Strange problem when changing the Exchange 2007 certificate on Windows 2008

Still on Exchange migrations here, and after wasting half today on a very strange certificate problem, here’s the solution I eventually found.

I was changing the default self-signed Exchange 2007 cert to one generated from the local CA server. So far so normal… BUT whatever I did I could not get rid of the old certificate!

It was gone from the IIS 7 interface…

   It was not listed by the Get-ExchangeCertficate cmdlet…

      There was no sign of it in the local computer certifcate store…

But every time I attached to the server with IE I was offered that same ^%^$£$* certificate that should have been gone!

After much searching and head scratching I evenually came across this method for manually viewing and changing certs on the SSL port: http://technet.microsoft.com/en-us/library/cc727844.aspx

Running the command

   netsh http show sslcert

showed that, indeed, the old certificate was still bound to the port.

I then used the following command to get rid of the old one:

   netsh http delete sslcert ipport=0.0.0.0:443

And finally the following command to add the new cert:

   netsh http add sslcert ipport=0.0.0.0:443 certhash=hash appid={00112233-4455-6677-8899-AABBCCDDEEFF}

The hash you can copy from the Thumprint value when you run a Get-ExchangeCertificate in the Exchange Command Shell.

As for the appid – I tried to find out what was supposed to go here, and in the end just used the default GUID. It worked fine.

After doing all of this the old cert was finally well and truly gone, and I could attach to Exchange 2007 using the new cert.

This all seemed rather a lot of effort, and none of the documentation I read said any of this netsh stuff would be needed – perhaps a bug with Exchange 2007 on Windows 2008?