[Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 7432
  • Last Modified:

Exchange 2013 and Wildcart Certificate

Hello,

In my Exchange 2013 Installation i want to enable POPS and IMAPS for secure communications between clients and server,

I have import a wildcart certificate . I use this for autodiscover and OWA and it plays perfect.

When i try to enable the certificate for IMAP and POP i take the error ,

This certificate with thumbprint FFED997A46629A5BF6F802C9AB22CE5134ED7E82 and subject '*.domain.net' cannot used for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-IMAPSettings to set X509CertificateName to the FQDN of the service.

I want to use mail.domain.net for hostnames for pop and imap so i go to servers and i set the fqdn of the x509 certificate mail.domain.net .  I then try again to enable the certificate for imap and pop but i take the same error.

Any ideas ?


Thanks
0
Anestis Psomas
Asked:
Anestis Psomas
  • 8
  • 8
  • 2
  • +2
1 Solution
 
jerseysamCommented:
0
 
SeanSystem EngineerCommented:
Once you import your cert you will need to set the pop and imap settings in shell

what you need to do is open exchange management shell and enter these commands

set-POPSettings -X509CertificateName mail.domain.com
set-IMAPSettings -X509CertificateName mail.domain.com

obviously you need to change the mail.domain.com part to your domain but this will bind your cert if you get any errors please let me know.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
Anestis PsomasAuthor Commented:
Hello to all ,

I have already run the Set-Pop and Set Imap for the X509 Certificate for mail.domain.com

But still its not working after i try to bind the certificate to the services because as i said i have a wildcard certificate *.domain.com and when im trying to bind the certificate i take the same error about the subject is not a fully qualified domain name.
0
 
SeanSystem EngineerCommented:
You will not need to bind it that way, the only thing you need to do is use the set-pop command. It will always fail if you try to use the enable-cert command for pop and imap.
0
 
Anestis PsomasAuthor Commented:
Ok so i have use only the set-pop and set-imap . I restart Services in all my servers. When i try to connect it connects successfully but i take a security warning about the certificate that is not trusted because it gives me the internal certificate of the server and not the certificate from godaddy.

Any ideas ?
0
 
SeanSystem EngineerCommented:
try this:
    Enable-ExchangeCertificate -Thumbprint XXXXXXXXXX -Services POP,IMAP,IIS
    Set-ImapSettings -server CAS01 -X509CertificateName imap.domain.com
    Set-PopSettings -server CAS01 -X509CertificateName pop.domain.com
    Restart the POP and IMAP services
0
 
Anestis PsomasAuthor Commented:
Still the same problem .
0
 
Anestis PsomasAuthor Commented:
Do i need to import the certificate also in my Load Balancer ?
0
 
SeanSystem EngineerCommented:
No the load balancer does not do any authentication normally. When you get the security warning it should show what cert it is pulling and what server its getting it from. if you have more than one cas server have you done the commands with both cas servers set?
0
 
Anestis PsomasAuthor Commented:
Hello ,

I have run the commands in both my servers. Also i restart them just to be sure.

The security warning shows my CAS01 and just to be sure i drop it from Load Balancer but i take the same warning from CAS02 . This is so strange....
0
 
SeanSystem EngineerCommented:
can you do a Get-ExchangeCertificate and make sure that your new cert has pop and imap assigned to it?
0
 
Anestis PsomasAuthor Commented:
Hi ,

But we told we cannot assign the certificate because its wildcard . We only set-pop and set-imap for the X509Certificatename . If i try to assign i take error

WARNING: This certificate with thumbprint FFED997A46629A5BF6F802C9AB22CE5134ED7E82 and subject '*.domain.net'
cannot used for POP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command
Set-POPSettings to set X509CertificateName to the FQDN of the service.


Before some posts you write " You will not need to bind it that way, the only thing you need to do is use the set-pop command. It will always fail if you try to use the enable-cert command for pop and imap.  "


Thanks for your help
0
 
SeanSystem EngineerCommented:
Sorry you are correct, im still stuck on 2010 :) with it wont work that way. Did you restart the pop and imap services after you did the set-pop and set-imap?
0
 
Anestis PsomasAuthor Commented:
No problem !

I have restarted yes. Also i restart all Servers. But still it gives me the internal certificate.
0
 
SeanSystem EngineerCommented:
hum the only thing i can think of is to remove the self signed cert just to get it out of the way...otherwise the steps i have been suggesting has always worked for me.
1
 
Anestis PsomasAuthor Commented:
I delete it and now it plays perfect !! Very strange !! Do i need to recreate the self signed certificate? Is the Self sign certificate used for something ?


Thanks
0
 
SeanSystem EngineerCommented:
No you don't need a self signed cert if you pay for one so it has not use anymore.
0
 
BitTrekkerCommented:
Hey, great work guys, deleting the self signed cert worked for me too, I was pulling my hair out!!! :))))
0
 
Dani SakuIT ConsultantCommented:
Had the same problem - deleting self-signed cert worked for me too!
Thanks!
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

  • 8
  • 8
  • 2
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now