Solved

invalid certificate exchange 2013

Posted on 2014-11-27
Last Modified: 2015-11-14
Hello Experts,
I am trying to set my wildcard certificate to work with my IMAP services as a secure SSL connection. The chain of my wildcard certificate is correct, but the certificate shows as invalid on the ECP certificates page. I have deleted the rest of the certificates according to the suggestions in thread http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_28308863.html and I have also tried to repair it by the serial number. It is still there as "invalid" (pic attached). Do you have any ideas on how to fix it? I have been struggling with that for many hours...

PS: The certificate works just fine in IIS websites bindings.
Thank you.

Question by:Dimitris_v
16 Comments
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 40470883
It would appear that using a wildcard certificate requires a different procedure to bind for IMAP than a regular certificate:
http://technet.microsoft.com/en-us/library/aa997231%28v=exchg.150%29.aspx
Don't use the Enable-ExchangeCertificate cmdlet to enable a wildcard certificate for POP and IMAP services. To enable a wildcard certificate, you must use the Set-ImapSettings or Set-PopSettings cmdlets with the fully qualified domain name (FQDN) of the service.
0
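As an added example (not from the thread or the TechNet page), this script follows the quoted guidance: it checks that the wildcard certificate actually covers the IMAP FQDN, sets the name with Set-ImapSettings, and restarts the IMAP services. It assumes the Exchange Management Shell; $Fqdn and $Thumbprint are placeholders for your own values.

```powershell
# Added example (not from the thread): bind a wildcard certificate to Exchange 2013
# IMAP the way the TechNet note quoted above describes, i.e. by FQDN rather than
# with Enable-ExchangeCertificate. Run in the Exchange Management Shell.
# Assumptions: $Fqdn and $Thumbprint are placeholders for your own values.
$Fqdn       = 'mail.example.net'        # the name IMAP clients connect to
$Thumbprint = 'PLACEHOLDER_THUMBPRINT'  # copy from Get-ExchangeCertificate
$Server     = $env:COMPUTERNAME

# 1. The certificate must exist in the local store and actually cover the FQDN.
#    A wildcard '*.example.net' covers exactly one label: mail.example.net, not
#    imap.mail.example.net.
$cert = Get-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint on $Server" }
$domains = @($cert.CertificateDomains)
$parent  = $Fqdn -replace '^[^.]+\.', ''
if (-not (($domains -contains $Fqdn) -or ($domains -contains "*.$parent"))) {
    throw "$($cert.Subject) does not cover $Fqdn (names: $($domains -join ', '))"
}

# 2. Point IMAP at the FQDN. Exchange then selects the store certificate whose
#    names match it, so a wildcard needs no Enable-ExchangeCertificate step.
#    'The command completed successfully but no settings ... modified' only means
#    the value was already set, so compare first and report plainly.
$before = (Get-ImapSettings -Server $Server).X509CertificateName
if ($before -ieq $Fqdn) {
    Write-Host "X509CertificateName is already '$Fqdn'; no change needed"
} else {
    Set-ImapSettings -Server $Server -X509CertificateName $Fqdn
    Write-Host "X509CertificateName changed from '$before' to '$Fqdn'"
}

# 3. The running IMAP services keep the old binding until restarted.
Restart-Service MSExchangeIMAP4, MSExchangeIMAP4BE
```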
 

Author Comment

by:Dimitris_v
ID: 40471579
Hmm..
Thanks for the comment Razmus.
I tried to run the command below, but it seems that something went wrong.
I get the results below.
____________________________
[PS] C:\Windows\system32>set-imapsettings -x509certificatename mail.xxxxx.net:993
The certificate with the subject 'mail.xxxxx.net:993' can't be used for SSL or TLS connections because the subject
isn't a valid fully qualified domain name (FQDN).
    + CategoryInfo          : NotSpecified: (myserver:ADObjectId) [Set-ImapSettings], DataValidationException
    + FullyQualifiedErrorId : [Server=myserver,RequestId=e8cf9eea-be4d-4d5c-8a2c-8d3e41xxxxxx,TimeStamp=11/29/2
   014 1:39:37 PM] 4FA0B649,Microsoft.Exchange.Management.Tasks.SetImap4Configuration
    + PSComputerName        : myservername

________________________________________

Is it because of a wrongly set wildcard certificate, or what?
Please help.
0
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 40471590
I think the error is indicating that the FQDN with the :993 isn't accepted.

There is a command to Get-ExchangeCertificate.  Make certain you can see the wildcard cert you want to use, and note the thumbprint.

Then use Enable-ExchangeCertificate, to make the certificate available to IMAP.  (I believe that'll be Enable-ExchangeCertificate -Thumbprint <thumbprint captured above> -Services IMAP)

Finally, use the Set-IMAPSettings you tried before, without the port.
0
 

Author Comment

by:Dimitris_v
ID: 40472587
Thanks for the reply Razmus.

So, below is what happened.

_______________________________________________

[PS] C:\Windows\system32>get-exchangecertificate

Thumbprint                                Services   Subject
----------                                --------   -------
80A0580F422A9C9524866A86D9AE61269xxxxxx  ...WS..    CN=*.domain.net, OU=EssentialSSL Wildcard, OU=Domain Control V...


[PS] C:\Windows\system32>enable-exchangecertificate

cmdlet Enable-ExchangeCertificate at command pipeline position 1
Supply values for the following parameters:
Services: IMAP
Thumbprint: 80A0580F422A9C9524866A86D9AE61269xxxxxx
WARNING: This certificate with thumbprint 80A0580F422A9C9524866A86D9AE61269xxxxxx and subject '*.domain.net' cannot
used for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command
Set-IMAPSettings to set X509CertificateName to the FQDN of the service.
[PS] C:\Windows\system32>set-imapsettings -x509certificatename mail.domain.net
WARNING: The command completed successfully but no settings of 'myserver' have been modified.
[PS] C:\Windows\system32>
_____________________________________________________________

Any suggestions?
0
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 40472608
It looks like I had the order incorrect.  Try the enable-exchangecertificate, for IMAP with that thumbprint, and see if it works now that you have the 'set-imapsettings' set.
0
 

Author Comment

by:Dimitris_v
ID: 40472662
Well, it looks like I get the same message.

_________
WARNING: This certificate with thumbprint 80A0580F422A9C9524866A86D9AE61269xxxxxx and subject '*.domain.net' cannot
used for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command
Set-IMAPSettings to set X509CertificateName to the FQDN of the service.
_____________
0
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 40472698
Confirm that Exchange isn't listening on tcp/993, despite the warning.

I can see from folks in the Experts-Exchange Archive that it can take a day for the Set-IMAPSettings to take effect (for no reason I can think of), and/or that the warnings are normal.  (It looks like restarting the relevant service for IMAP will be necessary regardless.)
0
 

Author Comment

by:Dimitris_v
ID: 40478763
Hi Razmus,
I am back. :-)
I have tried several things over the last 3 days and also waited to see if the certificate would start working, but I've still got the same problem.
Also, when I run "Set-ImapSettings -X509CertificateName mail.domain.com" I get a warning: The command completed successfully but no settings of "myserver" have been modified.

Such a strange thing.
What should I do? Maybe I could install and activate the default certificates somehow and try to reinstall the wildcard as it looks still invalid to the ecp? and how easy that would be?
ooh..I am lost..
0
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 40478936
I believe the 'no settings <> have been modified' is indicating that the name value has already been set and isn't being changed by this.  You can test by changing the name, then changing it back.  (And I think Get-ImapSettings, could also confirm.)

Just to confirm though, were you able to confirm that the system isn't responding on IMAP on tcp/993?
0
 

Author Comment

by:Dimitris_v
ID: 40480327
Hmm, it seems that there is no name to my certificate..
How could i fix that?
no_name
0
 

Author Comment

by:Dimitris_v
ID: 40480331
ooo you meant the domain name??  mail.domain.com  right?
0
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 40480767
You could add a friendly name to a certificate by opening 'mmc.exe', and adding in the certificate snap-in, for the computer, finding the certificate (probably under Personal), pulling up the properties.  The Friendly Name should be editable there.

But, yes, I meant the mail.domain.com.
0
 

Author Comment

by:Dimitris_v
ID: 40482973
thanks for the tip.

I changed the domain for the Set-ImapSettings. You were right, the message was gone, so that means it was already set.

So,
I made the test with the Microsoft Remote Connectivity Analyzer (https://testconnectivity.microsoft.com) and obviously it says that TCP port 993 is open, but the certificate cannot be verified because the SSL connection was not successful. This could happen in case of a network failure or a wrong certificate installation.

Should I delete and reinstall the wildcard? How easy would that be?
0
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 40483191
If you have the original key material (i.e. the private key and the public key) it isn't hard.  Normally what happens though when I work with certificates on Windows systems, is that you generate a certificate request and the computer stores away the private key.  You take the certificate request file, and submit it to the CA, and you take the signed public certificate back from the CA, and pull that into the certificate store... where it is combined with the private key.  Normally, you won't have the private key anywhere except in the certificate store.  You'll want to confirm that you have the private key and public key somewhere accessible before you delete the certificate.

And just to double check -- some administrators have been disabling SSL 3 on their systems because of the Poodle vulnerability.  Did you also check using TLS connection security?
0
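As an added example (not from the thread), this PowerShell function does the check suggested above from the client side: it connects to tcp/993 negotiating TLS only (no SSL 3), and reports which certificate the listener presents, whether its names cover the FQDN, and what policy errors .NET raised for it. $Fqdn is a placeholder for the name set with Set-ImapSettings.

```powershell
# Added example (not from the thread): show what certificate the IMAP listener on
# tcp/993 presents when a client negotiates TLS rather than SSL 3, and whether that
# certificate would pass a client's name and chain checks.
# Assumption: $Fqdn is a placeholder for the name you set with Set-ImapSettings.
$Fqdn = 'mail.example.net'

function Test-ImapTls([string]$hostName, [int]$port = 993) {
    $script:policyErrors = [System.Net.Security.SslPolicyErrors]::None
    # Let the handshake finish regardless, but record why .NET would have rejected the cert.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors)
        $script:policyErrors = $errors
        return $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($hostName, $port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        # Offer only TLS versions, as a client with SSL 3 disabled (post-POODLE) would.
        $tls = [System.Security.Authentication.SslProtocols]::Tls -bor
               [System.Security.Authentication.SslProtocols]::Tls11 -bor
               [System.Security.Authentication.SslProtocols]::Tls12
        $ssl.AuthenticateAsClient($hostName, $null, $tls, $false)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                     -ArgumentList $ssl.RemoteCertificate
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        # A client accepts an exact SAN match or a wildcard one label to the left:
        # '*.example.net' covers mail.example.net but not imap.mail.example.net.
        $parent  = $hostName -replace '^[^.]+\.', ''
        $matched = ($names -contains $hostName) -or ($names -contains "*.$parent")
        [pscustomobject]@{
            Protocol     = $ssl.SslProtocol
            Subject      = $cert.Subject
            Names        = $names -join ', '
            NameMatches  = $matched
            Expires      = $cert.NotAfter
            PolicyErrors = $script:policyErrors   # None means chain and name both validated
        }
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

Test-ImapTls $Fqdn | Format-List
```

If the handshake itself throws, the server offered no TLS version in common or rejected the connection; a successful handshake with PolicyErrors other than None points at the certificate (name, chain or expiry) rather than the transport.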
 

Accepted Solution

by: Dimitris_v (earned 0 total points)
ID: 41216488
Solved with an installation of a SAN certificate. Neither wildcards nor other certificate types worked with Exchange 2013 in my case.
0
 

Author Closing Comment

by:Dimitris_v
ID: 41244606
It has nothing to do with the SMTP connectivity. Anyway, the problem with the invalid certificate was the wrong type of certificate. I used a SAN certificate and it worked.
0
