Solution for anyone in the future that needs it. I resolved the issue by removing the self-signed back end certificate that exchange uses, and assigning the public cert to the default receive/send connectors in exchange.
Exchange:
IIS Manager:
- Select the server, then Server Certificates.
- Right-click the Exchange self-signed certificate and export it, just in case I need to restore it.
- After the export I removed the cert from the server.
- Expand Sites and select Exchange Back End.
- Under Actions, select Bindings. Edit the https port 444 binding and assign the public cert under "SSL certificate:".
Exchange Management Shell:
Some commands to gather information.
- Get-ExchangeCertificate
This lists the certificates installed on the server, copy the Thumbprint for your public cert
- Get-ReceiveConnector
This lists all the receive connectors for exchange. Copy all the identities for the ports that you need to re-assign the certificate for. i.e. 25, 465, 587
Some commands to create variables for assigning the cert.
- $cert = Get-ExchangeCertificate -Thumbprint %CertificateThumbprint you copied above%
- $tlscertificatename = "<I>$($cert.Issuer)<S>$($cert.Subject)"
- Set-ReceiveConnector "%ReceiveConnectorName%" -TlsCertificateName $tlscertificatename
Repeat step 3 for each receive connector you need to assign the cert.
You can check that the certificate was assigned to the receive connector with the command:
Get-ReceiveConnector | FL Identity,RemoteIPRanges,PermissionGroups,Auth*,TlsCertificateName
Finally, restart IIS with:
IISRESET /NoForce
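The Exchange Management Shell steps above, gathered into one script as an added example; these are not the poster's own commands. It assumes it runs in the Exchange Management Shell on the mailbox server, that the public certificate is already installed there, that you replace the placeholder thumbprint with the one from Get-ExchangeCertificate, and that the ports of interest are the ones named in the post (25, 465, 587). It checks the certificate is enabled for SMTP and not about to expire before touching any connector, builds the TlsCertificateName in the "<I>Issuer<S>Subject" form the parameter requires (the thumbprint alone is not accepted), and only reassigns connectors actually bound to those ports.

```powershell
# Added example, not the original poster's commands. Assumptions: Exchange Management
# Shell on the mailbox server; $Thumbprint is the public cert's thumbprint from
# Get-ExchangeCertificate; $Ports is the list of receive-connector ports to update.
$Thumbprint = 'REPLACE-WITH-PUBLIC-CERT-THUMBPRINT'   # placeholder, not a real value
$Ports      = 25, 465, 587
$Server     = $env:COMPUTERNAME

# Resolve the certificate first; -ErrorAction Stop makes a bad thumbprint abort here
# instead of producing an empty $cert and a garbage TlsCertificateName later.
$cert = Get-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint -ErrorAction Stop

# A connector will not present a cert that is not enabled for the SMTP service.
if ($cert.Services -notmatch 'SMTP') {
    Write-Host "Enabling SMTP on $($cert.Subject)"
    Enable-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint -Services SMTP -Force
}

# Warn early if the cert is close to expiry; binding an expiring cert just moves the outage.
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate $($cert.Subject) expires on $($cert.NotAfter)"
}

# TlsCertificateName must be the issuer and subject strings in this exact format.
$tlsCertificateName = "<I>$($cert.Issuer)<S>$($cert.Subject)"

# Select only the receive connectors that listen on one of the target ports.
$connectors = @(Get-ReceiveConnector -Server $Server | Where-Object {
    $ports = $_.Bindings | ForEach-Object { $_.Port }
    ($ports | Where-Object { $Ports -contains $_ }).Count -gt 0
})

if ($connectors.Count -eq 0) {
    throw "No receive connectors on $Server are bound to ports $($Ports -join ', ')"
}

foreach ($rc in $connectors) {
    Write-Host "Assigning $($cert.Subject) to $($rc.Identity)"
    Set-ReceiveConnector -Identity $rc.Identity -TlsCertificateName $tlsCertificateName
}

# Verify: every targeted connector should now report the same TlsCertificateName.
$targets = $connectors | ForEach-Object { $_.Identity.ToString() }
Get-ReceiveConnector -Server $Server |
    Where-Object { $targets -contains $_.Identity.ToString() } |
    Format-List Identity, Bindings, TlsCertificateName
```

Set-SendConnector takes the same -TlsCertificateName value if the send connectors also need the public certificate. Run this before the IISRESET in the post, and re-run the final Get-ReceiveConnector check afterwards to confirm nothing reverted.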