invalid certificate exchange 2013

Hello Experts,
I am trying to set my wildcard certificate to work with my IMAP services as a secure SSL connection. The chain of my wildcard certificate is correct, but the certificate is shown as invalid in the ECP certificates list. I have deleted the rest of the certificates as suggested in the thread http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_28308863.html and I have also tried to repair it by the serial number. It is still there as "invalid" (picture attached). Do you have any ideas on how to fix it? I have been struggling with this for many hours...

PS: The certificate works just fine in IIS websites bindings.
Thank you.

Dimitris_v asked:

Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
It would appear that using a wildcard certificate requires a different procedure to bind for IMAP than a regular certificate:
http://technet.microsoft.com/en-us/library/aa997231%28v=exchg.150%29.aspx
Don't use the Enable-ExchangeCertificate cmdlet to enable a wildcard certificate for POP and IMAP services. To enable a wildcard certificate, you must use the Set-ImapSettings or Set-PopSettings cmdlets with the fully qualified domain name (FQDN) of the service.
0
Dimitris_v (Author) commented:
Hmm..
Thanks for the comment, Razmus.
I thought of running the command below, but it seems that something went wrong.
I get the results below.
____________________________
[PS] C:\Windows\system32>set-imapsettings -x509certificatename mail.xxxxx.net:993
The certificate with the subject 'mail.xxxxx.net:993' can't be used for SSL or TLS connections because the subject
isn't a valid fully qualified domain name (FQDN).
    + CategoryInfo          : NotSpecified: (myserver:ADObjectId) [Set-ImapSettings], DataValidationException
    + FullyQualifiedErrorId : [Server=myserver,RequestId=e8cf9eea-be4d-4d5c-8a2c-8d3e41xxxxxx,TimeStamp=11/29/2
   014 1:39:37 PM] 4FA0B649,Microsoft.Exchange.Management.Tasks.SetImap4Configuration
    + PSComputerName        : myservername

________________________________________

Is it because of a wrongly set wildcard certificate, or what?
Please help.
0
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
I think the error is indicating that the FQDN with the :993 isn't accepted.

There is a command to Get-ExchangeCertificate.  Make certain you can see the wildcard cert you want to use, and note the thumbprint.

Then use Enable-ExchangeCertificate to make the certificate available to IMAP.  (I believe that'll be Enable-ExchangeCertificate -Thumbprint <thumbprint captured above> -Services IMAP.)

Finally, use the Set-IMAPSettings you tried before, without the port.
0
Dimitris_v (Author) commented:
Thanks for the reply, Razmus.

So, below is what happened.

_______________________________________________

[PS] C:\Windows\system32>get-exchangecertificate

Thumbprint                                Services   Subject
----------                                --------   -------
80A0580F422A9C9524866A86D9AE61269xxxxxx  ...WS..    CN=*.domain.net, OU=EssentialSSL Wildcard, OU=Domain Control V...


[PS] C:\Windows\system32>enable-exchangecertificate

cmdlet Enable-ExchangeCertificate at command pipeline position 1
Supply values for the following parameters:
Services: IMAP
Thumbprint: 80A0580F422A9C9524866A86D9AE61269xxxxxx
WARNING: This certificate with thumbprint 80A0580F422A9C9524866A86D9AE61269xxxxxx and subject '*.domain.net' cannot
used for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command
Set-IMAPSettings to set X509CertificateName to the FQDN of the service.
[PS] C:\Windows\system32>set-imapsettings -x509certificatename mail.domain.net
WARNING: The command completed successfully but no settings of 'myserver' have been modified.
[PS] C:\Windows\system32>
_____________________________________________________________

Any suggestions?
0
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
It looks like I had the order incorrect.  Try the enable-exchangecertificate, for IMAP with that thumbprint, and see if it works now that you have the 'set-imapsettings' set.
0
Dimitris_v (Author) commented:
Well, it looks like I get the same message.

_________
WARNING: This certificate with thumbprint 80A0580F422A9C9524866A86D9AE61269xxxxxx and subject '*.domain.net' cannot
used for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command
Set-IMAPSettings to set X509CertificateName to the FQDN of the service.
_____________
0
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
Confirm that Exchange isn't listening on tcp/993, despite the warning.

I can see from folks in the Experts-Exchange archive that it can take a day for the Set-IMAPSettings to take effect (for no reason I can think of), and/or that the warnings are normal.  (It looks like restarting the relevant service for IMAP will be necessary regardless.)
0
Dimitris_v (Author) commented:
Hi Razmus,
I am back. :-)
I have tried several things over the last 3 days and also waited to see if the certificate would start working, but I've still got the same problem.
Also, when I run "Set-ImapSettings -X509CertificateName mail.domain.com" I get a warning: The command completed successfully but no settings of "myserver" have been modified.

Such a strange thing.
What should I do? Maybe I could install and activate the default certificates somehow and try to reinstall the wildcard, as it still looks invalid in the ECP? And how easy would that be?
Ooh.. I am lost..
0
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
I believe the 'no settings <> have been modified' is indicating that the name value has already been set and isn't being changed by this.  You can test by changing the name, then changing it back.  (And I think Get-ImapSettings, could also confirm.)

Just to confirm though, were you able to confirm that the system isn't responding on IMAP on tcp/993?
0
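Putting Rich's steps above (Get-ExchangeCertificate, Set-ImapSettings without the port, Enable-ExchangeCertificate for IMAP, the service restart, Get-ImapSettings and the tcp/993 check) into one script, as an added example that is not from anyone in this thread. The thumbprint placeholder, the FQDN mail.domain.net and the service names MSExchangeIMAP4 and MSExchangeIMAP4BE are assumptions, and the TLS handshake in the last step is an addition for seeing which certificate the server really presents.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on the
# Exchange 2013 server. $Thumbprint and $ImapFqdn are placeholders for your own values.
$Thumbprint = '<THUMBPRINT FROM Get-ExchangeCertificate>'
$ImapFqdn   = 'mail.domain.net'     # the name clients connect to on tcp/993

# 1. Inspect the candidate certificate before touching any bindings.
$cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
$cert | Format-List Subject, CertificateDomains, HasPrivateKey, NotAfter, Status, Services
if (-not $cert.HasPrivateKey) { throw 'No private key: this certificate cannot serve TLS.' }
if ($cert.Subject.StartsWith('CN=*.')) {
    # Wildcard CN: Enable-ExchangeCertificate -Services IMAP warns that the subject is not
    # an FQDN, so the service name has to be supplied with Set-ImapSettings instead.
    Write-Host "Wildcard subject '$($cert.Subject)'; IMAP will use X509CertificateName."
}

# 2. Name the IMAP service. Host name only; 'mail.domain.net:993' fails FQDN validation.
Set-ImapSettings -X509CertificateName $ImapFqdn

# 3. Bind the certificate to the IMAP service.
Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services IMAP

# 4. Both IMAP services (client access and back end) must restart before the new binding is served.
Restart-Service -Name MSExchangeIMAP4, MSExchangeIMAP4BE

# 5. Confirm the stored setting ('no settings ... modified' means it already held this value).
Get-ImapSettings | Format-List X509CertificateName, SSLBindings

# 6. Check what the server actually presents on tcp/993: connect, complete a TLS handshake
#    and print the server certificate. The callback returning $true only switches off chain
#    validation for this inspection, so an untrusted or mismatched certificate is still shown.
$tcp = New-Object Net.Sockets.TcpClient($ImapFqdn, 993)
$ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false, ([Net.Security.RemoteCertificateValidationCallback]{ $true }))
$ssl.AuthenticateAsClient($ImapFqdn)
$served = New-Object Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
$served | Format-List Subject, Issuer, NotAfter, Thumbprint
$ssl.Dispose(); $tcp.Close()
```

The last step should print the certificate you bound, with the IMAP FQDN covered by its Subject or CertificateDomains; if it prints the self-signed default certificate instead, the binding did not take effect.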
Dimitris_v (Author) commented:
Hmm, it seems that there is no name on my certificate..
How could I fix that?
[attachment: no_name]
0
Dimitris_v (Author) commented:
Ooh, you meant the domain name?? mail.domain.com, right?
0
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
You could add a friendly name to a certificate by opening 'mmc.exe', and adding in the certificate snap-in, for the computer, finding the certificate (probably under Personal), pulling up the properties.  The Friendly Name should be editable there.

But, yes, I meant the mail.domain.com.
0
Dimitris_v (Author) commented:
Thanks for the tip.

I changed the domain for the Set-ImapSettings. You were right, the message was gone, so that means it was already set.

So,
I made the test with the Microsoft Remote Connectivity Analyzer (https://testconnectivity.microsoft.com) and, obviously, it says that TCP port 993 is open but the certificate could not be verified because the SSL connection was not successful. This could happen in case of a network failure or a wrong certificate installation.

Should I delete and reinstall the wildcard? How easy would that be?
0
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
If you have the original key material (i.e. the private key and the public key) it isn't hard.  Normally what happens, though, when I work with certificates on Windows systems, is that you generate a certificate request and the computer stores away the private key.  You take the certificate request file and submit it to the CA, and you take the signed public certificate back from the CA and pull that into the certificate store... where it is combined with the private key.  Normally, you won't have the private key anywhere except in the certificate store.  You'll want to confirm that you have the private key and public key somewhere accessible before you delete the certificate.

And just to double check -- some administrators have been disabling SSL 3 on their systems because of the Poodle vulnerability.  Did you also check using TLS connection security?
0
Dimitris_v (Author) commented:
Solved with the installation of a SAN certificate. Neither wildcards nor other certificate types worked with Exchange 2013 in my case.
0

Dimitris_v (Author) commented:
It has nothing to do with the SMTP connectivity. Anyway, the problem with the invalid certificate was the wrong type of certificate. I used a SAN certificate and it worked.
0