Exchange 2010 / SBS2011 Certificate


I recently renewed the SBS2011 self-signed certificate with the SBS console "Fix my network". Everything was OK until I replaced the certificate with a trusted (Entrust) certificate. I made the CSR for Entrust from IIS and then imported it to Exchange and assigned all services to it.

Outside the LAN I can connect to IIS and there is the trusted certificate. Inside the LAN Outlook cannot connect, because it finds only the old self-signed certificate that was used before I renewed it. Same thing when from the LAN I connect to there is also the old certificate.

I have tried with the SBS console to change the certificate, but it always changes it for the WAN side of IIS. From the Exchange 2010 console I have taken away this old certificate and still webmail and Outlook from the LAN find the old certificate. Autodiscover has an SRV record and pointing to

Any good ideas?

Open MMC on Exchange - add the certificate snap-in for the local PC; search for the old/obsolete certificate -> delete it

TomiPL (Author) Commented:
I deleted the old certificate in the Exchange console. Can't find it in the certificate snap-in either.

But still inside the LAN Outlook and finds old certificate.

With the LAN IP address IE finds the right certificate. Could this be DNS related?

Simon Butler (Sembee), Consultant, Commented:
Your mistake was to enable the certificate through Exchange.
As this is SBS, you should have enabled the certificate through the SBS management console.

You also shouldn't have done the request through IIS, instead use Exchange Management Console.

So the complete process is
New certificate request in EMC.
Complete certificate request in EMC.
Run the add a trusted certificate wizard and choose the trusted certificate.

There is no WAN/LAN side in IIS. It is all the same thing. Internally SBS will want to use if you have set up the server correctly.

If the trusted certificate is still listed, then complete the wizard as outlined.

TomiPL (Author) Commented:

The problem was with DNS/IPv6, which is (still is, but disabled) misconfigured. Clients were trying to connect to the server with IPv6 name resolution, but the IPv6 address didn't have any record on the server's DNS name. I'm not familiar with DNS or IPv6, so I still don't have an idea how clients connected to the server's IIS and found the deleted certificate.


TomiPL (Author) Commented:
I found the solution to the problem myself
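
The situation described in the thread, one host name showing a different certificate depending on the address a client reaches it on, can be checked from a LAN client by testing every address the name resolves to. This is an added example, not part of the thread: `mail.example.com` is a placeholder host name and `Get-ServedCertificate` is a hypothetical helper.

```powershell
# Added diagnostic example. 'mail.example.com' is a placeholder, not a name from the thread.
param(
    [string]$HostName = 'mail.example.com',  # the name Outlook / webmail connects to
    [int]$Port = 443
)

# Hypothetical helper: connect to one specific address and report the certificate served there.
function Get-ServedCertificate {
    param([System.Net.IPAddress]$Address, [string]$HostName, [int]$Port)
    $row = @{ Address = $Address.ToString(); Family = $Address.AddressFamily
              Thumbprint = $null; NotAfter = $null; Subject = $null; Error = $null }
    $client = New-Object System.Net.Sockets.TcpClient($Address.AddressFamily)
    try {
        $client.Connect($Address, $Port)
        # Accept whatever is presented: the goal is to inspect the certificate, not to trust it.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $row.Thumbprint = $cert.Thumbprint
        $row.NotAfter   = $cert.NotAfter
        $row.Subject    = $cert.Subject
    } catch {
        $row.Error = $_.Exception.Message
    } finally {
        $client.Close()   # also closes the network stream under the SslStream
    }
    New-Object PSObject -Property $row
}

# Resolve the name through the system resolver, then test every address returned (IPv4 and IPv6).
$results = @([System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object {
    Get-ServedCertificate -Address $_ -HostName $HostName -Port $Port
})
$results | Select-Object Address, Family, Thumbprint, NotAfter, Subject, Error | Format-List

# More than one distinct thumbprint means clients see different certificates per address.
$thumbprints = @($results | Where-Object { $_.Thumbprint } |
    Select-Object -ExpandProperty Thumbprint -Unique)
if ($thumbprints.Count -gt 1) {
    Write-Warning "$HostName is served with $($thumbprints.Count) different certificates depending on the address."
}
```

An address that returns an error or an unexpected thumbprint points at the name resolution record to fix, rather than at the certificate binding itself.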