Trying to figure out an odd problem. I have a Win 2012 R2 server with IIS 8.0 and have a WoSign SSL cert for SMTP TLS that is expiring. So I made a new Let’s Encrypt cert manually for the server.
Installed the cert, have the private key, and the SMTP virtual server in IIS will not see it. The check box to require TLS is greyed out.
The cert has only one name. The friendly name matches. I made sure the issued-to name matches the FQDN under Advanced settings in the SMTP virtual server. I have the cert in the Personal store, the Trusted Root store, and even put it in the SMTP service personal key store. Nothing works. Tried exporting the cert to a brand new 2012 R2 server set up the same way. Nothing.
If I create a simple self-signed cert through IIS, it sees it just fine.
Is it the 90-day issue that IIS doesn’t like? I have done a bunch of other certs and haven’t had a problem. Just this one with SMTP TLS is giving me trouble. I did try another SSL cert from another company that issues 90-day certs and it didn’t see that either.
Do you see something like this?:
Even if so, does it have the right expiration date?
If not, run MMC.exe and move the LE cert into the computer account\personal\cert folder:
Then move the WoSign cert out of that folder.
Restart IIS and recheck.
I do not see that. It is greyed out. The WoSign cert is gone and so is the self-signed cert. The only certs in the Personal folder are the Let’s Encrypt cert and 2 certs that Veeam uses.
Did you make sure the checkbox that says “Exportable” was checked when importing the certificate?
This is a common mistake: many people uncheck that box to prevent people from being able to retrieve the certificate and private key from Windows, but unfortunately it prevents IIS from retrieving it as well.
“Ports 25, 465, 587, 993 are all closed from Internet” Yes that is correct. I accept mail on non-standard ports from a mail filtering service. They send to me on port :xyz and I NAT to 25 internally.
Okay, this will probably be long winded, but here it goes.
Originally I was creating the CSR from MMC: Certificates, Personal, right-click, All Tasks, Advanced, Create Custom.
I would then choose Proceed without Enrollment Policy, click Next. Choose No Template - Legacy Key.
Request format: PKCS #10. Click Next. Click the down arrow next to Details. Click Properties. Give it a friendly name on the General tab. On the Subject tab give it the Common Name, Locality, etc. Go to the Private Key tab and choose Key options. Change the key size to 2048 and mark the key as exportable. Click OK, click Next. Give it a name and set it as base 64.
Then I would go to https://www.zerossl.com and do the Free SSL wizard. Fill in the email, let it generate the Let’s Encrypt key, choose DNS verification and paste the CSR. It would do the DNS check and give me the cert.
I would then import the cert into MMC Personal and then restart IIS. It would not be seen. I tried the same process with importing the cert only into IIS with Complete Certificate Request, and still it would not be seen.
I then tried creating the CSR from IIS itself, went through the same process with zerossl.com, completed the cert process in IIS, and it is now seen.
I am not sure what is happening in the CSR process that is different, or if it is even the CSR process that is doing it. But creating it all in IIS seems to be the magic touch, at least with an LE cert.
I have created certs using the create custom cert request before for IIS (not with an LE cert and not for SMTP TLS) and it worked just fine.
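The thread keeps circling the same handful of certificate properties: is the cert in the computer Personal store, does it have a linked private key, was that key marked exportable, and does the name match the SMTP virtual server's FQDN. As an added example (not code from anyone in this thread), the PowerShell below checks each of those for one cert in LocalMachine\My, plus two things worth ruling out that the thread does not settle: whether the cert carries the Server Authentication EKU, and whether the key sits in a CNG Key Storage Provider rather than a legacy CSP, which older components that enumerate keys through CryptoAPI cannot use. The FQDN and friendly name are placeholders; replace them with your own values.

```powershell
# Added example, not code from the original thread.
# Checks one LocalMachine\My certificate for the properties that decide whether a
# legacy service such as the IIS SMTP virtual server can offer it for TLS.
# ASSUMPTIONS: $ExpectedFqdn and $FriendlyName are placeholders, not values from the thread.

$ExpectedFqdn = 'mail.example.com'   # assumed: FQDN set under the SMTP virtual server's Advanced settings
$FriendlyName = 'LE SMTP cert'       # assumed: friendly name given in the CSR wizard

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $FriendlyName } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    Write-Warning "No certificate with friendly name '$FriendlyName' in LocalMachine\My."
    Write-Warning "Trusted Root or a user store does not count; the server cert must live in the computer Personal store."
    return
}

"Thumbprint      : $($cert.Thumbprint)"
"Subject         : $($cert.Subject)"
"Expires         : $($cert.NotAfter)"

# 1. Name check: CN and any DNS SANs against the FQDN the SMTP virtual server is configured with.
$cn = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', ''
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
$sans = @()
if ($sanExt) {
    # Format($false) renders the SAN as 'DNS Name=a, DNS Name=b'
    $sans = ($sanExt.Format($false) -split ',\s*') | ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() }
}
$nameOk = ($cn -eq $ExpectedFqdn) -or ($sans -contains $ExpectedFqdn)
"Name matches    : $nameOk (CN=$cn; SANs=$($sans -join ' '))"

# 2. Server Authentication EKU (1.3.6.1.5.5.7.3.1); without it the cert is not a TLS server cert.
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekuOk  = [bool]$ekuExt -and (($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains '1.3.6.1.5.5.7.3.1')
"Server Auth EKU : $ekuOk"

# 3. A private key actually linked to this cert. Importing only the issued .cer from the CA
#    does not link it; the link is made when the request is completed on the machine that
#    generated the CSR.
"Has private key : $($cert.HasPrivateKey)"

# 4. Key provider and exportability. certutil -store prints 'Provider = <name>' for the
#    linked key, 'Private key is NOT exportable' when the key was not marked exportable,
#    and 'Missing stored keyset' when no key is linked at all.
$ct = certutil -store My $cert.Thumbprint 2>&1 | Out-String
$provider = if ($ct -match 'Provider = (.+)') { $Matches[1].Trim() } else { '(none)' }
"Provider        : $provider"

if ($provider -like '*Key Storage Provider*') {
    Write-Warning "Key is in a CNG Key Storage Provider. Services that still enumerate keys through CryptoAPI cannot use it; re-request with a legacy (CSP) key, e.g. via IIS Manager or the 'Legacy Key' template option."
}
if ($ct -match 'Private key is NOT exportable') {
    Write-Warning "Private key is not exportable (the 'Exportable' box was not checked)."
}
elseif ($ct -match 'Missing stored keyset' -or -not $cert.HasPrivateKey) {
    Write-Warning "No private key is linked. If the CSR was generated on this machine, re-link it with: certutil -repairstore My $($cert.Thumbprint)"
}
else {
    "Exportable      : yes (no 'NOT exportable' flag reported)"
}

# After any change, restart the SMTP service (service name SMTPSVC), then re-open the
# virtual server's Access > Secure communication settings and check whether
# 'Require TLS encryption' is no longer greyed out.
# Restart-Service SMTPSVC
```

Run it in an elevated PowerShell on the SMTP host. The certutil parsing is deliberately loose (regex over the text output) because the cert provider's .PrivateKey property is unreliable for CNG keys on older .NET builds; if every line reports OK and the checkbox is still greyed out, the remaining variable is how the request was completed, which is consistent with the poster's finding that generating and completing the request entirely inside IIS Manager worked.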