SBS 2008 Exchange 2007 SSL Self-Signed Certificate Renewal

rcblevins used Ask the Experts™
Our self signed ssl certificate that Exchange 2007 is using is going to run out in a few days.  We are using sbs 2008 behind an ISA 2006 server and everyting is working fine.  I had read that I just need to run the Set Up Your Internet Address in the SBS console and that would renew the certificate.  Anyway everytime I run the wizard it ends saying that the wizard cannot configure Exchange e-mail for my domain, although email is working fine at the moment.  Does anyone have any ideas as to what the problem may be?  Thanks for any help.
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Rick SchererSystems Engineer / Manager

Does your external domain name match your internal one?  Are you to the world while your domain name is yourcompany    You may need a certificate listing multiple names.


Yes, both are the same.  Thanks.
i would advice creating a new one

here's the command to create a new certificate

Open ur exchange management Shell and type the below command to renerate a self signed certificate

New-ExchangeCertificate -SubjectName "c=ES, o=ur company de Bicicleta, cn=mail." -DomainName, mail.,, -PrivateKeyExportable $true
[Note: Please change the above url to the urls used by ur users before running]

if ur not sure give me the urls i will give u the commad to get the certificate

once you create the certificate you can enable the certificate for IIS
Success in ‘20 With a Profitable Pricing Strategy

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!


Thanks.  Sorry I am just now responding.  After getting back into the certificate list, it appears that the setup insternet address had renewed the certificates in exchange, but there are 2 certificates that are enabled for IIS (one expires 5/13/13 and the other 5/16/13).  Things seem to be working fine, but will this cause an issue?  Also, do I need to take the old certificates out?  Thanks for your help.
only one certificate at a time can be enabled for IIS , we cant have 2

run get-exchangecertificate in the shell

in the output the certificate that has "W" service enabled for it is the one enabled for IIS

the "I" underservices indicate IMAP not IIS
you wont have any issue with the old certificate, you can remove it if u want


Thanks.  When I ran the command get-exchangecertificate, 2 certificates have IP.WS under services....  What do I need to do to disable one?
if ur sure that 2 certificates has IP.WS

then go ahead and delete the certificate that has expired.

if both are not expired delete the one that is self -signed and keep the one that is third party

if both are third party or self signed , delete  the one that is going to expire first

use my blog entry below to go to mmc and delete it from there

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial