• Status: Solved

Exchange 2010 /SBS2011 Certificate

I recently renewed the SBS2011 self-signed certificate with the SBS console "Fix my network". Everything was OK until I replaced the certificate with a trusted (Entrust) certificate. I made the CSR for Entrust from IIS and then imported it to Exchange and assigned all services to it.

Outside the LAN I can connect to IIS at remote.contoso.com and there is the trusted certificate. Inside the LAN Outlook cannot connect, because it finds only the old self-signed certificate that was used before I renewed it. Same thing when from the LAN I connect to remote.contoso.com/owa: there is also the old certificate.

I have tried with the SBS console to change the certificate, but it always changes it for the WAN side of IIS. From the Exchange 2010 console I have taken away this old certificate and still webmail and Outlook from the LAN find the old certificate. Autodiscover has an SRV record pointing to remote.contoso.com.

Any good ideas?
1 Solution
Open MMC on the Exchange server, add the Certificates snap-in for the local computer, search for the old/obsolete certificate and delete it.
TomiPL (Author) commented:
I deleted the old certificate in the Exchange console. Can't find it in the Certificates snap-in either.

But still inside the LAN Outlook and https://remote.contoso.com/owa find the old certificate.

With the LAN IP address IE finds the right certificate. Could this be DNS related?
Simon Butler (Sembee), Consultant, commented:
Your mistake was to enable the certificate through Exchange.
As this is SBS, you should have enabled the certificate through the SBS management console.

You also shouldn't have done the request through IIS, instead use Exchange Management Console.

So the complete process is:
1. New certificate request in EMC.
2. Complete certificate request in EMC.
3. Run the "Add a trusted certificate" wizard and choose the trusted certificate.

There is no WAN/LAN side in IIS. It is all the same thing. Internally SBS will want to use remote.example.com if you have setup the server correctly.

If the trusted certificate is still listed, then complete the wizard as outlined.

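The three EMC steps above, as an added example in Exchange Management Shell (this is not code from the thread or from Microsoft; the names remote.contoso.com and autodiscover.contoso.com, the organisation fields and the file paths under C:\certs are placeholders). The final check lists which certificate actually carries the IIS service, which is what Outlook and OWA clients see.

```powershell
# Added example: EMS equivalent of the EMC steps in the answer above.
# Placeholders: remote.contoso.com, autodiscover.contoso.com, C:\certs\*.

# Step 1: new certificate request (EMC "New Exchange Certificate").
$req = New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true `
    -FriendlyName "remote.contoso.com (Entrust)" `
    -SubjectName "CN=remote.contoso.com,O=Contoso,C=US" `
    -DomainName remote.contoso.com,autodiscover.contoso.com
Set-Content -Path C:\certs\remote.contoso.com.req -Value $req

# Step 2: complete the request with the certificate the CA returned
# (EMC "Complete Pending Request").
$cert = Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path C:\certs\remote.contoso.com.cer -Encoding Byte -ReadCount 0))

# Step 3: on SBS, run the SBS console "Add a trusted certificate" wizard here,
# as the answer says. Enable-ExchangeCertificate, shown for a plain Exchange
# 2010 server, assigns the certificate to the Exchange services only.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP,POP,IMAP

# Check: exactly one certificate should carry the IIS service, it should not be
# self-signed, and CertificateDomains must include the name clients connect to.
Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } |
    Format-List Thumbprint,Subject,CertificateDomains,Services,NotAfter,IsSelfSigned
```

If the check lists a self-signed certificate on IIS, or a thumbprint other than the one just imported, the assignment did not take and the wizard should be re-run before looking elsewhere.
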
TomiPL (Author) commented:

The problem was with DNS/IPv6 that was (still is, but disabled) misconfigured. Clients were trying to connect to the server with IPv6 name resolution, but the IPv6 address didn't have any record on the server's DNS name. I'm not familiar with DNS or IPv6, so I still don't have an idea how clients connected to the server IIS and found the deleted certificate.

TomiPL (Author) commented:
I found the solution to the problem myself.
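The author's final diagnosis was that clients resolved the server name to an IPv6 address and got a different certificate on that path than on IPv4. As an added example (not from the thread), this script resolves the name the way a client does, both A and AAAA, then opens a TLS connection to every address and reports the thumbprint of the certificate each endpoint presents, so a mismatch between the IPv4 and IPv6 paths is visible without touching Exchange. remote.contoso.com and port 443 are placeholders; the validation callback returns $true only so the certificate can be inspected, it is not a trust decision.

```powershell
# Added example: show which certificate each resolved address of a host
# presents on its HTTPS port. Runs on Windows PowerShell 2.0 / .NET 3.5
# (SBS 2011), so it avoids cmdlets introduced later such as Resolve-DnsName.
param(
    [string]$HostName = "remote.contoso.com",   # placeholder
    [int]$Port = 443
)

function Get-PresentedCertificate {
    param([System.Net.IPAddress]$Address, [string]$TargetName, [int]$Port)

    # TcpClient must be created for the address family of the target,
    # otherwise an IPv6 address cannot be connected to at all.
    $client = New-Object System.Net.Sockets.TcpClient($Address.AddressFamily)
    try {
        $client.Connect($Address, $Port)
        # Accept whatever is presented: we only want to look at it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($TargetName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        New-Object PSObject -Property @{
            Address    = $Address.ToString()
            Family     = $Address.AddressFamily.ToString()
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Error      = $null
        }
    } finally {
        $client.Close()
    }
}

# GetHostAddresses returns both A and AAAA answers, in the order the client
# resolver hands them back, which is the same view an Outlook client gets.
[System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object {
    $addr = $_
    try {
        Get-PresentedCertificate -Address $addr -TargetName $HostName -Port $Port
    } catch {
        # A connect or handshake failure on one family is itself a finding.
        New-Object PSObject -Property @{
            Address = $addr.ToString(); Family = $addr.AddressFamily.ToString()
            Subject = $null; Issuer = $null; Thumbprint = $null; NotAfter = $null
            Error = $_.Exception.Message
        }
    }
} | Select-Object Address, Family, Subject, Issuer, Thumbprint, NotAfter, Error | Format-List
```

Run it from a client inside the LAN and compare the thumbprints with the one assigned to IIS in Exchange: every address should show the same trusted certificate. An address that presents a different thumbprint, or that fails to connect, points at a stale DNS record or a listener that was never rebound, which is the situation the author describes.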