Problem with new SSL certificate

I have a small SBS2008 network of 10 users and I use a standard single Godaddy SSL certificate for OWA etc.

Rather than renew the SSL for five years at £200 a pop, I opted for a new 5 year option at £20 and, because of the time delay in verifying the certificate, I started the CSR request before the old one expired.

This meant renaming the common name from to I installed it yesterday in IIS7 and OWA is working fine with the new name.

I thought everyone would need to change the mail server on their Blackberries and iPhones but (up to now) they are working fine with the old one. However, today the workstations are getting the Outlook 2007 security alert which says the name on the certificate is wrong or invalid. You can view the certificate (the new one), but it's looking for the old one.

I saw something online about adding my IP address and cert name to Hosts, but this didn't work.

Thanks for any ideas.


Simon Butler (Sembee) Consultant Commented:
The error you have posted will be corrected by the wizard once it completes successfully, as the wizards will generate a new self signed certificate for you. Then you can replace it with your trusted SSL certificate. You can have multiple MX records pointing at the same IP address if you like.

The wizard generates a log file - this is a list of where they are:

It should give you an indication of where it is failing. Usually it is a sign that something was configured outside of SBS and it needs to be put back to what SBS is expecting for the wizard to complete.


Follow the below article and change the Exchange URLs with FQDN which is specified on new certificate. Wait for some time to replicate the changes.

carolinems Author Commented:
Thanks Morasiva.

I assume Pete means go to the Shell not the Console.

The Exchange-Mail in red that needs to be changed for my text - is that the exchange server name (local name as he says)?
carolinems Author Commented:
I edited and pasted the following into the Exchange Shell on my SBS2008 server:

Set-ClientAccessServer -Identity MYSERVER - AutodiscoverServiceInternalUrl 

Set-WebServicesVirtualDirectory -Identity "MYSERVER\EWS (SBS Web  Applications)" -InternalUrl

Set-OABVirtualDirectory -Identity "MYSERVER\oab (SBS Web  Applications)" -InternalUrl

Set-UMVirtualDirectory -Identity "MYSERVER\unifiedmessaging (SBS  Web Applications)" -InternalUrl

It threw back the following errors:

[PS] C:\Windows\System32>Set-ClientAccessServer -Identity  MYSERVER -
Set-ClientAccessServer : A parameter cannot be found that matches  parameter nam
e '-'.
At line:1 char:23
+ Set-ClientAccessServer  <<<< -Identity MYSERVER -
[PS] C:\Windows\System32>
[PS] C:\Windows\System32>AutodiscoverServiceInternalUri
The term 'AutodiscoverServiceInternalUri' is not recognized as a  cmdlet, functi
on, operable program, or script file. Verify the term and try again.
At line:1 char:31
+ AutodiscoverServiceInternalUri  <<<<
[PS] C:\Windows\System32>
[PS]  C:\Windows\System32> iscove
The term  '' is not
recognized as a cmdlet, function, operable program, or script file.  Verify the
term and try again.
At line:1 char:60
+ <<<<
[PS] C:\Windows\System32>
[PS] C:\Windows\System32>Set-WebServicesVirtualDirectory -Identity  "MYSERVER
>> Applications)" -InternalUrl
Set-WebServicesVirtualDirectory : Missing an argument for parameter  'InternalUr
l'. Specify a parameter of type 'System.Uri' and try again.
At line:2 char:28
+ Applications)" -InternalUrl  <<<<
[PS]  C:\Windows\System32>
The term '' is not  recognized a
s a cmdlet, function, operable program, or script file. Verify the  term and try
At line:1 char:48
+ <<<<
[PS] C:\Windows\System32>
[PS] C:\Windows\System32>Set-OABVirtualDirectory -Identity  "MYSERVER\oab (SB
S Web
>> Applications)" -InternalUrl
Set-OabVirtualDirectory : The operation could not be performed  because object '
Applications)' could not be found on domain controller  'MYSERVER.mydomain.local'.
At line:1 char:24
+ Set-OABVirtualDirectory  <<<< -Identity "MYSERVER\oab (SBS Web
[PS] C:\Windows\System32>Set-UMVirtualDirectory -Identity  "MYSERVER\unifiedm
essaging (SBS
>> Web Applications)" -InternalUrl
Set-UMVirtualDirectory : Missing an argument for parameter  'InternalUrl'. Speci
fy a parameter of type 'System.Uri' and try again.
At line:2 char:32
+ Web Applications)" -InternalUrl  <<<<
[PS]  C:\Windows\System32> ervice
Simon Butler (Sembee) Consultant Commented:
This is SBS - so you shouldn't be changing things in Exchange directly.

Run the Internet Name wizard in SBS again, do a custom name. You can then change it from to Once the wizard has completed, run the SSL wizard, choosing an existing certificate. That will correct everything for you.

Although personally if you were switching to a single name certificate I would have stayed with and changed all the DNS to match.
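
A read-only way to see which host names Exchange is handing to Outlook and whether a current certificate covers them, given as an added example that is not part of the original thread. It uses the `Get-` counterparts of the `Set-` cmdlets quoted above, changes nothing on the server, and is meant for the Exchange Management Shell.

```powershell
# Added example (not from the thread). Read-only: no Set- cmdlets are used.
# Run in the Exchange Management Shell on the Exchange 2007 / SBS 2008 server.

# 1. Collect the URLs that Exchange publishes to Outlook 2007 clients.
$urls = @()
$urls += Get-ClientAccessServer | ForEach-Object { $_.AutodiscoverServiceInternalUri }
$urls += Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-OabVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-UMVirtualDirectory | ForEach-Object { $_.InternalUrl }

# Reduce the URLs to the distinct host names a client will connect to.
$hosts = $urls | Where-Object { $_ } |
    ForEach-Object { ([System.Uri]"$_").Host.ToLower() } |
    Sort-Object -Unique

# 2. Show every certificate Exchange knows about, including expired ones
#    and the one used for SMTP TLS (the subject of event 12016).
Get-ExchangeCertificate |
    Format-List Thumbprint, Services, NotAfter, CertificateDomains

# 3. For each published host name, look for an unexpired certificate enabled
#    for IIS whose domain list contains that name.
$now = Get-Date
$iisCerts = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' }

foreach ($h in $hosts) {
    $covering = $iisCerts | Where-Object {
        $_.NotAfter -gt $now -and
        # -like also handles wildcard entries such as *.example.com; it is
        # slightly looser than TLS matching, which allows one label only.
        ($_.CertificateDomains | Where-Object { $h -like "$_" })
    }
    if ($covering) { $status = 'covered' } else { $status = 'NAME MISMATCH' }
    "{0,-45} {1}" -f $h, $status
}
```

Any host reported as `NAME MISMATCH` is one that Outlook will raise the security alert for until either the published URL or the certificate is changed to match.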

carolinems Author Commented:
Simon, I tried that for ages yesterday before submitting the post.

Please let me know if I am doing this incorrectly, but if I go into SBS Console > Connectivity> Set up an Internet Address, it tells me to run the Internet Connection Wizard first.

When I run this and enter the IPs for the Router and Server, it tells me Windows SBS has encountered an unknown error. This stops the DHCP server service. I have checked to ensure IP v6 is enabled on the NIC. I have also disabled Hamachi and Symantec on the server.


Simon Butler (Sembee) Consultant Commented:
You have other problems with the server then.
I would remove the Hamachi service and reboot.
Symantec AV brings me loads of business because of the problems it causes, so I would remove that as well (I wouldn't put it back either, but that is just me).
You must reboot before trying again.

carolinems Author Commented:
Thanks, I'll have to wait until everyone's finished before I can reboot the server. My gut feeling is this will not resolve the wizard problem, but would be delighted to be proved wrong.

One other point I should mention.

The certificate is bound to the SBS Web Application sites in IIS on port 443. I've checked the certificates list and there are about 12 expired, 2 Godaddy and 12 server generated ones. There are 4 current ones, the current Godaddy and 3 server ones.

However, my mxrecord is linked to myExternalIP.

Besides the annoying pop the exchange, mail in and out is working fine on the PCs and mobile phones. I guess then once I have successfully changed the certificate name in Exchange, I should request the MXRecord be changed to Or would it be better to add it as a second record - can 2 MXrecord have the same IP?

At first, I looked at the certificate as a way to connect to the website (OWA), but with the changes to exchange I am looking at having to do, exchange will now be looking for an MXRecord ( that doesn't currently exist.

carolinems Author Commented:
I just tried running the connect to internet wizard twice, once after removing Hamachi and then rebooting and repeated after taking off Symantec. Unfortunately it's still coming up with the same error.

The following event error appeared after the last failure:

Log Name:      Application
Source:        MSExchangeTransport
Date:          17/05/2013 18:27:00
Event ID:      12016
Task Category: TransportService
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      myserver.mydomain.local
There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of The existing certificate for that FQDN has expired. The continued use of that FQDN will cause mail flow problems. A new certificate that contains the FQDN of should be installed on this server as soon as possible. You can create a new certificate by using the New-ExchangeCertificate task.
Event Xml:
<Event xmlns="">
    <Provider Name="MSExchangeTransport" />
    <EventID Qualifiers="49156">12016</EventID>
    <TimeCreated SystemTime="2013-05-17T17:27:00.000Z" />
    <Security />
carolinems Author Commented:
Thanks Simon, nearly sorted.

I failed to notice Hamachi running in the background, and stopping me and the server from disabling/removing it and causing the wizard to stop.

Error messages have gone but I have not yet added the "mail" mxrecord, but the mail seems unaffected, do mailservers only look for the IP?
Simon Butler (Sembee) Consultant Commented:
Do you have an MX record in place at all?
If the MX record host name resolves, then mail will continue to work correctly. However if you make the host name on the SSL certificate match your MX record host name then Exchange will do opportunist TLS (SMTP over SSL) if the other side supports it.

carolinems Author Commented:
If I do an mxtoolbox lookup it reports as the mxrecord. This was changed from a BT address when we were using an sbs pop connect to our own smtp.

Should I add the new "mail" record or leave it as it is?


Simon Butler (Sembee) Consultant Commented:
That is up to you.
If you have users still using then you might want to change it and then drop the A record completely, so that the host name doesn't work any longer. As I wrote above I would have stayed with remote as the host name rather than changing to mail.

From a technical point of view there is nothing to be gained or lost from adding the additional host name to the MX record, other than making things "clean".

carolinems Author Commented:
Thanks Simon.

I'm going to add the record.

Yesterday, the mobiles began to lose the connection and I've told everyone to change their settings to "mail".

I've one more email problem but I am starting a new thread for that as you have more than adequately answered my question.

carolinems Author Commented:
This was the key to resolving the problem
Question has a verified solution.
