Exchange 2013/2016: Event ID 2001 Failed to load SSL certificate

After renewing the certificate on Exchange Server 2013 and Exchange Server 2016 (and most likely on Exchange 2010 as well), the following event is logged after restarting IIS:


[OWA] Failed to load SSL certificate

Logging on to OWA or ECP is then no longer possible; after entering the user name and password only an error page appears.


The background is this: Exchange binds the certificate to IIS by its thumbprint, which is the SHA-1 hash of the entire encoded certificate. A renewal issues a new certificate with a new serial number, validity period and CA signature, so even when it is renewed on the existing key pair (the private key stays the same) the thumbprint changes, and the stored binding now points at a certificate that no longer exists.


After the renewal, IIS is effectively left without a certificate. This is fixed from the Exchange Management Shell. First list the certificates; you will notice that the self-signed certificate created during installation appears to be the one bound to IIS:

Get-ExchangeCertificate | fl subject,services,thumb*

The thumbprint of the renewed certificate is then passed to the following command:

Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services IIS,SMTP,POP,IMAP

With that, the renewed certificate is bound to IIS again.

The second command also asks whether the existing default SMTP certificate should be overwritten, and that prompt still shows the old thumbprint: it is exactly this stale reference that produced the event above. After the certificate has been assigned, restart IIS (iisreset) and check that logging on to OWA and ECP works again. The event log message no longer appears.
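The whole procedure above as one script, added here as a worked example (this is not code from the original post). It selects the renewed certificate by subject, shows why the thumbprint changed by recomputing it as the SHA-1 of the DER-encoded certificate, binds the certificate, restarts IIS and verifies both the Exchange binding and the actual IIS HTTPS binding. The subject CN=mail.example.com is a placeholder assumption; run it in the Exchange Management Shell on the affected server with the renewed certificate already imported into the local machine store.

```powershell
# Added example, not part of the original post. Run in the Exchange Management Shell.
# Assumption: the renewed certificate carries this subject (adjust to your own).
$subject = 'CN=mail.example.com'

# 1. Show all Exchange certificates, newest first, to see which one currently has IIS.
Get-ExchangeCertificate | Sort-Object NotAfter -Descending |
    Format-Table Thumbprint, Subject, Services, NotBefore, NotAfter -AutoSize

# 2. Pick the renewed certificate: matching subject, valid now, latest expiry.
$now = Get-Date
$new = Get-ExchangeCertificate |
    Where-Object { $_.Subject -eq $subject -and $_.NotBefore -le $now -and $_.NotAfter -gt $now } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $new) { throw "No currently valid certificate with subject '$subject' found." }

# 3. The binding is by thumbprint. Older certificates with the same subject have a
#    different one, even if the renewal reused the key pair.
$old = Get-ExchangeCertificate |
    Where-Object { $_.Subject -eq $subject -and $_.Thumbprint -ne $new.Thumbprint }
if ($old) { "Old thumbprint(s): $($old.Thumbprint -join ', ')" }
"New thumbprint:    $($new.Thumbprint)"

# 4. Demonstrate why it changes: the thumbprint is just SHA-1 over the DER certificate,
#    so any change to serial, validity or CA signature yields a new value.
$x509 = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $new.Thumbprint }
if ($x509) {
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    $computed = ([System.BitConverter]::ToString($sha1.ComputeHash($x509.RawData))) -replace '-', ''
    "Thumbprint equals SHA-1(DER): $($computed -eq $new.Thumbprint)"
    "Has private key:               $($x509.HasPrivateKey)"
}

# 5. Bind the renewed certificate to IIS and the other services the post lists.
#    -Force suppresses the 'overwrite the existing default SMTP certificate?' prompt.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services IIS,SMTP,POP,IMAP -Force

# 6. Restart IIS and verify the Exchange-side binding.
iisreset /noforce | Out-Null
$check = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
if ("$($check.Services)" -notmatch 'IIS') { throw "IIS is still not bound to $($new.Thumbprint)" }
"IIS now bound to $($check.Thumbprint) ($($check.Subject)), valid until $($check.NotAfter)"

# 7. Cross-check the real IIS HTTPS binding on port 443 (the front-end site).
#    Port 444 belongs to the Exchange Back End site and keeps its self-signed certificate;
#    it is deliberately not touched here.
Import-Module WebAdministration
$binding443 = Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 443 }
$binding443 | Select-Object IPAddress, Port, Thumbprint
if ($binding443 | Where-Object { $_.Thumbprint -ne $new.Thumbprint }) {
    Write-Warning 'At least one port-443 SSL binding still uses a different thumbprint.'
}
```

Step 4 is the check that makes the failure mode understandable: the same key pair can sit behind several certificates, each with its own thumbprint, and Exchange stores only the thumbprint. Step 7 is worth keeping even after the event disappears, because a stale binding on a secondary IP address or a host-name binding on 443 would not show up in Get-ExchangeCertificate.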

2 thoughts on “Exchange 2013/2016: Event ID 2001 Failed to load SSL certificate”

  1. Thanks for the tip!
    I have been searching for hours and had already checked all the certs for validity. But it would never have occurred to me that the binding gets lost because the fingerprint changed :-(
    Surely everyone running Exchange with SSL and OWA must have this problem. Why doesn't MS put out a KB article for it? Or am I just too dumb to google?
    Thanks again and have a nice rest of the weekend, regards
    – Thomas

