
“Unexpected” Exchange Certificate

While reviewing a customer’s Exchange server to appraise the current state of their certificates, the customer saw an "unexpected" certificate on the Exchange server.

Below is an Exchange 2010 SP3 RU24 server with a repro of the issue.  There was nothing wrong, but the reason for seeing the additional certificate was not readily apparent to them.

Background

The customer was looking in Exchange Management Shell and remarked that there were three certificates present.  This was unexpected, because as far as they were concerned there should only be two certificates installed into the local computer certificate store.

Exchange 2010 Management Shell Showing Three Certificates

Note that no services are assigned to the certificate, not even SMTP which loves to bind to multiple certificates.

When they looked in the certificate MMC, they saw the two certificates as expected.

Certificate MMC Showing Two Certificates

So where was the third certificate coming from?


Not Really Unexpected

Where did the third certificate come from?  Well, they actually had created it.  Previously they had gone to renew the certificate as it was expiring.

The Exchange tools show the pending certificate, as it can be completed from there.  Note in the screenshot below, where we look at all of the certificate properties, that the certificate with no services bound to it was actually in a PendingRequest state.

Exchange 2010 Management Shell Showing Certificate With Pending Status

The certificate MMC has a special place for pending certificate requests and the customer did not check this earlier.

This Certificate Enrollment Requests container is shown below:

Certificate MMC Showing Certificate With Pending Status
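The two views above (Exchange Management Shell on one side, the Personal and Certificate Enrollment Requests containers of the certificate MMC on the other) can be reconciled from the shell so that every entry Exchange lists is accounted for. The script below is an added example, not code from the original post; it assumes it runs in the Exchange Management Shell on the server itself (so Get-ExchangeCertificate is available), that the account can read the local machine certificate stores, and that the certificate provider exposes the enrollment requests container as Cert:\LocalMachine\REQUEST.

```powershell
# Added example (not from the original post). Assumes an Exchange Management
# Shell session on the Exchange server and read access to the local machine
# certificate stores. The REQUEST store path is an assumption about the
# certificate provider; the script tolerates its absence.

# 1. What Exchange knows about. A PendingRequest entry is the placeholder
#    Exchange keeps for a request it generated but that has not been
#    completed yet; it has no services bound because it is not yet usable.
$exchangeCerts = @(Get-ExchangeCertificate |
    Select-Object Thumbprint, Subject, Status, Services, NotAfter)

$pending = @($exchangeCerts | Where-Object { $_.Status -eq 'PendingRequest' })

"Exchange reports {0} certificate(s), of which {1} are pending request(s)" -f `
    $exchangeCerts.Count, $pending.Count
$exchangeCerts | Format-Table -AutoSize

# 2. What the MMC shows. Issued certificates live in the Personal (My) store;
#    requests that have not been completed live in the Certificate Enrollment
#    Requests (REQUEST) store, which is easy to overlook in the MMC.
#    Thumbprints are collected with ForEach-Object so this also works on the
#    PowerShell 2.0 that ships with the Exchange 2010 era.
$installed = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    ForEach-Object { $_.Thumbprint })
$requests  = @(Get-ChildItem -Path Cert:\LocalMachine\REQUEST -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Thumbprint })

# 3. Reconcile the two views by thumbprint. Anything Exchange lists that is in
#    neither store is the only case that actually warrants a closer look.
foreach ($cert in $exchangeCerts) {
    if ($installed -contains $cert.Thumbprint) {
        $where = 'LocalMachine\My (installed certificate)'
    } elseif ($requests -contains $cert.Thumbprint) {
        $where = 'LocalMachine\REQUEST (pending enrollment request)'
    } else {
        $where = 'not found in My or REQUEST - investigate'
    }
    "{0}  {1,-15}  {2}" -f $cert.Thumbprint, $cert.Status, $where
}
```

In the scenario on this page the third entry resolves to the REQUEST store, which is exactly what the PendingRequest status is telling you. A request that is never going to be completed can be finished with Import-ExchangeCertificate once the CA returns the issued certificate, or cleaned up with Remove-ExchangeCertificate against its thumbprint, so that a later review does not have to repeat this investigation.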


The Exchange GUI admin tools also show the same thing as the Management Shell.  Note that the last certificate states that "This is a pending certificate signing request".

Exchange MMC Showing Certificate With Pending Status


Mystery solved, back to the Mystery Machine!


Cheers,

Rhoderick


Rhoderick Milne [MSFT]

4 Comments

  1. Cute article! It proves one needs to be on the lookout for anything out of order in the IT infrastructure he/she owns.

    I am guessing you've changed subject data on a screenshot, otherwise too much of info about that client had leaked 🙂 Like, an HQ in the airport LOL

    Cheers!

  2. Hi Mick,

    Yeah - I will have changed one. The screen shots are all from my Tailspintoys lab so I don't leak where/who I am visiting 🙂

    Cheers,
    Rhoderick

  3. Hi Rhoderick,
    Not to hijack your post, but for an idea for a future post - do you have an "official" (to you at least) process for removing the old / expired Federation delegation certificates? It seems to be an undocumented thing, and just deleting the cert after it has been replaced gracefully, is not actually a graceful follow-on step.
    It needs us to do things in ADSI Edit, and so as a consultant, that's never fun to have as the only option. But if a certified master such as yourself happened to blog it, suddenly things will be far more acceptable:).

    Thanks for this one, and in advance if you ever decide to take me up on this!
