Exchange 2010 / SBS2011 Certificate

Hello,

I recently renewed the SBS2011 self-signed certificate with the SBS console "Fix my network". Everything was OK until I replaced the certificate with a trusted (Entrust) certificate. I made the CSR for Entrust from IIS and then imported it to Exchange and assigned all services to it.

Outside the LAN I can connect to IIS at remote.contoso.com and the trusted certificate is there. Inside the LAN, Outlook cannot connect, because it finds only the old self-signed certificate that was used before I renewed it. The same thing happens when I connect from the LAN to remote.contoso.com/owa: the old certificate is there too.

I have tried to change the certificate with the SBS console, but it always changes it for the WAN side of IIS. From the Exchange 2010 console I have removed this old certificate, and webmail and Outlook from the LAN still find the old certificate. Autodiscover has an SRV record pointing to remote.contoso.com.

Any good ideas?
TomiPL Asked:

wshty Commented:
Open MMC on Exchange, add the certificate snap-in for the local PC, search for the old/obsolete certificate, and delete it.
0
TomiPL (Author) Commented:
I deleted the old certificate in the Exchange console. I can't find it in the certificate snap-in either.

But inside the LAN, Outlook and https://remote.contoso.com/owa still find the old certificate.

With the LAN IP address, https://192.168.10.10/owa, IE finds the right certificate. Could this be DNS related?
0
Simon Butler (Sembee), Consultant, Commented:
Your mistake was to enable the certificate through Exchange.
As this is SBS, you should have enabled the certificate through the SBS management console.

You also shouldn't have done the request through IIS, instead use Exchange Management Console.

So the complete process is:
New certificate request in EMC.
Complete certificate request in EMC.
Run the add a trusted certificate wizard and choose the trusted certificate.

There is no WAN/LAN side in IIS. It is all the same thing. Internally SBS will want to use remote.example.com if you have set up the server correctly.

If the trusted certificate is still listed, then complete the wizard as outlined.

Simon.
0
TomiPL (Author) Commented:
Hello

The problem was with DNS/IPv6, which is (still is, but disabled) misconfigured. Clients were trying to connect to the server with IPv6 name resolution, but the IPv6 address didn't have any record on the server's DNS name. I'm not familiar with DNS or IPv6, so I still don't have any idea how clients connected to the server's IIS and found the deleted certificate.

//tomi
0
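The symptoms in this thread (the host name showing the old certificate, the LAN IP showing the new one, and the DNS/IPv6 finding) can be checked by comparing the certificate served at every address the name resolves to. The script below is an added example, not code from any participant; the function names, the sample thumbprints and the `fd00::10` address are constructed for illustration.

```python
import hashlib
import socket
import ssl

def resolve_all(host, port=443):
    """Every (family, sockaddr) the local resolver returns for host (A and AAAA)."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({(fam, sa) for fam, _, _, _, sa in infos})

def fetch_thumbprint(family, sockaddr, host, timeout=5):
    """Connect to one address with host as SNI; return SHA-1 of the DER cert."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # inspection only: the cert is compared, not trusted
    with socket.socket(family, socket.SOCK_STREAM) as raw:
        raw.settimeout(timeout)
        raw.connect(sockaddr)
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha1(der).hexdigest().upper()

def compare(host, expected, port=443, resolve=resolve_all, fetch=fetch_thumbprint):
    """One row per resolved address: (address, family, thumbprint, status)."""
    want = expected.replace(" ", "").upper()
    rows = []
    for family, sockaddr in resolve(host, port):
        label = "IPv6" if family == socket.AF_INET6 else "IPv4"
        try:
            got = fetch(family, sockaddr, host)
            status = "match" if got == want else "MISMATCH"
        except OSError as exc:  # covers timeouts, refusals and ssl.SSLError
            got, status = None, "error: %s" % exc
        rows.append((sockaddr[0], label, got, status))
    return rows

# Constructed sample data (not from the thread): stand-ins for DNS and TLS so
# the comparison can be exercised offline.
NEW, OLD = "AA" * 20, "BB" * 20
def sample_resolve(host, port):
    return [(socket.AF_INET, ("192.168.10.10", port)),
            (socket.AF_INET6, ("fd00::10", port, 0, 0))]
def sample_fetch(family, sockaddr, host):
    return OLD if family == socket.AF_INET6 else NEW

if __name__ == "__main__":
    for row in compare("remote.contoso.com", NEW, resolve=sample_resolve, fetch=sample_fetch):
        print(row)
    # Live use: compare("remote.contoso.com", "<thumbprint of the new certificate>")
```

The thumbprint to pass in is the value shown in the certificate's Thumbprint field on Windows, which is the SHA-1 hash of the DER-encoded certificate.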

TomiPL (Author) Commented:
I found the solution to the problem myself.
0