SMTP Certificate issue in exchange 2010 SP1
Hello, I added a 3rd party certificate to my Exchange 2010 SP1 CAS but accidentally checked the IIS and the SMTP service. Since it's a certificate with an external domain name on it (so for use with IIS), all internal Outlook clients get the warning that the certificate is not valid and have to approve it manually. I managed to get the SMTP service off of the 3rd party certificate, but all clients still get the same warning. How can I use the default Microsoft Exchange certificate with internal domain references as my SMTP certificate?
December 3rd, 2010 4:55am

To set the SMTP service to the self-generated certificate, use the following command:

Enable-ExchangeCertificate -Thumbprint <certificatethumbprint> -Services SMTP

If you want to remove the 3rd party certificate from SMTP, use the following command:

Enable-ExchangeCertificate -Thumbprint <certificatethumbprint> -Services None

This removes the certificate from all services, so you will then have to enable it for the services you want the certificate to be enabled on.

Martin Sundstrm | Microsoft Certified Trainer | MCITP: Enterprise Messaging Administrator 2007/2010 | http://msundis.wordpress.com
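An added example of the procedure above (not the poster's own script), for the Exchange Management Shell on the CAS: it lists which certificate carries which service, picks the self-signed certificate that names the server, binds it to SMTP and verifies the result. The server FQDN lookup is an assumption; substitute the thumbprint directly if you prefer.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on the CAS.
# Assumption: the self-signed Exchange certificate contains this server's FQDN.
$serverFqdn = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName

# 1. Inventory: which certificate carries which services, and which names it covers.
Get-ExchangeCertificate |
    Select-Object Thumbprint, IsSelfSigned, Services, NotAfter,
        @{ n = 'Domains'; e = { ($_.CertificateDomains | ForEach-Object { $_.ToString() }) -join ',' } } |
    Format-Table -AutoSize

# 2. Pick the self-signed certificate that actually names this server (newest first).
$selfSigned = Get-ExchangeCertificate |
    Where-Object { $_.IsSelfSigned -and
        (($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $serverFqdn) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $selfSigned) { throw "No self-signed certificate found for $serverFqdn" }

# 3. Bind it to SMTP. Exchange prompts before replacing the default SMTP certificate;
#    -Confirm:$false suppresses that prompt.
Enable-ExchangeCertificate -Thumbprint $selfSigned.Thumbprint -Services SMTP -Confirm:$false

# 4. Verify: the self-signed certificate should now list SMTP among its services.
Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' } |
    Select-Object Thumbprint, IsSelfSigned, Services
```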
December 3rd, 2010 6:06am

I've done that, and now I have 2 certificates: the self-signed, default installed "Microsoft Exchange" certificate with POP, IMAP and SMTP services, and the 3rd party certificate for remote connections via OWA or ActiveSync with only IIS services. But every time a user logs on into Outlook (local), he gets an error about the certificate with the external domain on it (so the 3rd party certificate), where the end-user has to click yes twice to go through. Is there a way to force Outlook to use the default Exchange certificate, instead of the 3rd party certificate?
December 3rd, 2010 8:18am

Short answer is no. Outlook is making an IIS connection to the server, for autodiscover and availability information. Nothing to do with SMTP - Outlook doesn't use SMTP to communicate with Exchange. What kind of certificate did you purchase? A UC (aka SAN - subject alternative name) or a single name certificate? If the latter, it should have been the former. If the former, you should have included the local server names, which you would have been prompted for in the wizard as one of the names to include. It is possible to make changes to Exchange so that the external name is used internally, but if you are deploying the unified communications role then that isn't going to work for you. UC requires that the certificate has the server's real name in it. Simon.

Simon Butler, Exchange MVP Blog | Exchange Resources
December 3rd, 2010 8:57am

I purchased a single name certificate at Go Daddy. I always use single domain certificates. The default Exchange certificate is referring to Apollo (which is the name of the mail server), but Outlook searches for the certificate with the external domain name. Why isn't Outlook looking for the Apollo certificate (default Exchange)? This behaviour started after I checked the SMTP service on the 3rd party certificate...
December 3rd, 2010 9:27am

You shouldn't be using single name certificates with Exchange 2010. You can only use single name certificates in very controlled circumstances, and they require additional overheads. If you had used UC certificates then this wouldn't have been a problem. Enabling SMTP on the third party certificate would not have been the cause of this issue, other than forcing the server to run the full Enable-ExchangeCertificate command, which would have changed the certificate used for IIS. While that was the only change that you made, it wasn't directly related. Bottom line is that you cannot mix SSL certificates for internal and external use without putting the server into an unsupported situation. Change to a UC certificate (GoDaddy are the cheapest supplier) with the relevant names in it and you will find things work as they should. Simon.

Simon Butler, Exchange MVP Blog | Exchange Resources
December 3rd, 2010 12:10pm

Hi, you have to use a SAN based certificate for Exchange 2010. Then you will have to configure your Exchange virtual directories. Below is the link to the article for configuring Exchange virtual directories: http://support.microsoft.com/kb/940726 Thanks.

Nagaraj N
December 5th, 2010 6:40am

Hi KlausBE, any updates on your issue?

Frank Wang, TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
December 6th, 2010 2:29am

I'm investigating the possibilities. Changing the Exchange virtual directories is not something I'm pleased to do :-) The weird thing is, when I delete the 3rd party certificate, so that I only have the self signed Exchange default cert, I still get the certificate warning in Outlook which refers to my external domain name. I'm going to request a new multiple name certificate at Go Daddy today and see if that solves this issue.
December 6th, 2010 5:53am

You need to look at your DNS then, and ensure that the host names are resolving to the correct place. Remember that Outlook will attempt to connect to autodiscover.example.com (where example.com is the domain after the @ sign in the email address). When you get the certificate prompt you should be able to view the certificate - that may give you a clue where the client is connecting to. Simon.

Simon Butler, Exchange MVP Blog | Exchange Resources
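An added diagnostic for the DNS and certificate check described above (not from the thread): it resolves each host name Outlook may contact, including the internal Autodiscover and EWS URLs when run inside the Exchange Management Shell, and fetches the TLS certificate each endpoint actually presents, so the name in the warning can be matched to the server answering for it. The email domain and host list are assumptions.

```powershell
# Added diagnostic, not from the thread. $emailDomain and $hosts are assumptions.
$emailDomain = 'example.com'
$hosts = @("autodiscover.$emailDomain", "apollo.$emailDomain", "mail.$emailDomain")

# Inside the Exchange Management Shell, also probe the URLs Outlook learns from
# Autodiscover (internal Autodiscover SCP and the EWS internal URL).
if (Get-Command Get-ClientAccessServer -ErrorAction SilentlyContinue) {
    $hosts += Get-ClientAccessServer | ForEach-Object { ([uri]$_.AutoDiscoverServiceInternalUri).Host }
    $hosts += Get-WebServicesVirtualDirectory | ForEach-Object { ([uri]$_.InternalUrl).Host }
}

function Get-ServedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept any certificate here: this is an inspection tool, not a trust decision.
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false,
        [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # 2.5.29.17 is the Subject Alternative Name extension; a single-name cert may lack it.
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = '(none)'
        if ($sanExt) { $sanText = $sanExt.Format($false) }
        New-Object PSObject -Property @{
            Host       = $HostName
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
            NotAfter   = $cert.NotAfter
            SANs       = $sanText
        }
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

foreach ($h in ($hosts | Where-Object { $_ } | Sort-Object -Unique)) {
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($h) | ForEach-Object { $_.IPAddressToString }
        Write-Host "$h -> $($ips -join ', ')"
        Get-ServedCertificate -HostName $h | Format-List Subject, Issuer, SelfSigned, NotAfter, SANs
    } catch {
        Write-Warning "$h : $($_.Exception.Message)"
    }
}
```

If an internal name resolves to the external address, or the served certificate's Subject/SANs do not contain the name Outlook used, that mismatch is exactly what produces the prompt.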
December 6th, 2010 10:01am

Hi KlausBE, how about your question? Any updates?

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
December 8th, 2010 10:28pm

Hi KlausBE, any updates?

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
December 13th, 2010 3:24am
