Importing new Exchange 2010 SSL Certificate


I'm drawing a total blank on this one.  We have a wildcard cert installed to our Exchange Enterprise 2010 server.  It's expiring soon.  We've purchased a new one from our vendor, and I'm in the process of importing it, to bind it to SMTP and IIS.  And every time I do this, I completely hit a wall when it comes to importing and assigning.

I have the cert imported successfully.  Exchange sees it through the EMC as "Self Signed = False", which is good.  I'm needing to assign the SMTP and IIS services to the cert.  Upon clicking Assign, I get a popup that asks me "Do you want to enforce ssl communication to the root website?  Yes/YesToAll/No/Cancel".

I panicked, and I clicked no, and no to the other message asking me to replace the SMTP....something...

Needless to say, it assigned the cert to SMTP, but not to IIS.  I can't remember what I need to do here, if I should be saying Yes to both, and then going into IIS and simply removing SSL from the default site?  Or.....  How do I proceed?

Peter Hutchison, Senior Network Systems Specialist, Commented:
You can re-run the command to re-assign the certificate to the various protocols, i.e. SMTP, IIS, POP and IMAP.
If you need to, you can load the IIS management console, and on the default web site, you can click on Bind to check if the certificate is applied to the website and then tick/untick 'Require SSL' for the root and virtual directories manually.
Simply get the thumbprint for the certificate and run the Enable-ExchangeCertificate command to assign the certificate to the required services.


Enable-ExchangeCertificate  -Services 'IMAP, POP, IIS, SMTP' -Thumbprint '<certificate thumbprint>'

More details :
cocosyseng (Author) Commented:
I saw that link, but the popups just threw me off.  I can see in IIS it's seeing the cert, so that's no issue there.  My worry is what it's going to do to EMC, Outlook, and active-sync...  

So, do I just log into IIS, and change the binding manually, or do I need to do it through EMC?

You can bind for IIS ONLY if you want to:

Enable-ExchangeCertificate  -Services 'IIS' -Thumbprint '<certificate thumbprint>'

cocosyseng (Author) Commented:
OK, I'll give that a shot and post back later and let you know how it goes.  Our old cert that's expiring in a couple weeks is bound to IIS and SMTP only.   Just wanting to make sure I do this right so I don't interrupt mail flow.

Thanks!  Back shortly...

Also be sure to run iisreset to make sure the binding for IIS takes. You can change the cert manually in IIS as well if you need to; either one works.

cocosyseng (Author) Commented:
Thanks everyone!!  I was able to get the road block cleared and the cert installed and assigned.  The link from MAS helped a bunch too!  Thanks guys!!!
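
The sequence discussed in this thread, as an added example that is not part of the original posts: inventory the installed certificates, check the new one, assign it to the same services the expiring certificate holds (IIS and SMTP, per the asker), then verify. The thumbprint is a placeholder, and the pre-checks and the `-WhatIf` preview are additions, not steps any participant posted.

```powershell
# Exchange Management Shell, run on the Exchange 2010 server.
# Placeholder: paste the new wildcard certificate's thumbprint here.
$newThumbprint = '<certificate thumbprint>'

# 1. Inventory: which certificate holds which services, and when each expires.
Get-ExchangeCertificate |
    Sort-Object NotAfter |
    Format-Table Thumbprint, Services, NotAfter, IsSelfSigned, Subject -AutoSize

# 2. Sanity-check the new certificate before binding anything to it.
$cert = Get-ExchangeCertificate -Thumbprint $newThumbprint
if (-not $cert.HasPrivateKey)      { throw 'No private key: re-import the certificate together with its key.' }
if ($cert.Status -ne 'Valid')      { throw "Certificate status is $($cert.Status); check the issuing chain." }
if ($cert.NotAfter -le (Get-Date)) { throw 'Certificate has already expired.' }

# 3. Preview the change without applying it.
Enable-ExchangeCertificate -Thumbprint $newThumbprint -Services 'IIS, SMTP' -WhatIf

# 4. Assign the services. By default the cmdlet turns on "Require SSL" for the
#    default web site when IIS is included; add -DoNotRequireSsl to leave that
#    setting untouched. A prompt about replacing the default SMTP certificate
#    may still appear; read it and answer deliberately.
Enable-ExchangeCertificate -Thumbprint $newThumbprint -Services 'IIS, SMTP'

# 5. Confirm the new certificate now lists IIS and SMTP.
Get-ExchangeCertificate -Thumbprint $newThumbprint |
    Format-List Subject, Services, NotAfter, Status

# 6. Restart IIS so the new binding is picked up (briefly interrupts
#    OWA, ActiveSync and other web services on this server).
iisreset
```

Leave the expiring certificate installed until clients are confirmed to be connecting with the new one, then remove it.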