Solved

Exchange 2013 and Wildcard Certificate

Posted on 2013-12-03
Last Modified: 2016-10-24
Hello,

In my Exchange 2013 installation I want to enable POPS and IMAPS for secure communication between clients and server.

I have imported a wildcard certificate. I use this for Autodiscover and OWA and it works perfectly.

When I try to enable the certificate for IMAP and POP I get the error:

This certificate with thumbprint FFED997A46629A5BF6F802C9AB22CE5134ED7E82 and subject '*.domain.net' cannot used for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-IMAPSettings to set X509CertificateName to the FQDN of the service.

I want to use mail.domain.net as the hostname for POP and IMAP, so I go to Servers and set the FQDN of the X509 certificate to mail.domain.net. I then try again to enable the certificate for IMAP and POP, but I get the same error.

Any ideas?


Thanks
Question by:Anestis Psomas
20 Comments

Expert Comment

by:Sean
ID: 39692414
Once you import your cert you will need to set the POP and IMAP settings in the shell.

What you need to do is open the Exchange Management Shell and enter these commands:

Set-PopSettings -X509CertificateName mail.domain.com
Set-ImapSettings -X509CertificateName mail.domain.com

Obviously you need to change the mail.domain.com part to your domain, but this will bind your cert. If you get any errors please let me know.

Author Comment

by:Anestis Psomas
ID: 39692419
Hello to all,

I have already run the Set-Pop and Set-Imap commands for the X509 certificate name for mail.domain.com.

But it is still not working after I try to bind the certificate to the services, because as I said I have a wildcard certificate *.domain.com, and when I'm trying to bind the certificate I get the same error that the subject is not a fully qualified domain name.

Expert Comment

by:Sean
ID: 39692422
You will not need to bind it that way; the only thing you need to do is use the Set-Pop command. It will always fail if you try to use the Enable-Cert command for POP and IMAP.

Author Comment

by:Anestis Psomas
ID: 39692492
OK, so I have used only Set-Pop and Set-Imap. I restarted services on all my servers. When I try to connect it connects successfully, but I get a security warning that the certificate is not trusted, because it gives me the internal certificate of the server and not the certificate from GoDaddy.

Any ideas?

Expert Comment

by:Sean
ID: 39692503
Try this:
    Enable-ExchangeCertificate -Thumbprint XXXXXXXXXX -Services POP,IMAP,IIS
    Set-ImapSettings -Server CAS01 -X509CertificateName imap.domain.com
    Set-PopSettings -Server CAS01 -X509CertificateName pop.domain.com
    # Restart the POP and IMAP services (Exchange 2013 also runs the *BE back-end services)
    Restart-Service MSExchangePOP3, MSExchangePOP3BE, MSExchangeIMAP4, MSExchangeIMAP4BE

Author Comment

by:Anestis Psomas
ID: 39692623
Still the same problem.
Author Comment

by:Anestis Psomas
ID: 39692703
Do I also need to import the certificate on my load balancer?

Expert Comment

by:Sean
ID: 39692762
No, the load balancer does not normally do any authentication. When you get the security warning it should show what cert it is pulling and what server it's getting it from. If you have more than one CAS server, have you run the commands with both CAS servers set?

Author Comment

by:Anestis Psomas
ID: 39692776
Hello,

I have run the commands on both my servers. I also restarted them just to be sure.

The security warning shows my CAS01, and just to be sure I dropped it from the load balancer, but I get the same warning from CAS02. This is so strange....

Expert Comment

by:Sean
ID: 39692794
Can you do a Get-ExchangeCertificate and make sure that your new cert has POP and IMAP assigned to it?
Author Comment

by:Anestis Psomas
ID: 39692852
Hi,

But we said we cannot assign the certificate because it's a wildcard. We only ran Set-Pop and Set-Imap for the X509CertificateName. If I try to assign it I get the error:

WARNING: This certificate with thumbprint FFED997A46629A5BF6F802C9AB22CE5134ED7E82 and subject '*.domain.net'
cannot used for POP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command
Set-POPSettings to set X509CertificateName to the FQDN of the service.


A few posts back you wrote: "You will not need to bind it that way, the only thing you need to do is use the set-pop command. It will always fail if you try to use the enable-cert command for pop and imap."

Thanks for your help

Expert Comment

by:Sean
ID: 39692931
Sorry, you are correct, I'm still stuck on 2010 :) With that it won't work that way. Did you restart the POP and IMAP services after you did the Set-Pop and Set-Imap?
Author Comment

by:Anestis Psomas
ID: 39692939
No problem!

Yes, I have restarted them. I also restarted all servers. But it still gives me the internal certificate.

Accepted Solution

by:Sean (earned 500 total points)
ID: 39692960
Hmm, the only thing I can think of is to remove the self-signed cert just to get it out of the way... otherwise the steps I have been suggesting have always worked for me.
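An added example, not code from this thread, that puts the steps discussed above into one Exchange Management Shell script: it sets X509CertificateName for POP and IMAP on every CAS, restarts the front-end and back-end services, and then opens a TLS connection to each CAS directly on ports 995 and 993 to report which certificate is actually presented, which is how a lingering self-signed certificate being served instead of the wildcard would show up. The thumbprint value is a placeholder and mail.domain.net stands for the service name from the question.

```powershell
# Added example, not code from this thread. Run in the Exchange Management Shell.
# $Thumbprint is a placeholder for the wildcard cert's thumbprint from Get-ExchangeCertificate.
$Thumbprint  = 'PLACEHOLDER-THUMBPRINT'
$ServiceFqdn = 'mail.domain.net'          # hostname POP/IMAP clients connect to

# Sanity check: the wildcard must cover the parent domain of the service FQDN
$cert    = Get-ExchangeCertificate -Thumbprint $Thumbprint
$wild    = '*.' + ($ServiceFqdn -replace '^[^.]+\.', '')
$domains = $cert.CertificateDomains | ForEach-Object { $_.ToString() }
if ($domains -notcontains $wild) { throw "Certificate $Thumbprint does not cover $ServiceFqdn" }

# A wildcard cert cannot be bound with Enable-ExchangeCertificate -Services POP,IMAP,
# so set the FQDN on the protocol settings of every CAS instead, then restart the
# front-end and back-end (*BE) POP/IMAP services on each one.
$casServers = Get-ClientAccessServer | Select-Object -ExpandProperty Name
foreach ($cas in $casServers) {
    Set-PopSettings  -Server $cas -X509CertificateName $ServiceFqdn
    Set-ImapSettings -Server $cas -X509CertificateName $ServiceFqdn
    Get-Service -ComputerName $cas -Name MSExchangePOP3, MSExchangePOP3BE, MSExchangeIMAP4, MSExchangeIMAP4BE |
        Restart-Service
}

# Open a TLS session to one server and return the certificate it presents.
# Validation is bypassed on purpose: we want to see the cert, not trust it.
function Get-ServedCertificate {
    param([string]$ComputerName, [int]$Port, [string]$ServerName)
    $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($ServerName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

# Check each CAS directly (bypassing the load balancer) on the implicit-TLS ports.
foreach ($cas in $casServers) {
    foreach ($port in 995, 993) {
        $served = Get-ServedCertificate -ComputerName $cas -Port $port -ServerName $ServiceFqdn
        if ($served.Thumbprint -eq $Thumbprint) {
            Write-Host "${cas}:${port} presents $($served.Subject) (OK)"
        } else {
            Write-Warning "${cas}:${port} presents $($served.Subject) [$($served.Thumbprint)], not the wildcard cert"
        }
    }
}
```

A warning line naming the server's own FQDN as the subject is the symptom from this thread: that CAS is still serving its self-signed certificate.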

Author Comment

by:Anestis Psomas
ID: 39693289
I deleted it and now it works perfectly!! Very strange!! Do I need to recreate the self-signed certificate? Is the self-signed certificate used for something?

Thanks

Expert Comment

by:Sean
ID: 39693298
No, you don't need a self-signed cert if you pay for one, so it has no use anymore.

Expert Comment

by:BitTrekker
ID: 40764707
Hey, great work guys, deleting the self-signed cert worked for me too, I was pulling my hair out!!! :))))

Expert Comment

by:Dani Saku
ID: 41856996
Had the same problem - deleting the self-signed cert worked for me too!
Thanks!