http://www.msexchange.org ------------------------------------------------------- I really must blog this... Certificates in SBS 2008 are a real pain. Whatever you do, you don't use IIS for the certificate generation. You have two options. 1. You use the wizard. 2. You use the Exchange management shell. The wizard makes a major presumption - that you are using SRV records for Autodiscover. It creates a request for a single name SSL certificate - remote.example.com if you have followed the recommendations and expects you to make the SRV record changes that are required. However most domain name service providers do not support SRV records. Of course those in the list within SBS for DNS services do. The comments in this article from Sean Daniel clearly show the presumption of SRV records use, which is a poor show from Microsoft in my opinion: http://sbs.seandaniel.com/2009/02/installing-godaddy-standard-ssl.html Therefore you must use the Exchange Management Shell. On the plus side, this will not affect your live certificate, because it doesn't go live until the certificate is enabled. On the downside, using EMS to install the certificate breaks the web services of SBS. Therefore the thing to do is use EMS as normal, generating the request. Once you have the response, do not install it until you are ready for the downtime. Install the certificate as normal. The web services in SBS (RWW etc) will then break. Then use the Fix My Network wizard in SBS to correct everything. That should reset the web server bindings. The SBS best practises analyser (free download from Microsoft - link on my Exchange resources site at http://exbpa.com ) will also flag the broken bindings if the Fix My Network wizard doesn't resolve it. Instructions for doing the certificate request, installation etc are on my blog here: http://blog.sembee.co.uk/archive/2008/05/30/78.aspx I should be doing an SBS 2008 certificate installation within the next couple of days and I will document and blog the exact steps as this isn't the first time this question has come up. Simon. -- Simon Butler MVP: Exchange, MCSE Sembee Ltd. e: simon@xxxxxxxxxxxx w: http://www.sembee.co.uk/ w: http://www.amset.info/ w: http://blog.sembee.co.uk/ Need cheap certificates for Exchange, compatible with Windows Mobile 5.0? http://CertificatesForExchange.com/ for certificates from just $23.99. Need a domain for your certificate? http://DomainsForExchange.net/ Exchange Resources: http://exbpa.com/ -----Original Message----- From: exchangelist-bounce@xxxxxxxxxxxxx [mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of Harondel J. Sibble Sent: 11 February 2010 19:02 To: exchangelist@xxxxxxxxxxxxx Subject: [ExchangeList] Re: sbs 2008 ssl cert replacement - how to do http://www.msexchange.org -------------------------------------------------------Hmm, is that something new in IIS7? Under 6 it won't let you generate a new csr until you remove the existing cert... Or is this a function of having to use the Exchange 2007 console to install the cert? Which is the correct way to install a new cert on Ex2k7/IIS7? As I noted. I've seen it suggested both ways as "THE" way to do it. On 11 Feb 2010 at 13:54, Michael B. Smith wrote: > http://www.msexchange.org > -------------------------------------------------------You don't need > to remove the old cert before you generate the CSR for the new cert. > They'll have different thumbprints even if they are otherwise > identical, and the thumbprint is what Exchange (and the Windows > certificate > module) cares about. -- Harondel J. Sibble Sibble Computer Consulting Creating Solutions for the small and medium business computer user. help@xxxxxxxxx (use pgp keyid 0x3AD5C11D) http://www.pdscc.com (604) 739-3709 (voice) ------------------------------------------------------- List Archives: //www.freelists.org/archives/exchangelist/ MSExchange Newsletter: http://www.msexchange.org/pages/newsletter.asp MSExchange Articles and Tutorials: http://www.msexchange.org/articles_tutorials/ MSExchange Blogs: http://blogs.msexchange.org/ ------------------------------------------------------- Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------- To unsubscribe visit http://www.msexchange.org/pages/exchangelist.asp Report abuse to listadmin@xxxxxxxxxxxxxx ------------------------------------------------------- List Archives: //www.freelists.org/archives/exchangelist/ MSExchange Newsletter: http://www.msexchange.org/pages/newsletter.asp MSExchange Articles and Tutorials: http://www.msexchange.org/articles_tutorials/ MSExchange Blogs: http://blogs.msexchange.org/ ------------------------------------------------------- Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------- To unsubscribe visit http://www.msexchange.org/pages/exchangelist.asp Report abuse to listadmin@xxxxxxxxxxxxxx