Exchange Server 2010 and Outlook Anywhere Cert warnings
All,
When users connect externally via Outlook Anywhere they receive a certificate warning stating that the certificate has expired. When I view the certificate it has in fact expired. If the users connect to OWA or internally to Exchange everything works fine and I notice the user is pulling the correct cert. However, I cannot locate the cert that Outlook Anywhere is using in order to renew or replace it. Does anyone know where this cert is located and how to replace it?
May 8th, 2012 10:33am
Run - Mmc
File Add or Remove Snapin
--
Certificates - Click ok . Computer Account
---
You should see it in Trusted and Personal Containers
Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog: http://www.careexchange.in | Please mark it as an answer if it really helps you
May 8th, 2012 12:57pm
This would be on the Exchange 2010 CAS server...correct? I see the correct cert that is not expired. However, I do not see the cert that users are picking up when connecting externally via Outlook anywhere.
May 8th, 2012 1:54pm
See what Get-ExchangeCertificate |fl returns on your Exch server, do this on the CAS Server
Sukh
May 8th, 2012 6:20pm
Hi,
Please try to run get-outlookprovider -expr |fl to check the certificate name.
Then please run get-exchangecertificate |fl to try to find the certificate.
Renew an Exchange Certificate
http://technet.microsoft.com/en-us/library/ee332322.aspx
Note: After you generate a certificate request, you must submit it to a certification authority, obtain a signed certificate and install the certificate on the same server. For details, see "Obtain a Server Certificate from a Certification Authority" and "Install an SSL Certificate on a Client Access Server".
Xiu Zhang
TechNet Community Support
May 9th, 2012 3:50am
I have run both get-outlookprovider -expr |fl and get-exchangecertificate |fl.
Running these commands did not locate the expired cert that Outlook Anywhere is using. It found the cert that OWA uses, which is not expired.
May 9th, 2012 9:44am
How long ago did you change the certificate? Has the server been rebooted since then?
And I assume this is for all external users?
They haven't saved it on their PC?
Can you test with a PC which hasn't been used before (A test PC)?
Have you checked the OLK Profile config to check the certificate principal name?
And the Outlook provider Cert principal name?
http://technet.microsoft.com/en-us/library/bb123683.aspx
Sukh
May 9th, 2012 9:54am
The new certificate was put in place April 2012. The server has been rebooted since.
Yes, this is only for external users. I have tried to save it on their PC with no luck.
I will try a test PC and check the OLK profile.
It still will connect to their mailbox via Outlook Anywhere after the user clicks through the certificate warning. It's more of an annoyance and somewhat baffling.
May 9th, 2012 11:10am
Can you post the results of Get-ExchangeCertificate?
Sukh
May 9th, 2012 11:26am
[PS] C:\Windows\system32>Get-ExchangeCertificate | FL
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
ule}
CertificateDomains : {HOU-EXC-CAS.vbar.com}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=Veber Enterprise Certificate Authority, DC=vber, DC=com
NotAfter : 2/2/2013 7:48:11 PM
NotBefore : 2/3/2012 7:48:11 PM
PublicKeySize : 1024
RootCAType : Enterprise
SerialNumber : 257C50A90001000021AC
Services : IMAP, POP
Status : Valid
Subject : CN=HOU-EXC-CAS.vbar.com
Thumbprint : 80E50C85B9BAD3B24E831CFDFC1D12F9F013967C

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
ule}
CertificateDomains : {*.vber.com, vber.com}
HasPrivateKey : True
IsSelfSigned : False
Issuer : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.
com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter : 4/9/2014 4:20:43 PM
NotBefore : 4/11/2011 9:27:55 AM
PublicKeySize : 2048
RootCAType : ThirdParty
SerialNumber : 4B440CD73845C7
Services : IIS
Status : Valid
Subject : CN=*.vber.com, OU=IT, O=Veber Inc., L=Houston, S=TX, C=US
Thumbprint : 979141860672EB5AA209340148B7047256C9B106

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
ule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAcc
essRule}
CertificateDomains : {HOU-EXC-CAS, HOU-EXC-CAS.vbar.com}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=HOU-EXC-CAS
NotAfter : 1/11/2015 11:17:11 AM
NotBefore : 1/11/2010 11:17:11 AM
PublicKeySize : 2048
RootCAType : None
SerialNumber : 6A7DF00C09A14C9946FEE98EA8F63202
Services : IMAP, POP, SMTP
Status : Valid
Subject : CN=HOU-EXC-CAS
Thumbprint : 3349BDCA749BB99E5C78A4B47108ACEEDD255D62

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
ule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAcc
essRule}
CertificateDomains : {HOU-EXC-CAS, HOU-EXC-CAS.vbar.com}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=HOU-EXC-CAS
NotAfter : 1/7/2015 9:26:57 PM
NotBefore : 1/7/2010 9:26:57 PM
PublicKeySize : 2048
RootCAType : None
SerialNumber : 53D9ECD33145388F41C7FF664F249799
Services : IMAP, POP, SMTP
Status : Valid
Subject : CN=HOU-EXC-CAS
Thumbprint : ED1022D7CD0F02F89DB0BEE35F3004F28CF67C07

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
ule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {WMSvc-HOU-EXC-CAS}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=WMSvc-HOU-EXC-CAS
NotAfter : 1/5/2020 5:51:24 PM
NotBefore : 1/7/2010 5:51:24 PM
PublicKeySize : 2048
RootCAType : Registry
SerialNumber : 112DCB5D5957DC8F43A9F411FF9FD5B8
Services : None
Status : Valid
Subject : CN=WMSvc-HOU-EXC-CAS
Thumbprint : 4D706FA04563AE8FD76E04E97C0D0ED94FDBC8B0
May 9th, 2012 2:10pm
And what's the external name? Is it covered by that wild card you're using?
Sukh
May 9th, 2012 2:14pm
Yes, it's covered by the wildcard cert.
May 9th, 2012 3:44pm
Are you sure the certificate isn't coming from something else? Firewall, web browser somewhere else etc? If you only have one web site on the server then only one SSL certificate can be bound to the web site. If the correct certificate is shown internally then the problem has to be elsewhere.
Simon.
Simon Butler, Exchange MVP | Blog | Exchange Resources | In the UK? Hire Me.
May 9th, 2012 3:59pm
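Added example, not part of the thread: one way to test whether the expired certificate is served by the CAS or by another device in front of it is to fetch the certificate the external name actually presents and look for its thumbprint in the server's Personal store. The function name `Get-PresentedCertificate` and the host `mail.example.com` are placeholders assumed for illustration; substitute the external Outlook Anywhere host name.

```powershell
# Added example. Fetches the certificate a TLS endpoint presents,
# even when that certificate is expired or otherwise untrusted.
function Get-PresentedCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept whatever is presented: the goal is inspection, not trust.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
            New-Object PSObject -Property @{
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                NotAfter   = $cert.NotAfter
                Thumbprint = $cert.Thumbprint
                Expired    = ($cert.NotAfter -lt (Get-Date))
            }
        } finally {
            $ssl.Dispose()
        }
    } finally {
        $client.Close()
    }
}

# Placeholder host name (assumption): use the external Outlook Anywhere name.
$externalName = 'mail.example.com'
$presented = Get-PresentedCertificate -HostName $externalName
$presented | Format-List Subject, Issuer, NotAfter, Expired, Thumbprint

# Compare with the certificates installed in this server's Personal store.
$match = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $presented.Thumbprint }

if ($match) {
    "Presented certificate is installed on this server: $($match.Subject)"
} else {
    "Presented certificate is NOT in this server's Personal store; check the firewall, reverse proxy or other server that answers for $externalName"
}
```

Run the fetch from a machine that resolves the name the way external clients do, and the store comparison on the CAS; the thumbprint can also be compared by eye against the Get-ExchangeCertificate output.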
Hi,
Please try to View Certificates with the MMC Snap-in from your CAS server and Domain Controller. You can refer to the steps in the article below:
How to: View Certificates with the MMC Snap-in
http://msdn.microsoft.com/en-us/library/ms788967.aspx
By the way, how many CAS servers are in the network? How did you publish Outlook Anywhere?
Xiu Zhang
TechNet Community Support
May 9th, 2012 10:16pm