IIS 7 and Above
Certificate button not present on the Access tab of the default SMTP...
Last post Sep 22, 2011 03:56 PM by Liface
Feb 15, 2009 11:20 AM|technomania|LINK
I am trying to set up the certificate for TLS for the default SMTP virtual server in IIS 6.0 Manager of Windows Server 2008.
But there is no Certificate button on the Access tab to launch the Certificate Wizard, as I have seen across numerous example instructions for configuring this in the original IIS 6.0 for Windows Server 2003 and 2000 default SMTP Virtual Server.
When I go to the Secure Communication section on the Access tab I get "TLS is not available without a certificate." as pictured below.
I'm stumped on what to do here. I've wasted hours creating a self-signed CA certificate using OpenSSL and configuring it in the Server Certificates feature in the IIS 7.0 Manager, only to discover that the SSL there is completely unrelated to the SSL used by the SMTP.
Is securing the IIS 6.0 default SMTP for TLS communication not possible in IIS 7? I haven't found any information related to that message I got above.
Sep 23, 2009 12:23 PM|JDM11|LINK
Did you ever resolve this? We are trying to set this up too but can't figure out how to do it.
Sep 23, 2009 08:58 PM|qbernard|LINK
Sep 25, 2009 03:44 PM|serverintellect_BM|LINK
When the IIS6 SMTP Server module looks for a certificate to use for TLS encryption, it seems to check the 'Local_Machine\my' store. I'm not sure where the OpenSSL certificate was placed by the system, but if it's not in the Personal certificates section, then the SMTP server won't be able to find it, and will therefore provide the error listed here.
If you have IIS7 installed on this server, the easiest way to go about securing this would be to select the 'Server' node in the IIS7 manager, select 'Certificates', and 'Create a self-signed certificate...'. This will place a copy of the certificate in both the 'Local_Machine\my' store, as well as the Trusted Roots store.
I ran through a quick test of this: clearing out the Personal store provided the error mentioned above, but reloading the 'Properties' of the SMTP server after creating the self-signed certificate through IIS showed the certificate present, and allowed it to be secured.
Hope this helps!
Note: To check what's in a given certificate store, load up MMC (mmc.exe in the 'Run' box), under 'File', select 'Add/Remove Snap-in'. Under the snap-in list, select 'Certificates', and then choose Local Machine. Once back at the MMC listing, under certificates, you can check 'Personal\Certificates' to see its content.
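The store check described in the note above can also be scripted. The following is an added example, not part of any post in this thread: it lists what is in the local machine Personal store and flags entries that cannot serve as a TLS server certificate. The checks for a private key, validity dates and the Server Authentication EKU are general TLS requirements assumed here, not behaviour the thread confirms for the SMTP service.

```powershell
# Added example: audit Cert:\LocalMachine\My (shown as Personal\Certificates
# in the MMC snap-in) for certificates usable as a TLS server certificate.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # OID of the Server Authentication EKU
$now = Get-Date

$certs = @(Get-ChildItem -Path Cert:\LocalMachine\My)
if ($certs.Count -eq 0) {
    Write-Output 'Cert:\LocalMachine\My is empty: no certificate is available in the Personal store.'
}

foreach ($cert in $certs) {
    # Collect the EKU OIDs, if the certificate carries an EKU extension at all.
    $eku = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    $problems = @()
    # A certificate imported without its key (for example only the .crt/.cer
    # file produced by OpenSSL) cannot be used by a TLS server.
    if (-not $cert.HasPrivateKey) { $problems += 'no private key' }
    if ($cert.NotBefore -gt $now) { $problems += 'not yet valid' }
    if ($cert.NotAfter  -lt $now) { $problems += 'expired' }
    # No EKU extension means "all purposes"; only flag an EKU that omits server auth.
    if ($eku.Count -gt 0 -and $eku -notcontains $serverAuthOid) {
        $problems += 'EKU does not include Server Authentication'
    }
    if ($problems.Count -eq 0) { $status = 'OK' } else { $status = $problems -join '; ' }

    $cert | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey,
        @{ Name = 'Status'; Expression = { $status } } | Format-List
}
```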
Sep 22, 2011 03:56 PM|Liface|LINK
Thank you, serverintellect_BM.
One aspect not mentioned in the post is that you must restart IIS for the certificate to be found in the SMTP properties. After you do that, you get the message "A TLS certificate is found with expiration date: ".