Exchange 2007: Wildcard Certificate. TLS warning.

    Question

  • I have three certificates installed on our Exchange 2007 server. One is the default self-signed cert. Another is another self-signed cert. And the third is one purchased from a public CA. I've been trying to plan moving all services off of the self-signed cert and onto the third-party one. We are using a wildcard certificate: *.external_domainname.com

    The other day I changed the FQDN of the POP3 connector through the GUI to webmail.external_domainname.com from servername. It now appears the POP service isn't listed on any of the installed certificates. I tried testing port 995 with OpenSSL and it's retrieving the third-party cert correctly.

    I get this message when trying to run Enable-ExchangeCertificate -Thumbprint <Thumbprint> -Services POP:

    WARNING: This certificate will not be used for external TLS connections with an
     FQDN of '*.external_domainname.com' because the self-signed certificate with thumbprint
    '<thumbprint>' takes precedence. The following
    connectors match that FQDN: POP3.

    However, the thumbprint listed is not the self-signed certificate; the thumbprint is the third-party one.

    Here is the Get-ExchangeCertificate output:

    [PS] C:\Windows\system32>Get-ExchangeCertificate | fl


    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                         ssControl.CryptoKeyAccessRule}
    CertificateDomains : {servername, servername.internal_domainname.com}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=servername
    NotAfter           : 6/3/2012 11:15:00 PM
    NotBefore          : 6/3/2011 11:15:00 PM
    PublicKeySize      : 2048
    RootCAType         : Registry
    SerialNumber       : Serial Number
    Services           : IMAP, UM, SMTP
    Status             : Valid
    Subject            : CN=servername
    Thumbprint         : <thumbprint>

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {WMSvc-servername}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=WMSvc-servername
    NotAfter           : 5/31/2021 11:03:50 PM
    NotBefore          : 6/3/2011 11:03:50 PM
    PublicKeySize      : 2048
    RootCAType         : Registry
    SerialNumber       : Serial Number
    Services           : None
    Status             : Valid
    Subject            : CN=WMSvc-servername
    Thumbprint         : <thumbprint>

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {*.external_domainname.com}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=Network Solutions Certificate Authority, O=Network Solu
                         tions L.L.C., C=US
    NotAfter           : 11/10/2012 6:59:59 PM
    NotBefore          : 11/9/2008 7:00:00 PM
    PublicKeySize      : 1024
    RootCAType         : ThirdParty
    SerialNumber       : Serial Number
    Services           : IIS
    Status             : Valid
    Subject            : CN=*.external_domainname.com, OU=Secure Link SSL Wildcard, OU=IT, O="
                         Company Name", STREET=Address STREET=Address, L=City, S=State, PostalCode=Zip, C=US
    Thumbprint         : <thumbprint>

    I am running Exchange 2007 SP3 with Rollup Update 5

    Monday, 13 February 2012 21:17
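The poster checked port 995 with OpenSSL to see which certificate the server actually presents. The following is an added example (not part of the thread) that does the same check from PowerShell: it completes the TLS handshake on an implicit-TLS port (995 for POP3S, 993 for IMAPS), reports the served certificate, and, when run on the Exchange server, maps its thumbprint back to the Get-ExchangeCertificate entry so you can tell whether the self-signed or the third-party certificate is really bound. The host name and port are placeholders (assumptions).

```powershell
# Added example, not part of the original thread.
# Connects to an implicit-TLS port, accepts whatever certificate the server sends
# (we want to *see* it, even a self-signed one), and returns its key properties.
function Get-ServedCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][int]$Port,
        [string]$TargetHost = $ComputerName   # name used for the handshake
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        # Validation callback that accepts everything: this is a probe, not a client.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $acceptAll
        $ssl.AuthenticateAsClient($TargetHost)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        New-Object PSObject -Property @{
            Host         = $ComputerName
            Port         = $Port
            Protocol     = $ssl.SslProtocol
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            KeySize      = $cert.PublicKey.Key.KeySize
            IsSelfSigned = ($cert.Subject -eq $cert.Issuer)
        }
    }
    finally {
        $client.Close()
    }
}

# Placeholder host (assumption): check POP3S and IMAPS.
foreach ($port in 995, 993) {
    $served = Get-ServedCertificate -ComputerName 'webmail.external_domainname.com' -Port $port
    $served | Format-List Host, Port, Protocol, Subject, Issuer, Thumbprint, NotAfter, KeySize, IsSelfSigned

    # The thread's third-party certificate has a 1024-bit key; flag anything below 2048.
    if ($served.KeySize -lt 2048) {
        Write-Warning "Port $port serves a $($served.KeySize)-bit key; replace it with 2048-bit or larger at renewal"
    }

    # On the Exchange server itself, map the served thumbprint back to the local entry
    # so you know which of the three installed certificates the port is really using.
    if (Get-Command Get-ExchangeCertificate -ErrorAction SilentlyContinue) {
        Get-ExchangeCertificate -Thumbprint $served.Thumbprint |
            Select-Object Thumbprint, IsSelfSigned, CertificateDomains, Services
    }
}
```

Run this from a client outside the server as well as on the server: the thumbprint reported by the probe is what clients trust, regardless of what the Services column in Get-ExchangeCertificate says.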

All replies

  • What URL did you configure for POP to use?

    Try to enable the services for the 3rd-party certificate using

    Enable-Exchangecertificate -thumbprint xxxxxx -services "IIS, SMTP, POP, UM"


    Jonas Andersson | Microsoft Community Contributor Award 2011 | MCITP: EMA 2007/2010 | Blog: http://www.testlabs.se/blog | Follow me on twitter: jonand82

    Tuesday, 14 February 2012 13:45
  • Hey Jonas. I used mail.external_domainname.com (our wildcard cert is *.external_domainname.com)

    I've tried running Enable-ExchangeCertificate with -services UM and nothing happens. POP gives the above Warning message, it already has IIS on it. I haven't done it with SMTP. Do you have to run the -services switch with all services to work? 

    Tuesday, 14 February 2012 14:15
  • Hello,

    From the certificate log you provided, no certificate is enabled on the POP3 service. Please double-check it.

    Thanks,

    Simon

    Wednesday, 15 February 2012 08:30
    Moderator
  • That's the problem. I am running the command to enable it and getting this:

    I get this message when trying to run Enable-ExchangeCertificate -Thumbprint <Thumbprint> -Services POP:

    WARNING: This certificate will not be used for external TLS connections with an
     FQDN of '*.external_domainname.com' because the self-signed certificate with thumbprint
    '<thumbprint>' takes precedence. The following
    connectors match that FQDN: POP3.

    Wednesday, 15 February 2012 13:16
  • Hello,

    Thanks for the confirmation. Have you referred to this article:

    Certificates that contain wildcard characters may not work correctly on an Exchange 2007 Service Pack 1-based server

    http://support.microsoft.com/kb/948896

    Thanks,

    Simon

    Thursday, 16 February 2012 02:19
    Moderator
  • We are on Service Pack 3
    Thursday, 16 February 2012 03:07
  • What happens when you try to run:

    Enable-Exchangecertificate -thumbprint xxxxxx -services "IIS, SMTP, POP, UM"

    I read through the link posted by Simon, but I think you should check with MS Support to confirm whether using a wildcard certificate for POP services is supported, or maybe Simon can give you an official answer on it.


    Jonas Andersson | Microsoft Community Contributor Award 2011 | MCITP: EMA 2007/2010 | Blog: http://www.testlabs.se/blog | Follow me on twitter: jonand82

    Thursday, 16 February 2012 14:01
  • Hello,

    Please try to run:

    Set-POPSettings -Server xxx -X509CertificateName webmail.external_domainname.com

    Then restart the IIS service and check if the issue persists.

    Thanks,

    Simon


    Friday, 17 February 2012 01:52
    Moderator
  • None of the suggestions here worked. I don't think you can use a wildcard certificate successfully with POP and IMAP. We are purchasing a unified messaging certificate and we'll see how that goes. 
    Wednesday, 22 February 2012 13:15
  • Configuring Exchange 2010 Services for using Wildcard Certificates:

    http://www.windowsinfo.eu/?p=236


    Normally you would also use this command to enable the certificate for other services like POP3 and IMAP4, but this is not possible with wildcard certificates. In that case you have to use Set-ImapSettings -X509CertificateName and Set-PopSettings -X509CertificateName
    respectively to enable a wildcard certificate on Exchange Server.

    • Edited by hewyii Thursday, 8 March 2012 00:46
    Thursday, 8 March 2012 00:45
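The reply above describes the route that works for wildcard certificates: bind POP3 and IMAP4 by name with -X509CertificateName instead of by thumbprint with Enable-ExchangeCertificate. The following is an added example (not from the thread, the linked blog, or Microsoft) that performs that binding in the Exchange Management Shell on the server, with the checks a practitioner would run first. The server name, FQDN and thumbprint are placeholders (assumptions); the wildcard-matching helper is added here and is not an Exchange function.

```powershell
# Added example, not part of the original thread. Run in the Exchange Management Shell
# on the CAS server. All three values below are placeholders (assumptions).
$Server     = 'servername'
$Fqdn       = 'webmail.external_domainname.com'   # name clients connect to
$Thumbprint = '<thumbprint>'                      # the third-party wildcard certificate

# A wildcard entry covers exactly one label: *.external_domainname.com matches
# webmail.external_domainname.com but not external_domainname.com or a.b.external_domainname.com.
# (Added helper; Exchange does its own matching, this only pre-checks the name you chose.)
function Test-NameCoveredBy {
    param([string]$Name, [string]$Pattern)
    if (-not $Pattern.StartsWith('*.')) { return ($Name -eq $Pattern) }   # -eq is case-insensitive
    $suffix = $Pattern.Substring(1)                                        # ".external_domainname.com"
    if (-not $Name.ToLower().EndsWith($suffix.ToLower())) { return $false }
    $left = $Name.Substring(0, $Name.Length - $suffix.Length)
    return ($left.Length -gt 0) -and (-not $left.Contains('.'))
}

# Pre-flight: the certificate must be usable and must actually cover the chosen FQDN.
$cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key on this server" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires $($cert.NotAfter)" }
if ($cert.PublicKeySize -lt 2048) {
    # The certificate in the thread has a 1024-bit key.
    Write-Warning "$($cert.PublicKeySize)-bit key; replace with 2048-bit or larger at renewal"
}
$covered = @($cert.CertificateDomains | Where-Object { Test-NameCoveredBy -Name $Fqdn -Pattern "$_" })
if ($covered.Count -eq 0) {
    throw "$Fqdn is not covered by any name on the certificate: $($cert.CertificateDomains -join ', ')"
}

# Bind by name rather than by thumbprint, then restart the two protocol services
# so they pick up the new binding (it is the POP3/IMAP4 services, not IIS, that serve 995/993).
Set-PopSettings  -Server $Server -X509CertificateName $Fqdn
Set-ImapSettings -Server $Server -X509CertificateName $Fqdn
Restart-Service MSExchangePOP3, MSExchangeIMAP4

# Confirm what the services now advertise.
Get-PopSettings  -Server $Server | Select-Object Server, X509CertificateName, SSLBindings
Get-ImapSettings -Server $Server | Select-Object Server, X509CertificateName, SSLBindings
```

Because the binding is by name, make sure only one certificate in the computer's personal store has a name that matches the FQDN you set; if the self-signed certificate also carries that name the lookup is ambiguous. After the restart, confirm from a client with openssl s_client (or the probe added earlier in this thread) that the thumbprint served on 995 and 993 is the third-party one.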