Anestis Psomas
asked on
Exchange 2013 and Wildcart Certificate
Hello,
In my Exchange 2013 Installation i want to enable POPS and IMAPS for secure communications between clients and server,
I have import a wildcart certificate . I use this for autodiscover and OWA and it plays perfect.
When i try to enable the certificate for IMAP and POP i take the error ,
This certificate with thumbprint FFED997A46629A5BF6F802C9AB 22CE5134ED 7E82 and subject '*.domain.net' cannot used for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-IMAPSettings to set X509CertificateName to the FQDN of the service.
I want to use mail.domain.net for hostnames for pop and imap so i go to servers and i set the fqdn of the x509 certificate mail.domain.net . I then try again to enable the certificate for imap and pop but i take the same error.
Any ideas ?
Thanks
In my Exchange 2013 Installation i want to enable POPS and IMAPS for secure communications between clients and server,
I have import a wildcart certificate . I use this for autodiscover and OWA and it plays perfect.
When i try to enable the certificate for IMAP and POP i take the error ,
This certificate with thumbprint FFED997A46629A5BF6F802C9AB
I want to use mail.domain.net for hostnames for pop and imap so i go to servers and i set the fqdn of the x509 certificate mail.domain.net . I then try again to enable the certificate for imap and pop but i take the same error.
Any ideas ?
Thanks
Once you import your cert you will need to set the pop and imap settings in shell
what you need to do is open exchange management shell and enter these commands
set-POPSettings -X509CertificateName mail.domain.com
set-IMAPSettings -X509CertificateName mail.domain.com
obviously you need to change the mail.domain.com part to your domain but this will bind your cert if you get any errors please let me know.
what you need to do is open exchange management shell and enter these commands
set-POPSettings -X509CertificateName mail.domain.com
set-IMAPSettings -X509CertificateName mail.domain.com
obviously you need to change the mail.domain.com part to your domain but this will bind your cert if you get any errors please let me know.
ASKER
Hello to all ,
I have already run the Set-Pop and Set Imap for the X509 Certificate for mail.domain.com
But still its not working after i try to bind the certificate to the services because as i said i have a wildcard certificate *.domain.com and when im trying to bind the certificate i take the same error about the subject is not a fully qualified domain name.
I have already run the Set-Pop and Set Imap for the X509 Certificate for mail.domain.com
But still its not working after i try to bind the certificate to the services because as i said i have a wildcard certificate *.domain.com and when im trying to bind the certificate i take the same error about the subject is not a fully qualified domain name.
You will not need to bind it that way, the only thing you need to do is use the set-pop command. It will always fail if you try to use the enable-cert command for pop and imap.
ASKER
Ok so i have use only the set-pop and set-imap . I restart Services in all my servers. When i try to connect it connects successfully but i take a security warning about the certificate that is not trusted because it gives me the internal certificate of the server and not the certificate from godaddy.
Any ideas ?
Any ideas ?
try this:
Enable-ExchangeCertificate -Thumbprint XXXXXXXXXX -Services POP,IMAP,IIS
Set-ImapSettings -server CAS01 -X509CertificateName imap.domain.com
Set-PopSettings -server CAS01 -X509CertificateName pop.domain.com
Restart the POP and IMAP services
Enable-ExchangeCertificate
Set-ImapSettings -server CAS01 -X509CertificateName imap.domain.com
Set-PopSettings -server CAS01 -X509CertificateName pop.domain.com
Restart the POP and IMAP services
ASKER
Still the same problem .
ASKER
Do i need to import the certificate also in my Load Balancer ?
No the load balancer does not do any authentication normally. When you get the security warning it should show what cert it is pulling and what server its getting it from. if you have more than one cas server have you done the commands with both cas servers set?
ASKER
Hello ,
I have run the commands in both my servers. Also i restart them just to be sure.
The security warning shows my CAS01 and just to be sure i drop it from Load Balancer but i take the same warning from CAS02 . This is so strange....
I have run the commands in both my servers. Also i restart them just to be sure.
The security warning shows my CAS01 and just to be sure i drop it from Load Balancer but i take the same warning from CAS02 . This is so strange....
can you do a Get-ExchangeCertificate and make sure that your new cert has pop and imap assigned to it?
ASKER
Hi ,
But we told we cannot assign the certificate because its wildcard . We only set-pop and set-imap for the X509Certificatename . If i try to assign i take error
WARNING: This certificate with thumbprint FFED997A46629A5BF6F802C9AB 22CE5134ED 7E82 and subject '*.domain.net'
cannot used for POP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command
Set-POPSettings to set X509CertificateName to the FQDN of the service.
Before some posts you write " You will not need to bind it that way, the only thing you need to do is use the set-pop command. It will always fail if you try to use the enable-cert command for pop and imap. "
Thanks for your help
But we told we cannot assign the certificate because its wildcard . We only set-pop and set-imap for the X509Certificatename . If i try to assign i take error
WARNING: This certificate with thumbprint FFED997A46629A5BF6F802C9AB
cannot used for POP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command
Set-POPSettings to set X509CertificateName to the FQDN of the service.
Before some posts you write " You will not need to bind it that way, the only thing you need to do is use the set-pop command. It will always fail if you try to use the enable-cert command for pop and imap. "
Thanks for your help
Sorry you are correct, im still stuck on 2010 :) with it wont work that way. Did you restart the pop and imap services after you did the set-pop and set-imap?
ASKER
No problem !
I have restarted yes. Also i restart all Servers. But still it gives me the internal certificate.
I have restarted yes. Also i restart all Servers. But still it gives me the internal certificate.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I delete it and now it plays perfect !! Very strange !! Do i need to recreate the self signed certificate? Is the Self sign certificate used for something ?
Thanks
Thanks
No you don't need a self signed cert if you pay for one so it has not use anymore.
Hey, great work guys, deleting the self signed cert worked for me too, I was pulling my hair out!!! :))))
Had the same problem - deleting self-signed cert worked for me too!
Thanks!
Thanks!
http://exchangeserverpro.com/exchange-2013-assign-ssl-certificate-to-services/