How to Manually Install Certificates in SBS 2008


[Today’s post comes to us courtesy of Mark Stanfill]

The SBS Add a Trusted Certificate wizard may fail to display a certificate that is correctly installed in the certificate store if the subject field of the certificate is missing. This happens because some third-party certificate authorities (CAs) issue certificates with a blank subject. The Subject Alternative Name field is used to designate the fully qualified domain name (FQDN) of the certificate instead. This article documents how to manually install these types of certificates.

The behavior that you will see is that the certificate will be correctly installed in the computer’s personal certificate store, but will not show up in the Add a Trusted Certificate Wizard. In the example screenshots below, the external URL being published is




To use the certificate, you will need to manually assign it to the web site in IIS.  The instructions below assume that the certificate Subject Alternative Name matches the Internet Domain Name on the Network\Connectivity tab of the Windows SBS Console.  If the name does not match, first run the Internet Address Management Wizard (IAMW) by clicking on the Set up your Internet address link in the console.  This will assign a self-signed certificate temporarily, but also makes other important configuration changes.

Use these steps to assign the certificate:

1. Log on to the SBS server as an administrator and launch the Internet Services Manager (IIS Manager) console.

2. Select the SBS SharePoint site and click on Bindings…

3. Select https and click Edit…

4. Select your certificate from the drop-down list under SSL certificate:.  Click View… to verify that the certificate is correct based on the Subject Alternative Name field, issuer, etc.


5. Repeat steps 2-4 for the SBS Web Applications SSL binding on port 443.


6. Obtain the thumbprint of the newly installed certificate by opening an elevated Exchange Management Shell prompt and typing the command Get-ExchangeCertificate.  The newly installed certificate should have no services assigned to it.  Verify the thumbprint value from Exchange Management Shell against the properties of the actual certificate.



7. Copy the certificate thumbprint from step 6 and run the command

Enable-ExchangeCertificate -Thumbprint <THUMBPRINT> -Services "POP, IMAP, IIS, SMTP"

Where <THUMBPRINT> is the actual thumbprint.  When prompted to overwrite the existing services, answer A for all.


8. Verify the Terminal Services Gateway certificate settings.  Launch the TS Gateway Manager from START\All Programs\Administrative Tools\Terminal Services\TS Gateway Manager.  Right-click on the SBS server name and choose Properties.  On the SSL Certificate tab, click on Browse Certificates… and select the appropriate certificate.
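
The check behind steps 4 and 6, as an added example that is not part of the original post: because the Subject is blank, the certificate is located by its Subject Alternative Name in the local machine store and then cross-checked against what Exchange reports. `$Fqdn` and the helper `Get-SanDnsNames` are hypothetical names, and the `DNS Name=` label assumes an English-language Windows; run it from an elevated Exchange Management Shell.

```powershell
# Hypothetical placeholder: use the Internet Domain Name shown in the SBS Console.
$Fqdn = 'remote.example.com'

function Get-SanDnsNames($Cert) {
    # OID 2.5.29.17 is the Subject Alternative Name extension.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return }
    # Format($true) prints one entry per line, e.g. "DNS Name=host.example.com".
    # Assumption: English-language Windows, which labels entries "DNS Name=".
    $san.Format($true).Split("`n") | ForEach-Object {
        if ($_ -match '^\s*DNS Name=(.+)$') { $Matches[1].Trim() }
    }
}

# Candidates: SAN lists the published name (exact match, wildcards are not
# expanded), the private key is present, and the validity period covers today.
$now = Get-Date
$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    (@(Get-SanDnsNames $_) -contains $Fqdn) -and
    $_.HasPrivateKey -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now
})

if ($candidates.Count -ne 1) {
    # Zero matches: wrong store, missing private key, or name mismatch.
    # Several matches: pick by issuer and expiry by hand before binding anything.
    Write-Warning "Expected exactly one usable certificate for $Fqdn, found $($candidates.Count)."
    $candidates | Format-List Thumbprint, Subject, Issuer, NotAfter
}
else {
    $cert = $candidates[0]
    Write-Host "Thumbprint : $($cert.Thumbprint)"
    Write-Host "Subject    : '$($cert.Subject)'"   # blank is expected for these certificates
    Write-Host "Issuer     : $($cert.Issuer)"      # should be the third-party CA
    Write-Host "Valid      : $($cert.NotBefore) to $($cert.NotAfter)"
    Write-Host "SAN DNS    : $([string]::Join(', ', @(Get-SanDnsNames $cert)))"

    # Step 6 cross-check: Exchange must report the same thumbprint; a newly
    # installed certificate should show no services assigned yet.
    Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
        Format-List Thumbprint, Services, CertificateDomains
}
```

The script changes nothing; the thumbprint it prints is the value to pass to Enable-ExchangeCertificate in step 7.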


  • Thanks Mark! You rock once again. :-)


  • Do you know of a way of changing the CN on before issuing? as during the migration from 2003 to 2008 we are now left with & this means my mobile device will not communicate with the server as the server is sending out and the certificate is issued as

  • Hi Scotty,

    Either you need to update your public DNS records to point to the domain name that you want to use, or you need to issue a new certificate with the correct name. Run the Internet Address Management Wizard and change your public domain name (if you are using a partner registrar, your public DNS records will be updated by the wizard):

    If you are currently using a 3rd party trusted certificate, then you will need to run the Add Trusted Certificate Wizard next:

  • I can't get the right certificate to be used for IMAP and POP3...

    The certificate was normally available in the certificate wizard, but I enabled IMAP+POP3 after running that wizard.

    It always comes with a certificate signed by the <company>-<server>-CA

    Output of Enable-ExchangeCertificate :

    [PS] C:\Windows\System32>Enable-ExchangeCertificate -Thumbprint A8AFA66409E84FC
    977E13F31DA4C865B94E7F86 -Services "POP, IMAP, IIS, SMTP"
    WARNING: This certificate will not be used for external TLS connections with an
    FQDN of '' because the CA-signed certificate with
    thumbprint 'D02EFE51B7A2AE52DC0EC8D398782212D4454F88' takes precedence. The
    following connectors match that FQDN: Windows SBS Internet Receive SBS.

    Overwrite existing default SMTP certificate,
    'D02EFE51B7A2AE52DC0EC8D398782212D4454F88' (expires 1/5/2012 11:16:03 PM), with
    certificate 'A8AFA66409E84FC7977E13F31DA4C865B94E7F86' (expires 3/5/2012
    12:59:59 AM)?
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help

    Thumbprint                                Services   Subject
    ----------                                --------   -------
    D02EFE51B7A2AE52DC0EC8D398782212D4454F88  IP..S
    1F08FB4FFF4BC9F1C83A991E1B006AC19502AB98  .....      CN=WMSvc-WIN-89FFDODTUY0
    F2334F168571E4BB1EEEBFE36C01FD6178301D4C  ....S      CN=SBS.domain.local
    4E4B32683943603B2B0D30F7ADA72D54DF81227D  ....S      CN=Sites
    07298E0B98C552E82FCA2A3E313FAFFFA990ADAB  .....      CN=domain-SBS-CA
    A8AFA66409E84FC7977E13F31DA4C865B94E7F86  IP.WS,...

    What am I doing wrong here ?

    Note that the last Thumbprint is my bought certificate, signed by Thawte.

  • I have installed SBS2008 in my company.  When I try to start an RWW session, I get an error, saying the address isn't correct.  I have the following situation:

    My website is hosted by my ISP, so in the Internet Address wizard of SBS I entered as my Internet address.  SBS doesn't have to configure my website.

    The SBS2008 is connected with internet via a dynamic IP address (normal ADSL line).

    I use Dyndns (address to follow my server's internet IP address.  So, when I try to connect to the network, I type the following address:

    The name on the certificate is

    Can I enter "" as an alternative name in the certificate, or is there a simple work-around?


  • Hi Wouter de Jong,

    You are not selecting "Yes" or "Yes to All" when presented with the task of overwriting the existing certificate that was created by the internal CA.  Not until you do this will your Thawte certificate be bound to IIS, SMTP, POP, and IMAP.

  • Hi Mark VHB,

    To do this properly, you should run the IAMW again and choose a prefix such as mail or remote instead of local. Then register your records under the zone.