that the status of the certificate with no services bound to it was actually in a PendingRequest state.
The certificate MMC has a special place for pending certificate requests and the customer did not check this earlier.
This Certificate Enrollment Requests container is shown below:
The Exchange GUI admin tools also show the same thing as the Management Shell. Note that the last certificate states that "This is a pending certificate signing request"
Mystery solved, back to the Mystery Machine!