
  • Status: Solved

Importing new Exchange 2010 SSL Certificate


I'm drawing a total blank on this one.  We have a wildcard cert installed on our Exchange Enterprise 2010 server.  It's expiring soon.  We've purchased a new one from our vendor, and I'm in the process of importing it, to bind it to SMTP and IIS.  And every time I do this, I completely hit a wall when it comes to importing and assigning.

I have the cert imported successfully.  Exchange sees it through the EMC as "Self Signed = False", which is good.  I need to assign the SMTP and IIS services to the cert.  Upon clicking Assign, I get a popup that asks me "Do you want to enforce ssl communication to the root website?"  Yes/YesToAll/No/Cancel.

I panicked, and I clicked no, and no to the other message asking me to replace the SMTP....something...

Needless to say, it assigned the cert to SMTP, but not to IIS.  I can't remember what I need to do here, if I should be saying Yes to both, and then going into IIS and simply removing SSL from the default site?  Or.....  How do I proceed?

5 Solutions
Peter Hutchison, Senior Network Systems Specialist, Commented:
You can re-run the command to re-assign the certificate to the various protocols, i.e. SMTP, IIS, POP and IMAP.
If you need to, you can load the IIS management console, and on the default web site, you can click on Bind to check if the certificate is applied to the website and then tick/untick 'Require SSL' for the root and virtual directories manually.
Simply get the thumbprint for the certificate and run the Enable-ExchangeCertificate command to assign the certificate to the required services.


Enable-ExchangeCertificate  -Services 'IMAP, POP, IIS, SMTP' -Thumbprint '<certificate thumbprint>'

More details :

cocosyseng (Author) Commented:
I saw that link, but the popups just threw me off.  I can see in IIS it's seeing the cert, so that's no issue there.  My worry is what it's going to do to EMC, Outlook, and ActiveSync...

So, do I just log into IIS, and change the binding manually, or do I need to do it through EMC?

You can bind for IIS ONLY if you want to:

Enable-ExchangeCertificate  -Services 'IIS' -Thumbprint '<certificate thumbprint>'
cocosyseng (Author) Commented:
OK, I'll give that a shot and post back later and let you know how it goes.  Our old cert that's expiring in a couple weeks is bound to IIS and SMTP only.   Just wanting to make sure I do this right so I don't interrupt mail flow.

Thanks!  Back shortly...
Also be sure to run iisreset to make sure the binding for IIS takes. You can change the cert manually in IIS as well if you need to; either one works.
cocosyseng (Author) Commented:
Thanks everyone!!  I was able to get the roadblock cleared and the cert installed and assigned.  The link from MAS helped a bunch too!  Thanks guys!!!
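
The steps discussed in this thread, gathered into one Exchange Management Shell sequence with checks before and after the binding. This is an added example, not something posted by the participants; the thumbprint is a placeholder, and the choice of 'IIS, SMTP' follows the services the asker says the old certificate is bound to.

```powershell
# Run in the Exchange Management Shell on the Exchange 2010 server.
# Placeholder: paste the thumbprint of the NEW certificate here.
$NewThumbprint = '<certificate thumbprint>'

# 1. List every installed certificate with its current service bindings,
#    so the expiring certificate and the new one can be told apart.
Get-ExchangeCertificate |
    Sort-Object NotAfter |
    Format-Table Thumbprint, Subject, Services, NotAfter, IsSelfSigned -AutoSize

# 2. Check the new certificate before binding anything to it.
$cert = Get-ExchangeCertificate -Thumbprint $NewThumbprint
$now  = Get-Date
if (-not $cert.HasPrivateKey) { throw 'No private key present; import the certificate together with its key.' }
if ($cert.IsSelfSigned)       { throw 'This is a self-signed certificate, not the one issued by the vendor.' }
if ($cert.NotBefore -gt $now) { throw "Certificate is not valid until $($cert.NotBefore)." }
if ($cert.NotAfter  -lt $now) { throw "Certificate expired on $($cert.NotAfter)." }

# 3. Assign the certificate to IIS and SMTP.
#    -DoNotRequireSsl leaves the 'Require SSL' setting on the default web site
#    as it is now, which is what the "enforce ssl communication to the root
#    website" popup asks about. Omit the switch to let the cmdlet turn it on.
#    The confirmation about replacing the default SMTP certificate still
#    appears and has to be answered interactively.
Enable-ExchangeCertificate -Thumbprint $NewThumbprint -Services 'IIS, SMTP' -DoNotRequireSsl

# 4. Confirm that both services now show up on the new certificate.
$after = Get-ExchangeCertificate -Thumbprint $NewThumbprint
$after | Format-List Thumbprint, Services, NotAfter, CertificateDomains
foreach ($svc in 'IIS', 'SMTP') {
    if ("$($after.Services)" -notmatch $svc) {
        Write-Warning "$svc is not bound to the new certificate yet."
    }
}

# 5. Restart IIS so the new binding is picked up (as suggested in the thread).
iisreset /noforce
```

After step 5, browsing to OWA and checking the certificate the browser presents confirms that clients see the new expiry date rather than the old one.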
