Need to modify current Exchange 2007 setup from using two SSL certs (one for Autodiscover), to one UCC cert.

Posted on 2008-11-06
Medium Priority
Last Modified: 2012-05-05
Our environment currently has two CAS servers (CAS1 and CAS2), and two mailbox servers (all using Server 2008).  The mailbox servers are clustered (CCR), and only one of the two CAS servers is being utilized right now, but they will soon be load-balanced (and will be called CAS).  On the current CAS server (CAS2), we have two virtual directories in IIS, one for Autodiscover, and one for OWA (the Default Website), with one SSL cert tied to each (autodiscover.domain.com, and mail.domain.com).  Everything works fine, but some people using laptops that are not on our domain and are offsite have difficulties.  I am about to purchase a UCC cert, and wish to combine both of the virtual directories, having just the one cert tied to it.

The UCC cert (common name:  mail.domain.com) will include the following SANs:  

We need the .net and .com, as some people in our company use both.  Anyways, what is the easiest way to change from one way of doing things to the other?  And what all has to be done?  Thanks for the help! :)
Question by: redmanjb

Expert Comment

ID: 22916867
Ok, first, make sure the whois e-mail info is correct for both domains.

Use this page to generate the request command:
paste the request into the Exchange Management Shell; use the resulting data to purchase the certificate.
Download the UCC cert

Run this from the Exchange shell to get the thumbprints of your old certs:
Get-ExchangeCertificate | FL *

Remove all the old certs:
Remove-ExchangeCertificate -Thumbprint xxxxxxxxxxxxxxxx

run MMC and use the Certificates snap-in to install the new certificate
Run this from the Exchange shell to get the thumbprint of your new cert:
Get-ExchangeCertificate | FL *

Run this shell command to set Exchange to use the new UCC certificate:
Enable-ExchangeCertificate -Services "IIS, IMAP, POP, SMTP"  -Thumbprint xxxxxxxxxxxxxxx
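The select/enable/remove steps above, written out as an added example for the Exchange Management Shell (this is not LaserSpot's code). It assumes the UCC cert is already imported into the local machine store; the thread's SAN list is missing, so the .net hostnames are an assumption. It picks the CA-issued cert that covers every required name, binds it, verifies the IIS binding, and only then retires the older certs that served the same names, leaving the Exchange self-signed cert alone.

```powershell
# Added example, not code from the thread. Run in the Exchange Management Shell on the CAS.
# Assumption: the UCC cert is already imported; the .net names are assumed (SAN list not in the thread).
$requiredNames = @('mail.domain.com', 'autodiscover.domain.com',
                   'mail.domain.net', 'autodiscover.domain.net')

# True only when every required name appears in the cert's SAN list (CertificateDomains).
function Test-CoversNames($cert, $names) {
    foreach ($n in $names) {
        if (-not ($cert.CertificateDomains -contains $n)) { return $false }
    }
    return $true
}

$certs = @(Get-ExchangeCertificate)

# Choose the CA-issued cert that covers all names. Never pick the Exchange self-signed cert:
# Hub/CAS transport still relies on it, so it stays untouched throughout.
$ucc = $certs | Where-Object { (-not $_.IsSelfSigned) -and (Test-CoversNames $_ $requiredNames) } |
       Sort-Object NotAfter -Descending | Select-Object -First 1
if ($ucc -eq $null) {
    throw ('No certificate covers all of: ' + [string]::Join(', ', $requiredNames))
}
Write-Host ('Using ' + $ucc.Thumbprint + ' valid until ' + $ucc.NotAfter)

# Bind the UCC cert to the web and mail services before removing anything.
Enable-ExchangeCertificate -Thumbprint $ucc.Thumbprint -Services 'IIS, IMAP, POP, SMTP'

# Confirm IIS now points at the new cert; if not, stop here with both old certs still in place.
$check = Get-ExchangeCertificate -Thumbprint $ucc.Thumbprint
if (-not ($check.Services.ToString() -match 'IIS')) { throw 'IIS was not bound to the new certificate' }

# Retire only the old CA-issued certs that served one of the required names (the two single-name certs).
foreach ($c in $certs) {
    if ($c.IsSelfSigned -or ($c.Thumbprint -eq $ucc.Thumbprint)) { continue }
    $overlap = @($c.CertificateDomains | Where-Object { $requiredNames -contains $_ })
    if ($overlap.Count -gt 0) {
        Write-Host ('Removing ' + $c.Thumbprint + ' (' + [string]::Join(', ', $overlap) + ')')
        Remove-ExchangeCertificate -Thumbprint $c.Thumbprint -Confirm:$false
    }
}
```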

Author Comment

ID: 22917667
Thank you for the reply.  I've already purchased and created the cert, but my question is about the virtual directories in IIS.  Right now there is one called Autodiscover and another called Default Website (for OWA)...

Expert Comment

ID: 22921190
Are users getting a certificate error? You should remove the old certificates to ensure they don't get the wrong one. What is your question about the virtual directories?

Author Comment

ID: 22925555
This question is only about the virtual directories.  Things are working ok now, but, the configuration needs to change from a 2 SSL Cert setup, to a one UCC SSL Cert setup.

Right now, in IIS on the Client Access Server, we have the following virtual directories:
Autodiscover (for autodiscover.domain.com)
Default Website (for smtp.domain.com)

There is one cert tied to each virtual directory.  And each virtual directory has an IP address bound to it.

The problem with our current setup is that we are forced to use two different IP addresses for IIS, one for each virtual directory.  This is preventing us from setting up load-balancing for the Client Access Server, as we'd only be able to load-balance one of the IP addresses (the one for OWA, and not autodiscover).  Therefore, we need to set up Exchange and IIS to use one virtual directory which is protected by a UCC cert.  This is the ideal way to set up Exchange 2007, and is the ideal way for us because we'd be able to load balance both OWA and Autodiscover.

Expert Comment

ID: 22926805
Ok, I'm still not clear on where you're stuck. Have you tried to remove the old certificates and use the new one? The ip is bound to the website, not the virtual directory. Do you have one of the virtual directories in a different website? Why are you forced to use two ip addresses?

You should be able to use the same certificate for both virtual directories. The ip address isn't in your UCC certificate, so it shouldn't matter what ip you use. As long as DNS resolves correctly and the URL matches your cert, it should work.

Author Comment

ID: 23267039
I had stepped away from this issue for quite awhile, but ended up resolving it.  I had to delete the virtual directories in IIS, and run a command in EMS to basically uninstall autodiscover and reinstall it, which put the virtual directory in the correct place and configured everything...which is what I was trying to get assistance with, stating again and again that the question was about the virtual directories, not IP addresses or certs.  The cert had already been created with the appropriate SANs, and IP addressing wasn't an issue at all.

I do appreciate your input though LaserSpot...thank you.
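The "uninstall and reinstall Autodiscover" step the author describes, written out as an added example for the Exchange 2007 SP1 Management Shell (the post does not give the actual commands, so this is not the author's code): it recreates the Autodiscover virtual directory under the same web site that hosts OWA, so one site, one IP and one UCC cert serve both and the site can be load-balanced, then checks each published hostname against the SAN list of the cert bound to IIS. The server name CAS2, the site name and the Autodiscover URL are assumptions.

```powershell
# Added example, not the author's commands. Exchange 2007 SP1 Management Shell; CAS2 and URLs are assumed.
$server = 'CAS2'
$autodiscoverUrl = 'https://autodiscover.domain.com/Autodiscover/Autodiscover.xml'

# The site name is the part in parentheses of a vdir Identity, e.g. "CAS2\owa (Default Web Site)".
function Get-SiteName($vdir) {
    if ($vdir.Identity.ToString() -match '\((.+)\)$') { return $matches[1] }
    return $null
}

$owa = Get-OwaVirtualDirectory -Server $server | Where-Object { $_.Name -eq 'owa' } | Select-Object -First 1
$owaSite = Get-SiteName $owa
$ad = Get-AutodiscoverVirtualDirectory -Server $server | Select-Object -First 1

# Autodiscover in its own site means its own IP/cert binding; move it under the OWA site instead.
if ((Get-SiteName $ad) -ne $owaSite) {
    Remove-AutodiscoverVirtualDirectory -Identity $ad.Identity -Confirm:$false
    New-AutodiscoverVirtualDirectory -WebSiteName $owaSite -Server $server
}
# Domain-joined Outlook clients find Autodiscover through the SCP, which this setting publishes.
Set-ClientAccessServer -Identity $server -AutoDiscoverServiceInternalUri $autodiscoverUrl

# Every hostname Exchange publishes must appear in the SAN list of the cert bound to IIS,
# otherwise off-domain laptops get a name-mismatch warning even though the cert is valid.
$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services.ToString() -match 'IIS' } | Select-Object -First 1
if ($iisCert -eq $null) { throw 'No certificate is enabled for IIS' }
$urls = @($owa.ExternalUrl, $owa.InternalUrl,
          (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri)
foreach ($u in $urls) {
    if ($u -eq $null) { continue }
    $hostName = ([Uri]($u.ToString())).Host
    if (-not ($iisCert.CertificateDomains -contains $hostName)) {
        Write-Warning ($hostName + ' is not covered by the IIS certificate ' + $iisCert.Thumbprint)
    }
}
```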

Accepted Solution

redmanjb earned 0 total points
ID: 23269536
Moderators, please close this question, as it has been resolved.
