jpletcher1 asked:
Replacing certificate on Exchange 2010 with wildcard cert

We've had our Exchange 2010 server up for about two years now, and our UCC cert is expiring.  I purchased a wildcard cert to start using for all our cert needs.  I'm having a few issues.  

1.  I'm confused by which certificate is used for what.  I attached part of the output from the Get-ExchangeCertificate command.  How are there 4 certificates assigned to SMTP?  How are there two assigned to POP and IMAP?  I would think you could only have one show up at a time for each service?

2.  When I try to assign the new wildcard cert to all the services, it asks me if I want to enforce SSL on the IIS root, but we do redirect for http, so I would expect I should answer no to that?  I select no, and then I get this error (I replaced our actual server, domain and thumbprints):

Warning:
This certificate will not be used for external TLS connections with an FQDN of 'servername.com because the CA-signed certificate with thumbprint 'xxxx' takes precedence. The following receive/send connectors match that FQDN: Default servername, Client servername.

Warning:
This certificate with thumbprint xxxx and subject '*.domainname.com' cannot used for POP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-POPSettings to set X509CertificateName to the FQDN of the service.

Warning:
This certificate with thumbprint xxxx and subject '*.domainname.com' cannot used for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-IMAPSettings to set X509CertificateName to the FQDN of the service.

Exchange Management Shell command completed:
Enable-ExchangeCertificate -Server 'servername' -Services 'IMAP, POP, IIS, SMTP' -Thumbprint 'xxxx'

I'm somewhat lost here.
Attachment: exchange.JPG
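Added example, not code from the thread or the asker: the Exchange Management Shell steps that address the three warnings quoted above, assuming the wildcard covers *.domainname.com, clients connect to mail.domainname.com, and the thumbprint is a placeholder.

```powershell
# Added example, not from the original thread. Assumptions: the wildcard covers
# *.domainname.com, clients connect to mail.domainname.com, and the thumbprint
# is a placeholder for the value shown by Get-ExchangeCertificate.
$Thumbprint  = 'REPLACE-WITH-WILDCARD-THUMBPRINT'   # placeholder
$ServiceFqdn = 'mail.domainname.com'                # assumed host name under the wildcard
$Server      = $env:COMPUTERNAME

# X.509 wildcard matching: the asterisk stands for exactly one DNS label.
function Test-CertDomainMatch([string]$Name, [string]$Pattern) {
    if ($Pattern.StartsWith('*.')) {
        return $Name -match ('^[^.]+' + [regex]::Escape($Pattern.Substring(1)) + '$')
    }
    return $Name -eq $Pattern
}

# 1. Which certificate does each service actually present? Several certificates
#    can carry the SMTP flag at once; for TLS on a connector Exchange uses the
#    one whose domains match the connector FQDN (CA-signed before self-signed),
#    so the Services column alone does not show which certificate clients see.
Get-ExchangeCertificate -Server $Server |
    Select-Object Thumbprint, Services, IsSelfSigned, NotAfter,
        @{ n = 'Domains'; e = { $_.CertificateDomains -join ',' } } |
    Format-Table -AutoSize

# 2. A connector FQDN that the wildcard does not cover (a bare host name, or the
#    registrable domain itself) keeps using the old certificate that names it.
$wild = Get-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint
$connectorFqdns = @(Get-ReceiveConnector -Server $Server) + @(Get-SendConnector) |
    Where-Object { $_.Fqdn } | ForEach-Object { $_.Fqdn.ToString() } | Sort-Object -Unique
foreach ($fqdn in $connectorFqdns) {
    $ok = @($wild.CertificateDomains | Where-Object { Test-CertDomainMatch $fqdn $_ }).Count -gt 0
    if ($ok) { "$fqdn is covered by the wildcard" } else { "$fqdn is NOT covered by the wildcard" }
}

# 3. POP and IMAP reject a wildcard subject, so give them the exact FQDN to present.
Set-POPSettings  -Server $Server -X509CertificateName $ServiceFqdn
Set-IMAPSettings -Server $Server -X509CertificateName $ServiceFqdn

# 4. Enable the certificate. -DoNotRequireSsl is the scripted "no" to the prompt
#    about requiring SSL on the default web site, so an HTTP redirect keeps working.
Enable-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint `
    -Services 'IIS,SMTP,POP,IMAP' -DoNotRequireSsl

# 5. POP and IMAP read X509CertificateName at start-up; restart them if running.
foreach ($svc in 'MSExchangePOP3', 'MSExchangeIMAP4') {
    if ((Get-Service $svc).Status -eq 'Running') { Restart-Service $svc }
}
```

Run step 1 and 2 first on their own; they only read configuration, while steps 3 to 5 change it.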
Minoru7:
Have you installed the Root and Intermediate certificates on Exchange?  When looking at the cert in the EMC > Server Configuration, does the cert show that it has been enabled?  It'll be obvious because the cert will show with a red X icon otherwise.
Also, take a look at this thread:  http://www.tek-tips.com/viewthread.cfm?qid=1592975.
jpletcher1 (asker):
The wildcard provider is the same cert provider as our UCC cert and all the chain is in place and valid.
SOLUTION (Minoru7)
How can the different services show up on multiple certs?  I have four different certs that claim they are attached to the SMTP service, and two certs claiming they are on the IMAP and POP service?  

When it asks me whether I want to enforce SSL on the IIS root, I assume I should select no, since I do HTTP redirect?  If I choose no, I think it wants me to do it manually with commands rather than use the GUI.
SOLUTION
ASKER CERTIFIED SOLUTION (davorin)
And you will also need to change the Outlook Anywhere settings:
http://www.windowsinfo.eu/?p=236
I called DigiCert and told them I want to dump the wildcard cert and go back to a UC cert.  They gave me a UC cert with 10 SANs, which price-wise is about the same cost as what we paid for the wildcard cert, and they also let us keep the wildcard cert as well.  I'm just going to go with the UC cert for OCS and Exchange and leave the wildcard cert in place for some of the other things we've set it up for.
Thanks for the feedback.
No problem, I'll take the points, thanks.