Need to modify current Exchange 2007 setup from using two SSL certs (one for Autodiscover), to one UCC cert.

Our environment currently has two CAS servers (CAS1 and CAS2), and two mailbox servers (all using Server 2008).  The mailbox servers are clustered (CCR), and only one of the two CAS servers is being utilized right now, but will soon be load-balanced (and will be called CAS).  On the current CAS server (CAS2), we have two virtual directories in IIS, one for Autodiscover, and one for OWA (the Default Website), with one SSL cert tied to each (, and  Everything works fine, but some people using laptops that are not on our domain and are offsite, have difficulties.  I am about to purchase a UCC cert, and wish to combine both of the virtual directories, having just the one cert tied to it.

The UCC cert (common name: will include the following SANs:

We need the .net and .com, as some people in our company use both.  Anyways, what is the easiest way to change from one way of doing things to the other?  And what all has to be done?  Thanks for the help! :)

Ok, first, make sure the whois e-mail info is correct for both domains.

Use this page to generate the request command:
Paste the request into the Exchange Management Shell; use the resulting data to purchase the certificate.
Download the UCC cert

Run this from the Exchange shell to get the thumbprints of your old certs:
Get-ExchangeCertificate | FL *

Remove all the old certs:
Remove-ExchangeCertificate -Thumbprint xxxxxxxxxxxxxxxx

Run MMC and use the Certificates snap-in to install the new certificate.
Run this from the Exchange shell to get the thumbprint of your new cert:
Get-ExchangeCertificate | FL *

Run this shell command to set Exchange to use the new UCC certificate:
Enable-ExchangeCertificate -Services "IIS, IMAP, POP, SMTP"  -Thumbprint xxxxxxxxxxxxxxx
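
A pre-flight check that can be run in the Exchange Management Shell once the new certificate is installed and before any old certificate is removed, as an added example that is not part of the original answer: it confirms that the UCC certificate carries every name clients connect to, has its private key, and is inside its validity period, and only then enables it. The host names and the thumbprint value are constructed placeholders, since the page does not give the real ones.

```powershell
# Added example: pre-flight check for the new UCC certificate.
# Host names and thumbprint are constructed placeholders; replace them.
$requiredNames = @(
    'mail.example.com',
    'autodiscover.example.com',
    'autodiscover.example.net'
)
$newThumbprint = 'REPLACE_WITH_NEW_UCC_THUMBPRINT'

# Find the new certificate among those Exchange can see on this server.
$cert = Get-ExchangeCertificate | Where-Object { $_.Thumbprint -eq $newThumbprint }
if (-not $cert) { throw "No certificate with thumbprint $newThumbprint is installed." }

# Names on the certificate, converted to plain strings for comparison.
# Exact matches only: a UCC certificate lists each name explicitly.
$certNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })

$problems = @()
foreach ($name in $requiredNames) {
    if ($certNames -notcontains $name) { $problems += "missing name: $name" }
}
if (-not $cert.HasPrivateKey) { $problems += 'no private key on this server' }
$now = Get-Date
if ($now -lt $cert.NotBefore) { $problems += "not valid until $($cert.NotBefore)" }
if ($now -gt $cert.NotAfter)  { $problems += "expired on $($cert.NotAfter)" }

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'UCC certificate failed the pre-flight check; old certificates left in place.'
}

# Checks passed: bind the services (same service list as in the answer above).
Enable-ExchangeCertificate -Services "IIS, IMAP, POP, SMTP" -Thumbprint $newThumbprint

# List the remaining certificates so the old ones can be removed one by one.
Get-ExchangeCertificate |
    Where-Object { $_.Thumbprint -ne $newThumbprint } |
    Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter
```

With two CAS servers, the same check has to pass on each server, because the certificate and its private key must be present on both.
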
redmanjb (Author) Commented:
Thank you for the reply.  I've already purchased and created the cert, but my question is about the virtual directories in IIS.  Right now there is one called Autodiscover and another called Default Website (for OWA)...
Are users getting a certificate error? You should remove the old certificates to ensure they don't get the wrong one. What is your question about the virtual directories?

redmanjb (Author) Commented:
This question is only about the virtual directories.  Things are working ok now, but, the configuration needs to change from a 2 SSL Cert setup, to a one UCC SSL Cert setup.

Right now, in IIS on the Client Access Server, we have the following virtual directories:
Autodiscover (for
Default Website (for

There is one cert tied to each virtual directory.  And each virtual directory has an IP address bound to it.

The problem with our current setup is that we are forced to use two different IP addresses for IIS, one for each virtual directory.  This is preventing us from setting up load-balancing for the Client Access Server, as we'd only be able to load-balance one of the IP addresses (the one for OWA, and not autodiscover).  Therefore, we need to set up Exchange and IIS to use one virtual directory which is protected by a UCC cert.  This is the ideal way to set up Exchange 2007, and is the ideal way for us because we'd be able to load balance both OWA and Autodiscover.
Ok, I'm still not clear on where you're stuck. Have you tried to remove the old certificates and use the new one? The IP is bound to the website, not the virtual directory. Do you have one of the virtual directories in a different website? Why are you forced to use two IP addresses?

You should be able to use the same certificate for both virtual directories. The IP address isn't in your UCC certificate, so it shouldn't matter what IP you use. As long as DNS resolves correctly and the URL matches your cert, it should work.
redmanjb (Author) Commented:
I had stepped away from this issue for quite a while, but ended up resolving it.  I had to delete the virtual directories in IIS, and run a command in EMS to basically uninstall autodiscover and reinstall it, which put the virtual directory in the correct place and configured everything...which is what I was trying to get assistance with, stating again and again that the question was about the virtual directories, not IP addresses or certs.  The cert had already been created with the appropriate SANs, and IP addressing wasn't an issue at all.

I do appreciate your input though LaserSpot...thank you.
redmanjb (Author) Commented:
Moderators, please close this question, as it has been resolved.
