Solved

Exchange 2013 and Wildcart Certificate

Posted on 2013-12-03
20
5,714 Views
Last Modified: 2016-10-24
Hello,

In my Exchange 2013 Installation i want to enable POPS and IMAPS for secure communications between clients and server,

I have import a wildcart certificate . I use this for autodiscover and OWA and it plays perfect.

When i try to enable the certificate for IMAP and POP i take the error ,

This certificate with thumbprint FFED997A46629A5BF6F802C9AB22CE5134ED7E82 and subject '*.domain.net' cannot used for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-IMAPSettings to set X509CertificateName to the FQDN of the service.

I want to use mail.domain.net for hostnames for pop and imap so i go to servers and i set the fqdn of the x509 certificate mail.domain.net .  I then try again to enable the certificate for imap and pop but i take the same error.

Any ideas ?


Thanks
0
Comment
Question by:Anestis Psomas
  • 8
  • 8
  • 2
  • +2
20 Comments
 
LVL 15

Expert Comment

by:jerseysam
ID: 39692408
0
 
LVL 15

Expert Comment

by:jerseysam
ID: 39692409
0
 
LVL 9

Expert Comment

by:Sean
ID: 39692414
Once you import your cert you will need to set the pop and imap settings in shell

what you need to do is open exchange management shell and enter these commands

set-POPSettings -X509CertificateName mail.domain.com
set-IMAPSettings -X509CertificateName mail.domain.com

obviously you need to change the mail.domain.com part to your domain but this will bind your cert if you get any errors please let me know.
0
NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

 

Author Comment

by:Anestis Psomas
ID: 39692419
Hello to all ,

I have already run the Set-Pop and Set Imap for the X509 Certificate for mail.domain.com

But still its not working after i try to bind the certificate to the services because as i said i have a wildcard certificate *.domain.com and when im trying to bind the certificate i take the same error about the subject is not a fully qualified domain name.
0
 
LVL 9

Expert Comment

by:Sean
ID: 39692422
You will not need to bind it that way, the only thing you need to do is use the set-pop command. It will always fail if you try to use the enable-cert command for pop and imap.
0
 

Author Comment

by:Anestis Psomas
ID: 39692492
Ok so i have use only the set-pop and set-imap . I restart Services in all my servers. When i try to connect it connects successfully but i take a security warning about the certificate that is not trusted because it gives me the internal certificate of the server and not the certificate from godaddy.

Any ideas ?
0
 
LVL 9

Expert Comment

by:Sean
ID: 39692503
try this:
    Enable-ExchangeCertificate -Thumbprint XXXXXXXXXX -Services POP,IMAP,IIS
    Set-ImapSettings -server CAS01 -X509CertificateName imap.domain.com
    Set-PopSettings -server CAS01 -X509CertificateName pop.domain.com
    Restart the POP and IMAP services
0
 

Author Comment

by:Anestis Psomas
ID: 39692623
Still the same problem .
0
 

Author Comment

by:Anestis Psomas
ID: 39692703
Do i need to import the certificate also in my Load Balancer ?
0
 
LVL 9

Expert Comment

by:Sean
ID: 39692762
No the load balancer does not do any authentication normally. When you get the security warning it should show what cert it is pulling and what server its getting it from. if you have more than one cas server have you done the commands with both cas servers set?
0
 

Author Comment

by:Anestis Psomas
ID: 39692776
Hello ,

I have run the commands in both my servers. Also i restart them just to be sure.

The security warning shows my CAS01 and just to be sure i drop it from Load Balancer but i take the same warning from CAS02 . This is so strange....
0
 
LVL 9

Expert Comment

by:Sean
ID: 39692794
can you do a Get-ExchangeCertificate and make sure that your new cert has pop and imap assigned to it?
0
 

Author Comment

by:Anestis Psomas
ID: 39692852
Hi ,

But we told we cannot assign the certificate because its wildcard . We only set-pop and set-imap for the X509Certificatename . If i try to assign i take error

WARNING: This certificate with thumbprint FFED997A46629A5BF6F802C9AB22CE5134ED7E82 and subject '*.domain.net'
cannot used for POP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command
Set-POPSettings to set X509CertificateName to the FQDN of the service.


Before some posts you write " You will not need to bind it that way, the only thing you need to do is use the set-pop command. It will always fail if you try to use the enable-cert command for pop and imap.  "


Thanks for your help
0
 
LVL 9

Expert Comment

by:Sean
ID: 39692931
Sorry you are correct, im still stuck on 2010 :) with it wont work that way. Did you restart the pop and imap services after you did the set-pop and set-imap?
0
 

Author Comment

by:Anestis Psomas
ID: 39692939
No problem !

I have restarted yes. Also i restart all Servers. But still it gives me the internal certificate.
0
 
LVL 9

Accepted Solution

by:
Sean earned 500 total points
ID: 39692960
hum the only thing i can think of is to remove the self signed cert just to get it out of the way...otherwise the steps i have been suggesting has always worked for me.
1
 

Author Comment

by:Anestis Psomas
ID: 39693289
I delete it and now it plays perfect !! Very strange !! Do i need to recreate the self signed certificate? Is the Self sign certificate used for something ?


Thanks
0
 
LVL 9

Expert Comment

by:Sean
ID: 39693298
No you don't need a self signed cert if you pay for one so it has not use anymore.
0
 
LVL 1

Expert Comment

by:BitTrekker
ID: 40764707
Hey, great work guys, deleting the self signed cert worked for me too, I was pulling my hair out!!! :))))
0
 

Expert Comment

by:Dani Saku
ID: 41856996
Had the same problem - deleting self-signed cert worked for me too!
Thanks!
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Marketers need statistics and metrics like everybody else needs oxygen. In this article we explain how to enable marketing campaign statistics for Microsoft Exchange mail.
This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
In this video we show how to create a Shared Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Sha…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question