Creativeminds

Exchange 2007 not recognising CA certificate for pop or imap

Got some issues in getting Exchange 2007 to allow CA certs to be used with certain services. Self-signed certs created on the server run fine with the services in question, POP and IMAP. Using the shell command to generate a request and import the certificate works fine. Enabling for the services, no errors. The certificate appears correctly in IIS7 and with the command get-exchangecertificate. I add the X.509 name of the certificate to the properties of IMAP or POP but I get this error in Event Viewer and any POP or IMAP connections are denied:

The POP service failed to connect using SSL or TLS encryption.  A valid certificate is not configured to respond to SSL/TLS connections.  Check the configured hostname as well as which certificates are installed in the Personal Certificates store of the Computer.

If I do the same process, using a self-signed created in shell, the connection works fine.
Outlook Anywhere works fine, as does OWA, with a certificate from the CA. I created another one from the CA just to eliminate errors but the same thing occurs. Prompt help welcomed with open arms!
Megazzilla

I hope this checklist will help you ("How to use SSL Certificates with Exchange 2007"):

http://www.sslshopper.com/article-how-to-use-ssl-certificates-with-exchange-2007.html

If you run get-exchangecertificate, are POP (P) and IMAP (I) enabled for your commercial certificate?

Should look something like this:

DXXXXXXXXXXXXXXXXXXXXXXXXXXX  IPUWS      CN=mail.example.com, OU

-M
Creativeminds

ASKER

Thanks Megazzilla, I followed something the same as that.

Mestha, yes the services are enabled.

Have you tried disabling the services for that certificate and then changing the name on the IMAP/POP setting? Then restart the MS Exchange transport service. Then change it back?

-M

Will try that now. Does it matter if the POP/IMAP services are enabled on more than one certificate? Currently have 2 certs from CAs. The original one that has multi SANs and the one that I created today to troubleshoot. So, get-exchangecertificate looks like:

Thumbprint                                Services   Subject
----------                                --------   -------
6F5xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx4E8FB8D2  IP...      CN=mail.domain.co....
2C0xxxxxxxxxxxxxxxxxxxxxxxxxxxxx2BFE96B47  IP.WS      CN=www.kdomain.co.u...

It may well be causing a problem and I would certainly look to disable those services and then restart Transport Service.

-M
Found this in the event viewer on the server:

Microsoft Exchange couldn't find a certificate that contains the domain name mail.domain.co.uk in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default MAIL with a FQDN parameter of mail.domain.co.uk. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

The Outlook Web Access and Outlook Anywhere SSL works without issue for the assigned certificate.

Ok, removed those services, changed the POP3 and IMAP properties, restarted the Transport service. Put the settings back. Same result.

Last time I saw this I had to remove all of the certificates using Certificates MMC, then restart the Exchange server. Exchange should then generate its own certificate (as you cannot run Exchange 2007 without some kind of SSL certificate). I was then able to put the certificate back in again. It was messy and I never really found what the original problem was. I suspected the certificate store had an issue.

-M
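
The checks discussed in the replies above (is the service enabled on the certificate, does the configured X.509 name appear on an installed certificate, is the service enabled on more than one certificate) can be gathered in one pass. This is an added example and not part of the original thread; it assumes the Exchange Management Shell on Exchange 2007 SP1 or later, where Get-PopSettings and Get-ImapSettings expose X509CertificateName, and it only does exact name matching (no wildcard handling).

```powershell
# Added example; run in the Exchange Management Shell on the affected server.
# Assumes Get-PopSettings / Get-ImapSettings are available (Exchange 2007 SP1+).
$certs = @(Get-ExchangeCertificate)
$now   = Get-Date

foreach ($proto in 'POP', 'IMAP') {
    if ($proto -eq 'POP') { $settings = Get-PopSettings } else { $settings = Get-ImapSettings }
    $name = $settings.X509CertificateName
    Write-Host ""
    Write-Host "$proto X509CertificateName: $name"

    # How many installed certificates have this service enabled at all?
    $enabled = @($certs | Where-Object { $_.Services.ToString() -match $proto })
    Write-Host "  certificates with $proto enabled: $($enabled.Count)"

    # Certificates whose subject CN or SAN list contains the configured name.
    $candidates = @($certs | Where-Object {
        @($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $name
    })
    if ($candidates.Count -eq 0) {
        Write-Host "  no installed certificate lists '$name' as a domain"
        continue
    }

    # For each name match, report why the service might still refuse to use it.
    foreach ($c in $candidates) {
        $problems = @()
        if ($c.Services.ToString() -notmatch $proto) { $problems += "$proto not enabled" }
        if (-not $c.HasPrivateKey)                   { $problems += 'no private key' }
        if ($c.NotAfter -lt $now)                    { $problems += 'expired' }
        if ($c.NotBefore -gt $now)                   { $problems += 'not yet valid' }
        if ($problems.Count -eq 0) { $state = 'OK' } else { $state = [string]::Join(', ', $problems) }
        Write-Host "  $($c.Thumbprint)  $state"
    }
}
```

The script only reads configuration; it changes nothing on the server.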
ASKER CERTIFIED SOLUTION
Creativeminds