Solved

Exchange 2007 not recognising CA certificate for pop or imap

Posted on 2009-02-19
Last Modified: 2012-05-06
Got some issues in getting Exchange 2007 to allow CA certs to be used with certain services. Self-signed certs created on the server run fine with the services in question, POP and IMAP. Using the shell command to generate a request and import the certificate works fine. Enabling for the services, no errors. The certificate appears correctly in IIS7 and with the command get-exchangecertificate. I add the X.509 name of the certificate to the properties of IMAP or POP but I get this error in Event Viewer and any POP or IMAP connections are denied:

The POP service failed to connect using SSL or TLS encryption.  A valid certificate is not configured to respond to SSL/TLS connections.  Check the configured hostname as well as which certificates are installed in the Personal Certificates store of the Computer.

If I do the same process, using a self-signed created in shell, the connection works fine.
Outlook Anywhere works fine, as does OWA, with a certificate from the CA. I created another one from the CA just to eliminate errors but the same thing occurs. Prompt help welcomed with open arms!
Question by:Creativeminds

Expert Comment

by:Megazzilla
ID: 23683013
I hope this checklist will help you ("How to use SSL Certificates with Exchange 2007"):

http://www.sslshopper.com/article-how-to-use-ssl-certificates-with-exchange-2007.html
 
LVL 65

Expert Comment

by:Mestha
ID: 23683271
If you run get-exchangecertificate, are POP (P) and IMAP (I) enabled for your commercial certificate?

Should look something like this:

DXXXXXXXXXXXXXXXXXXXXXXXXXXX  IPUWS      CN=mail.example.com, OU

-M
 

Author Comment

by:Creativeminds
ID: 23683318
Thanks Megazilla, I followed something the same as that.

Mestha, yes the services are enabled.
 
LVL 65

Expert Comment

by:Mestha
ID: 23683380
Have you tried disabling the services for that certificate and then changing the name on the IMAP/POP setting. Then restart the MS Exchange transport service. Then change it back?

-M
 

Author Comment

by:Creativeminds
ID: 23684435
Will try that now. Does it matter if the POP/IMAP services are enabled on more than one certificate? Currently have 2 certs from CAs. The original one that has multi SANs and the one that I created today to troubleshoot. So, get-exchangecertificate looks like:

Thumbprint                                Services   Subject
----------                                --------   -------
6F5xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx4E8FB8D2  IP...      CN=mail.domain.co....
2C0xxxxxxxxxxxxxxxxxxxxxxxxxxxxx2BFE96B47  IP.WS      CN=www.kdomain.co.u...
 
LVL 65

Expert Comment

by:Mestha
ID: 23684720
It may well be causing a problem and I would certainly look to disable those services and then restart Transport Service.

-M
 

Author Comment

by:Creativeminds
ID: 23684835
Found this in the event viewer on the server:

Microsoft Exchange couldn't find a certificate that contains the domain name mail.domain.co.uk in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default MAIL with a FQDN parameter of mail.domain.co.uk. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

The Outlook Web Access and Outlook Anywhere SSL works without issue for the assigned certificate.
 

Author Comment

by:Creativeminds
ID: 23684979
OK, removed those services, changed the POP3 and IMAP properties, restarted the Transport service. Put the settings back. Same result.
 
LVL 65

Expert Comment

by:Mestha
ID: 23694034
Last time I saw this I had to remove all of the certificates using Certificates MMC, then restart the Exchange server. Exchange should then generate its own certificate (as you cannot run Exchange 2007 without some kind of SSL certificate). I was then able to put the certificate back in again. It was messy and I never really found what the original problem was. I suspected the certificate store had an issue.

-M
 

Accepted Solution

by:Creativeminds
ID: 23706059
Well, found the issue after going through the full process of installing the CA certificate. Turns out the CA gave me the wrong intermediate certificate! Thanks for your help. Always the simplest of answers that are the best.
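
A chain check for the root cause named in the accepted solution, as an added example that is not part of the original thread: it builds the chain for one certificate in the computer's Personal store and prints each link, so a missing or mismatched intermediate shows up before the certificate is enabled for POP/IMAP. The thumbprint is a placeholder; take the real value from get-exchangecertificate.

```powershell
# Added example (not from the thread): verify that a certificate in
# LocalMachine\My chains to a trusted root through the installed intermediates.
param(
    # Placeholder: paste the thumbprint reported by get-exchangecertificate
    [string]$Thumbprint = '<THUMBPRINT-PLACEHOLDER>'
)

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    throw "No certificate with thumbprint $Thumbprint in LocalMachine\My"
}

# $true = build in machine context, which is how the Exchange services see it
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain $true
# Skip revocation so the result reflects chain building only
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

$ok = $chain.Build($cert)

# Walk leaf -> root: each element's Issuer should equal the next element's Subject
$i = 0
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    "[{0}] Subject: {1}" -f $i, $c.Subject
    "    Issuer : {0}" -f $c.Issuer
    foreach ($s in $element.ChainElementStatus) {
        "    Status : {0} - {1}" -f $s.Status, $s.StatusInformation.Trim()
    }
    $i++
}

if ($ok) {
    "Chain builds to a trusted root."
} else {
    "Chain did NOT validate:"
    $chain.ChainStatus | ForEach-Object { "  {0}" -f $_.Status }
    # PartialChain typically means the issuing intermediate is missing from,
    # or does not match what is installed in, the Intermediate
    # Certification Authorities store.
}

# A certificate without its private key cannot be used for TLS
"Private key present: {0}" -f $cert.HasPrivateKey
```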