2012 r2 iis 8.0 smtp tls


Trying to figure out an odd problem. I have a Win 2012 R2 server with IIS 8.0 and have a WoSign SSL cert for SMTP TLS that is expiring. So I made a new Let’s Encrypt cert manually for the server.
Installed the cert, have the private key and the SMTP virtual server in IIS will not see it. The check box to require TLS is greyed out.
The cert is only 1 name. The Friendly name matches. I made sure the issued to name matches the FQDN under advanced settings in the SMTP Virtual server. I have the cert in the personal store, the trusted root store and even put it in the SMTP service personal key store. Nothing works. Tried exporting the cert to a brand new 2012 R2 server setup the same way. Nothing.

If I create a simple self-signed cert through IIS, sees it just fine.

Is it the 90 day issue that IIS doesn’t like? I have done a bunch of other certs and haven’t had a problem. Just this one with SMTP TLS is giving me trouble. I did try another SSL cert from another company that issues 90 day certs and it didn’t see that either.

Any ideas? Happy to provide additional info.


In IIS Manager verify that the FQDN matches the cert name:


Yes made sure it matches. Restarted IIS after. Copied and pasted the FQDN right out of the cert to make sure.

Do you see something like this?:
Even if so, does it have the right expiration date?

If not, run MMC.exe and move the LE cert into the computer account\personal\cert folder:
Then move the WoSign cert out of that folder.
Restart IIS and recheck.

I do not see that. It is greyed out. The WoSign cert is gone and so is the self signed cert. The only cert in the personal folder is the Let’s Encrypt cert and 2 certs that Veeam uses.SSL1

The grey means it can’t find a cert to match it’s FQDN.

That’s my problem. They match. There is something else going on in IIS.

I think you’re probably missing something obvious.
So, I would like to see it for myself.
As always: four eyes are better than two :slight_smile:

If you can, please show more details; like the MMC folder and FQDN name.

Agreed :slight_smile:


Does clicking the “Check DNS” button return “The domain name is valid.”?
Are you also running a web service?

Check DNS says the domain name is valid. No, just the SMTP service.

The only thing I can think is that maybe the cert is “incomplete”.
Try deleting it and then recreate the PFX file with the full chain.

No luck. The chain shows good.

I'd like to go over that process.
Please detail it as best you can.

Did you make sure the checkbox that says “Exportable” was checked when importing the certificate?

This is a common mistake: many people uncheck that box to prevent people from being able to retrieve the certificate and private key from Windows, but unfortunately it prevents IIS from retrieving it as well.

I think I may have it working. I need to step away for a bit, but I will come back and explain what I did differently.

I don’t think you got it working yet:

A. Ports 25, 465, 587, 993 are all closed from Internet.

B. I thought you said it wasn’t running a webserver?:

And which doesn’t even have an LE cert:

So, are you working on the server that is accessible form the Internet?

“Ports 25, 465, 587, 993 are all closed from Internet” Yes that is correct. I accept mail on non-standard ports from a mail filtering service. They send to me on port :xyz and I NAT to 25 internally.

The FQDN Silverthorne.telluridenetworks.com is strictly for SMTP TLS, but it shares its IP with mail.telluridenetworks.com which is what you are getting the IIS page for. Different beast and it works fine.

Ok that all makes sense.
I’m interested on how you got it working.

Okay, this will probably be long winded, but here it goes.

Originally I was creating the CSR from MMC, Certificates, Personal, right click, All Tasks, Advanced, Create Custom.
I would then choose Proceed without Enrollment Policy, click next. Choose No Template - Legacy Key.
Request format with PKCS #10. Click next. Click down arrow next to details. Click properties. Give it a friendly name on the general tab. Click on subject tab give it the Common Name, Locality etc. Go to private key tab and choose key options. Change key size to 2048 and mark the key as exportable. Click ok, click next. Give it a name and set it as a base 64 key.

Then I would go to https://www.zerossl.com and do the Free SSL wizard. Fill in email, let it generate the Let’s Encrypt key and choose DNS verification and paste the CSR. It would do the DNS check and give me the cert.

I would then import the cert into MMC Personal and then restart IIS. It would not be seen. I tried the same process with importing the cert only into IIS with the complete certificate request and still it would not be seen.

I then tired creating the CSR from IIS itself and went through the same process with zerossl.com and completed the cert process with IIS and it is now seen.

I am not sure what is happening in the CSR process that is different or if it is even the CSR process that is doing it. But creating it all in IIS seems to be the magic touch at least with an LE cert.

I have created certs using the create custom cert request before for IIS (not with an LE cert and not for SMTP TLS) and it worked just fine.