Exchange 2007 not recognising CA certificate for pop or imap

Got some issues in getting Exchange 2007 to allow CA certs to be used with certain services. Self-signed certs created on the server run fine with the services in question, POP and IMAP. Using the shell command to generate a request and import the certificate works fine. Enabling for the services, no errors. The certificate appears correctly in IIS7 and with the command get-exchangecertificate. I add the X.509 name of the certificate to the properties of IMAP or POP but I get this error in Event Viewer and any POP or IMAP connections are denied:

The POP service failed to connect using SSL or TLS encryption.  A valid certificate is not configured to respond to SSL/TLS connections.  Check the configured hostname as well as which certificates are installed in the Personal Certificates store of the Computer.

If I do the same process, using a self-signed certificate created in the shell, the connection works fine.
Outlook Anywhere works fine, as does OWA, with a certificate from the CA. I created another one from the CA just to eliminate errors but the same thing occurs. Prompt help welcomed with open arms!
Creativeminds Asked:
 
Creativeminds Author Commented (accepted solution):
Well, found the issue after going through the full process of installing the CA certificate. Turns out the CA gave me the wrong intermediate certificate! Thanks for your help. Always the simplest of answers that are the best.
0
 
Megazzilla Commented:
I hope this checklist will help you ("How to use SSL Certificates with Exchange 2007"):

http://www.sslshopper.com/article-how-to-use-ssl-certificates-with-exchange-2007.html
0
 
Mestha Commented:
If you run get-exchangecertificate, are POP (P) and IMAP (I) enabled for your commercial certificate?

Should look something like this:

DXXXXXXXXXXXXXXXXXXXXXXXXXXX  IPUWS      CN=mail.example.com, OU

-M
0
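The checks Mestha asks for (which services a certificate is enabled for, and whether the configured X.509 name matches it), plus the chain check that would have exposed the wrong intermediate certificate the thread ends on, as an added PowerShell example that is not part of the original thread. It assumes an Exchange 2007 Management Shell session on the server; the thumbprint is a placeholder, and the string conversion of CertificateDomains is an assumption about how that property compares:

```powershell
# Added example, not from the original thread. Assumes an Exchange 2007 Management
# Shell session. Replace the placeholder thumbprint with the one from
# Get-ExchangeCertificate.
$Thumbprint = "THUMBPRINT-PLACEHOLDER"

# 1. Which certificates are enabled for POP and IMAP? A certificate that shows
#    P and I in the Services column of Get-ExchangeCertificate matches here.
Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'POP' -or "$($_.Services)" -match 'IMAP' } |
    Format-List Thumbprint, Services, Subject, CertificateDomains, NotAfter

# 2. Does the X.509 name configured on the POP/IMAP settings appear in the
#    certificate's subject/SAN list? Exchange needs an exact hostname match, and a
#    mismatch here produces the "valid certificate is not configured" event.
$cert     = Get-ExchangeCertificate -Thumbprint $Thumbprint
$domains  = $cert.CertificateDomains | ForEach-Object { "$_" }   # assumption: compare as strings
$popName  = (Get-POPSettings).X509CertificateName
$imapName = (Get-IMAPSettings).X509CertificateName
foreach ($name in @($popName, $imapName)) {
    if ($domains -contains $name) {
        "OK: '$name' is covered by certificate $Thumbprint"
    } else {
        "MISMATCH: '$name' is not in CertificateDomains: $($domains -join ', ')"
    }
}

# 3. Can the local machine build a trusted chain for the certificate? A missing or
#    wrong intermediate certificate shows up here as PartialChain or UntrustedRoot
#    even though the leaf certificate itself looks fine in IIS and the shell.
$storeCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($storeCert)) {
    "Chain OK:"
    $chain.ChainElements | ForEach-Object { "  " + $_.Certificate.Subject }
} else {
    "Chain FAILED:"
    $chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation.Trim())" }
}

# 4. Only once steps 2 and 3 pass, (re)enable the services on this certificate and
#    restart the POP3/IMAP4 services so they pick it up.
# Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services "POP,IMAP"
# Restart-Service MSExchangePOP3, MSExchangeIMAP4
```

Run step 3 on the server itself rather than a workstation: the chain has to build from the computer's own Intermediate Certification Authorities store, which is where the wrong intermediate would have been installed.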

 
Creativeminds Author Commented:
Thanks Megazzilla, I followed something the same as that.

Mestha, yes the services are enabled.
0
 
Mestha Commented:
Have you tried disabling the services for that certificate and then changing the name on the IMAP/POP setting. Then restart the MS Exchange transport service. Then change it back?

-M
0
 
Creativeminds Author Commented:
Will try that now. Does it matter if the POP/IMAP services are enabled on more than one certificate? Currently have 2 certs from CAs: the original one that has multiple SANs and the one that I created today to troubleshoot. So, get-exchangecertificate looks like:

Thumbprint                                Services   Subject
----------                                --------   -------
6F5xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx4E8FB8D2  IP...      CN=mail.domain.co....
2C0xxxxxxxxxxxxxxxxxxxxxxxxxxxxx2BFE96B47  IP.WS      CN=www.kdomain.co.u...
0
 
Mestha Commented:
It may well be causing a problem and I would certainly look to disable those services and then restart Transport Service.

-M
0
 
Creativeminds Author Commented:
Found this in the Event Viewer on the server:

Microsoft Exchange couldn't find a certificate that contains the domain name mail.domain.co.uk in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default MAIL with a FQDN parameter of mail.domain.co.uk. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

The Outlook Web Access and Outlook Anywhere SSL works without issue for the assigned certificate.
0
 
Creativeminds Author Commented:
OK, removed those services, changed the POP3 and IMAP properties, restarted the Transport service. Put the settings back. Same result.
0
 
Mestha Commented:
Last time I saw this I had to remove all of the certificates using Certificates MMC, then restart the Exchange server. Exchange should then generate its own certificate (as you cannot run Exchange 2007 without some kind of SSL certificate). I was then able to put the certificate back in again. It was messy and I never really found what the original problem was. I suspected the certificate store had an issue.

-M
0