Exchange SSL certificates

I have replaced the DigiCert SSL certificate on each of our Exchange and CAS servers with a SHA2 certificate; however, OWA is still reporting that it uses a SHA1 certificate.

Looking in the ECP console under Servers > Certificates, I see each server has the DigiCert certificate plus 3 self-signed certs; all of the self-signed ones are SHA1 (see image).

How do I replace these with SHA2 and which of them is the one used by OWA?

June 29th, 2015 11:55am

Hello

Double-click on the cert, select IIS and whatever else you want, and do the same on each CAS server.

June 29th, 2015 12:40pm

Already done that, see below

but this is what OWA shows

We have disabled POP and IMAP, so these services are not selected.
June 29th, 2015 12:46pm

Hello

Check the IIS binding from IIS Manager and check from PowerShell:

On the CAS server: Get-ExchangeCertificate | fl
If you have a firewall with a publishing rule, check its cert,
because this thumbprint is seen from the public internet:

74 24 d7 08 c1 bc b3 e1 a0 a3 c8 4c 5a 92 37 b6 b5 5b c9 7a

June 29th, 2015 1:10pm

After you assigned the certs to the IIS service, did you perform an IISreset? If not, give that a shot.
June 29th, 2015 3:37pm

IIS bindings are set to the new certificate and it was reset.

Looks like our load balancer is actually presenting the thumbprint; it has a SHA1 cert with the serial number shown by OWA. Network guys need to update that.

Thanks for the replies

June 29th, 2015 3:49pm
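
The check that resolved this thread, as an added example that is not part of the original posts: read the certificate actually presented on the wire for the OWA name, then repeat the handshake directly against one CAS server and compare thumbprint, serial number and signature algorithm. The function names, `mail.example.com` and `cas01.example.local` are placeholders chosen for illustration.

```powershell
# Added example: returns the certificate a TLS endpoint presents, without trusting it.
function Get-PresentedCertificate {
    param(
        [Parameter(Mandatory=$true)] [string] $HostName,  # name sent in SNI (the OWA URL host)
        [string] $ConnectTo = $HostName,                  # machine actually dialled
        [int]    $Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($ConnectTo, $Port)
        # Accept any certificate: the goal is to inspect it, not to validate it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        try {
            $ssl.AuthenticateAsClient($HostName)
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        } finally { $ssl.Dispose() }
    } finally { $tcp.Close() }
}

# Summarises the presented certificate and whether it exists in this server's machine store.
function Test-PresentedCertificate {
    param(
        [Parameter(Mandatory=$true)] [string] $HostName,
        [string] $ConnectTo = $HostName
    )
    $wire  = Get-PresentedCertificate -HostName $HostName -ConnectTo $ConnectTo
    $local = Get-ChildItem Cert:\LocalMachine\My |
             Where-Object { $_.Thumbprint -eq $wire.Thumbprint }
    New-Object psobject -Property @{
        ConnectTo          = $ConnectTo
        Thumbprint         = $wire.Thumbprint
        SerialNumber       = $wire.SerialNumber
        SignatureAlgorithm = $wire.SignatureAlgorithm.FriendlyName
        NotAfter           = $wire.NotAfter
        InLocalStore       = [bool]$local
    }
}

# Placeholder names: run on a CAS server, once through the published name
# and once straight at the server itself.
$viaPublicName = Test-PresentedCertificate -HostName 'mail.example.com'
$viaCasDirect  = Test-PresentedCertificate -HostName 'mail.example.com' -ConnectTo 'cas01.example.local'
$viaPublicName, $viaCasDirect |
    Format-Table ConnectTo, SignatureAlgorithm, Thumbprint, SerialNumber, InLocalStore -AutoSize
```

If the direct connection shows the SHA2 certificate while the published name shows a different thumbprint with `InLocalStore` false, a device in front of Exchange (load balancer or firewall publishing rule) is terminating TLS with its own copy of the old certificate.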

This topic is archived. No further replies will be accepted.
