Change the certificate used by Exchange 2010 in SBS2011

Hoping someone here can help me. This is probably a straightforward issue but I cannot work it out.

On a Windows SBS2011 server I have a wildcard certificate (*). I had previously installed this certificate and all was working fine.

However, when my first certificate expired and I renewed it I encountered an issue. I have successfully got the new certificate working with OWA but not with the native Exchange/Outlook connection. I keep getting an error when using Outlook, and when viewing the details of the certificate I can see that Exchange is using the old certificate, which has now expired.

I did go to the list of certificates visible at EMC -> Server Configuration. I cannot find the expired certificate in this list. I did find the new wildcard certificate, which currently has the IIS and SMTP services assigned in this list. I tried to assign the IMAP and POP services but got the following errors.

This certificate with thumbprint XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX and subject '*' cannot be used for POP SSL/TLS connections because the subject is not the Fully Qualified Domain Name (FQDN). Use the command Set-POPSettings to set X509CertificateName to the FQDN of the service.

This certificate with thumbprint XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX and subject '*' cannot be used for IMAP SSL/TLS connections because the subject is not the Fully Qualified Domain Name (FQDN). Use the command Set-IMAPSettings to set X509CertificateName to the FQDN of the service.

The connectors are set to use the FQDN ''

Thanks for your assistance.
Raoul Edmonds asked:
Simon Butler (Sembee), Consultant, commented:
As you are using SBS, you should have used the wizard in SBS management console to install the certificate. Therefore I would suggest you start there - go through the SSL wizard and choose your new certificate. That should replace everything within Exchange etc.

To get rid of the error about the SMTP/TLS, in EMS, run new-exchangecertificate (on its own). You will get a number of prompts which you should accept. You can then remove the old certificate.
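The two steps above (rebind the renewed certificate, then remove the expired one) and the POP/IMAP errors from the question, as an added Exchange Management Shell example that is not from this thread. The thumbprint and FQDN values are placeholders; replace them with the renewed certificate's thumbprint and the name clients actually connect to.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on the SBS 2011 server.
$newThumb = '<NEW-WILDCARD-THUMBPRINT>'   # placeholder: thumbprint of the renewed certificate
$fqdn     = 'mail.example.com'            # placeholder: FQDN Outlook/POP/IMAP clients use

# 1. Inventory every certificate Exchange knows about and flag the expired ones,
#    so the stale certificate is identified by thumbprint before anything is changed.
Get-ExchangeCertificate |
    Sort-Object NotAfter |
    Select-Object Thumbprint, Subject, NotAfter, Services,
        @{ n = 'Expired'; e = { $_.NotAfter -lt (Get-Date) } } |
    Format-Table -AutoSize

# 2. POP and IMAP refuse a wildcard subject unless X509CertificateName is an FQDN
#    (the exact error quoted in the question). Set the name first, then bind all services.
Set-POPSettings  -X509CertificateName $fqdn
Set-IMAPSettings -X509CertificateName $fqdn
Enable-ExchangeCertificate -Thumbprint $newThumb -Services IIS,SMTP,POP,IMAP -Confirm:$false
Restart-Service MSExchangePOP3, MSExchangeIMAP4   # POP/IMAP only read the setting at start-up

# 3. Point Autodiscover at a host name the wildcard certificate covers.
Get-ClientAccessServer |
    Set-ClientAccessServer -AutoDiscoverServiceInternalUri "https://$fqdn/Autodiscover/Autodiscover.xml"

# 4. Remove only certificates that are expired, not the new one, and bound to no service.
Get-ExchangeCertificate |
    Where-Object { $_.NotAfter -lt (Get-Date) -and
                   $_.Thumbprint -ne $newThumb -and
                   $_.Services -eq 'None' } |
    ForEach-Object { Remove-ExchangeCertificate -Thumbprint $_.Thumbprint -Confirm:$false }
```

Re-run step 1 afterwards: the renewed thumbprint should be the only one listing IIS, SMTP, POP and IMAP, and no row should be flagged Expired.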

Raoul Edmonds, Author, commented:
Thank you for the response.

I believe I did use the SBS wizard initially. However I did redo using your instructions above.

The problem still remains. Outlook is generating the same Certificate warnings and showing the same expired certificate.

I am not sure if it is related, but all of my Outlook clients always require user credentials to be entered for the Exchange accounts, despite being domain-authenticated clients. If not related, this will be my next question. ;-)
Simon Butler (Sembee), Consultant, commented:
You shouldn't need authentication to connect to Outlook.
Have you removed the expired certificate? If not then you need to.

You didn't use the certificate elsewhere, for example on your public web site?

Run an Autodiscover test, see what that shows.


Raoul Edmonds, Author, commented:
I ran the new-exchangecertificate tool again.

The output was:
[PS] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Exchange Server 2010>New-ExchangeCertificate
WARNING: This certificate will not be used for external TLS connections with an FQDN of 'sbs2011.domain.local'
because the CA-signed certificate with thumbprint 'AE605811AF7C3EC83646XXXXXXXXXXXXXXXXXXXXX' takes precedence. The
following receive/send connectors match that FQDN: Default SBS2011.

Overwrite the existing default SMTP certificate?

Current certificate: '5F8B74BB2426EF259312BXXXXXXXXXXXXXXXXXX' (expires 14/10/2018 11:16:25 PM)
Replace it with certificate: '7CE33E414F2375CDDCCE27XXXXXXXXXXXXXXXXX' (expires 15/10/2018 8:32:26 PM)
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y

In case it wasn't clear, I am trying to get a third-party wildcard certificate to work. It is working for OWA.

I did use the tool. The results were:
      Certificate trust is being validated.
       Certificate trust validation failed.
      Test Steps
      The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=*, OU=PositiveSSL Wildcard, OU=Domain Control Validated.
       A certificate chain couldn't be constructed for the certificate.
      Additional Details
The certificate chain has errors. Chain status = NotTimeValid.
Elapsed Time: 19 ms.

Sorry, I wasn't sure which output from the Outlook test tool to post.
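The Connectivity Analyzer result above (chain status NotTimeValid) can be reproduced from any client without the Analyzer. This is an added PowerShell example, not from the thread: it performs a TLS handshake against the server, inspects the certificate actually presented, and builds the chain locally. The host name is a placeholder.

```powershell
# Added example, not from the thread. Run from any domain workstation with PowerShell.
function Test-ExchangeTlsCert {
    param([string]$Server, [int]$Port = 443)

    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        # Accept whatever the server sends in the callback; validation is done explicitly below.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }

    # Build the chain the same way the Analyzer does; revocation is skipped so the
    # result isolates trust/time problems such as NotTimeValid.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)

    New-Object PSObject -Property @{
        Server      = $Server
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        Expired     = ($cert.NotAfter -lt (Get-Date))
        ChainValid  = $chainOk
        # 'NotTimeValid' here means the server is still serving the expired certificate.
        ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }
}

# Check both names Outlook uses: the Autodiscover host and the OWA/Outlook Anywhere host.
'autodiscover.example.com', 'mail.example.com' |   # placeholders
    ForEach-Object { Test-ExchangeTlsCert -Server $_ } |
    Format-List Server, Subject, Thumbprint, NotAfter, Expired, ChainValid, ChainStatus
```

If the thumbprint shown here differs from the one Enable-ExchangeCertificate was run against, IIS is still binding the old certificate and the SBS certificate wizard (or the IIS site binding) needs to be repeated.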
Cris Hanna, Sr IT Support Engineer, commented:
Go to the Network section of the SBS console. In the right window pane, find the "Fix My Network" wizard.

Allow it to repair everything it finds.

FYI, SBS doesn't require wildcard certs, nor does the wizard do well with them.

Raoul Edmonds, Author, commented:
Thank you Cris. Sorry, I did submit a reply; not sure why it went through.

I learnt the hard way that SBS doesn't like wildcard certs; however, once I got it installed it was OK... until the renewal.

After running the Fix My Network wizard it detected an issue with the cert and a couple of other things. I fixed the cert issue and then reran the 'install trusted cert' wizard.

All seemed to work OK. Outlook stopped generating certificate warnings.

However when I run the Outlook Test Email Autoconfiguration tool it generates an expired certificate warning.

Also, interestingly, I am no longer getting the authentication login from Outlook. I did play with changing the authentication method to NTLM, but this seems to either severely slow or stop outbound connections. I restored the Outlook settings to Negotiate Authentication and am not getting the authentication errors.

Everything appears to be working. Just unsure why the Outlook tool is still getting the expired certificate.
