• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2473

Change the certificate used by Exchange 2010 in SBS2011

Hoping someone here can help me. This is probably a straightforward issue but I cannot work it out.

Windows SBS2011 server I have a wildcard certificate. *.domain.com. I had previously installed this certificate and all was working fine.

However, when my first certificate expired and I renewed it I encountered an issue. I have successfully got the new certificate working with OWA but not with the native Exchange/Outlook connection. I keep getting an error when using Outlook, and when I view the details of the certificate I can see that Exchange is using the old certificate, which has now expired.

I did go to the list of certificates visible at EMC -> Server Configuration. I cannot find the expired certificate in this list. I did find the new wildcard certificate, which currently has the IIS and SMTP services assigned in this list. I tried to assign the IMAP and POP services but got the following errors.

This certificate with thumbprint XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX and subject '*.domain.com' cannot be used for POP SSL/TLS connections because the subject is not the Fully Qualified Domain Name (FQDN). Use the command Set-POPSettings to set X509CertificateName to the FQDN of the service.

This certificate with thumbprint XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX and subject '*.domain.com' cannot be used for IMAP SSL/TLS connections because the subject is not the Fully Qualified Domain Name (FQDN). Use the command Set-IMAPSettings to set X509CertificateName to the FQDN of the service.

The connectors are set to use the FQDN 'remote.domain.com'.

Thanks for your assistance
Raoul Edmonds
1 Solution
Simon Butler (Sembee), Consultant, commented:
As you are using SBS, you should have used the wizard in the SBS management console to install the certificate. Therefore I would suggest you start there: go through the SSL wizard and choose your new certificate. That should replace everything within Exchange etc.

To get rid of the error about SMTP/TLS, in EMS run new-exchangecertificate (on its own). You will get a number of prompts, which you should accept. You can then remove the old certificate.
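For readers who want the manual Exchange Management Shell equivalent of what the SBS wizard does, the following is an added example (not code from anyone in this thread): it lists the certificates Exchange knows about, binds the renewed certificate to IIS/SMTP, sets the POP/IMAP X509CertificateName to the published FQDN so the wildcard can be assigned there too (the exact fix the error text in the question points at), and only then removes expired certificates that carry no services. The wildcard subject *.domain.com and the FQDN remote.domain.com are taken from the question; the cmdlets are standard Exchange 2010 ones. On SBS the console wizard remains the supported route, so treat this as the diagnostic/fallback path.

```powershell
# Added example, not from the thread: re-point Exchange 2010 services at the renewed
# certificate and retire the expired one, run from the Exchange Management Shell (EMS).
# Assumptions: renewed wildcard is *.domain.com and the published FQDN is
# remote.domain.com (both from the question). Run as an Exchange administrator.

$Fqdn = 'remote.domain.com'

# 1. Inventory: every cert Exchange knows about, whether it is expired, and which
#    services (IIS, SMTP, POP, IMAP) it carries. The expired one Outlook complains
#    about must show up here before it can be removed.
Get-ExchangeCertificate |
    Select-Object Thumbprint, Subject, NotAfter, Services, IsSelfSigned,
        @{ Name = 'Expired'; Expression = { $_.NotAfter -lt (Get-Date) } } |
    Format-Table -AutoSize

# 2. Pick the renewed certificate: CA-issued (not self-signed), matching the
#    wildcard, still valid, newest expiry first.
$new = Get-ExchangeCertificate |
    Where-Object {
        $_.Subject -like 'CN=*.domain.com*' -and
        -not $_.IsSelfSigned -and
        $_.NotAfter -gt (Get-Date)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $new) { throw 'Renewed wildcard certificate not found in the Exchange certificate store.' }

# 3. Bind the services a wildcard can take directly. -Force answers the
#    "overwrite the existing default SMTP certificate?" prompt.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services IIS, SMTP -Force

# 4. POP/IMAP refuse a wildcard until X509CertificateName names the FQDN the
#    service is published under; set it, then the assignment succeeds.
Set-POPSettings  -X509CertificateName $Fqdn
Set-IMAPSettings -X509CertificateName $Fqdn
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services POP, IMAP -Force
Restart-Service MSExchangePOP3, MSExchangeIMAP4

# 5. Only now remove expired certificates that no longer carry any service.
#    Filtering on Services -eq 'None' keeps anything still in use (for example
#    the self-signed cert Exchange uses internally) out of harm's way.
Get-ExchangeCertificate |
    Where-Object { $_.NotAfter -lt (Get-Date) -and $_.Services -eq 'None' } |
    ForEach-Object {
        Write-Host "Removing expired certificate $($_.Thumbprint) ($($_.Subject))"
        Remove-ExchangeCertificate -Thumbprint $_.Thumbprint -Confirm:$false
    }
```

Run step 1 on its own first. If the expired certificate is not in the list at all (as the question reports), Exchange is not the component presenting it, and the check belongs at the network endpoints rather than in the Exchange store.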

Raoul Edmonds (Author) commented:
Thank you for the response.

I believe I did use the SBS wizard initially. However, I did redo it using your instructions above.

The problem still remains. Outlook is generating the same Certificate warnings and showing the same expired certificate.

I am not sure if it is related, but all of my Outlook clients always require user credentials to be entered for the Exchange accounts, despite being domain-authenticated clients. If not related this will be my next question. ;-)
Simon Butler (Sembee), Consultant, commented:
You shouldn't need authentication to connect to Outlook.
Have you removed the expired certificate? If not, then you need to.

You didn't use the certificate elsewhere, for example on your public web site?

Run an Autodiscover test and see what that shows.

Raoul Edmonds (Author) commented:
I ran the new-exchangecertificate tool again.

The output was:
[PS] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Exchange Server 2010>New-ExchangeCertificate
WARNING: This certificate will not be used for external TLS connections with an FQDN of 'sbs2011.domain.local'
because the CA-signed certificate with thumbprint 'AE605811AF7C3EC83646XXXXXXXXXXXXXXXXXXXXX' takes precedence. The
following receive/send connectors match that FQDN: Default SBS2011.

Overwrite the existing default SMTP certificate?

Current certificate: '5F8B74BB2426EF259312BXXXXXXXXXXXXXXXXXX' (expires 14/10/2018 11:16:25 PM)
Replace it with certificate: '7CE33E414F2375CDDCCE27XXXXXXXXXXXXXXXXX' (expires 15/10/2018 8:32:26 PM)
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y

In case it wasn't clear, I am trying to get a 3rd-party wildcard certificate to work. It is working for OWA.

I did use the https://testconnectivity.microsoft.com/ tool. The results were:
      Certificate trust is being validated.
       Certificate trust validation failed.
      Test Steps
      The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=*.domain.com, OU=PositiveSSL Wildcard, OU=Domain Control Validated.
       A certificate chain couldn't be constructed for the certificate.
      Additional Details
The certificate chain has errors. Chain status = NotTimeValid.
Elapsed Time: 19 ms.

Sorry I wasn't sure which output from the Outlook test tool to post.
Cris Hanna commented:
Go to the Network section of the SBS console. In the right window pane, find the "Fix My Network" wizard.

Allow it to repair everything it finds.

FYI, SBS doesn't require wildcard certs, nor does the wizard do well with them.
Raoul Edmonds (Author) commented:
Thank you, Chris. Sorry, I did submit a reply; not sure why it went through.

I learnt the hard way that SBS doesn't like wildcard certs; however, once I got it installed it was OK... until the renewal.

After running the Fix My Network wizard it detected an issue with the cert and a couple of other things. I fixed the cert issue and then reran the 'install trusted cert' wizard.

All seemed to work OK. Outlook stopped generating certificate warnings.

However, when I run the Outlook Test Email AutoConfiguration tool it generates an expired certificate warning.

Also, interestingly, I am no longer getting the authentication login from Outlook. I did play with changing the authentication method to NTLM, but this seems to either severely slow or stop outbound connections. I restored the Outlook settings to Negotiate Authentication and am not getting the authentication errors.

Everything appears to be working. Just unsure why the Outlook tool is still getting the expired certificate.
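To answer the open question in the last post (Outlook no longer warns, yet the Test Email AutoConfiguration tool still reports an expired certificate) it helps to see which certificate each name and port that Outlook and Autodiscover actually contact is presenting, rather than what the Exchange store says. The following is an added example, not code posted by anyone in the thread, and runs from any Windows machine with PowerShell. It opens a TLS connection to each endpoint, records the served certificate's subject, thumbprint and expiry, and builds the chain the same way the Connectivity Analyzer does, so a NotTimeValid status like the one quoted earlier shows up next to the endpoint that causes it. remote.domain.com is the FQDN from the question; autodiscover.domain.com is the conventional Autodiscover host name and is an assumption here.

```powershell
# Added example, not from the thread: show which certificate each endpoint Outlook
# touches actually presents, and whether its chain is time-valid, so an "expired
# certificate" warning can be traced to a specific host name and port.
# Assumptions: remote.domain.com is the published FQDN (from the question);
# autodiscover.domain.com is the conventional Autodiscover name (assumed here).

function Get-RemoteCertificate {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Validation callback always returns $true: we want to inspect the cert
        # the server sends, not have the handshake fail on it.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)   # SNI uses $HostName, as Outlook would
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $null  = $chain.Build($cert)           # uses the local machine's trust store

        [pscustomobject]@{
            Endpoint    = "$HostName`:$Port"
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            NotAfter    = $cert.NotAfter
            Expired     = $cert.NotAfter -lt (Get-Date)
            # Empty when the chain is fine; 'NotTimeValid' when a cert in it has expired.
            ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
    }
    finally {
        $client.Close()
    }
}

# Endpoints the Outlook client and the Autodiscover test use over HTTPS
# (OWA/EWS/OAB on the published name, plus the Autodiscover name).
'remote.domain.com', 'autodiscover.domain.com' |
    ForEach-Object { Get-RemoteCertificate -HostName $_ -Port 443 } |
    Format-Table -AutoSize
```

If the two rows show different thumbprints, the expired certificate is still bound to whichever IIS site or device answers the second name, which is exactly the case an Exchange-only fix (or the SBS wizard) does not touch. The same function can be pointed at port 443 on any other published name, or run from outside the LAN, to confirm what external clients see.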
