Exchange 2007: Wildcard Certificate. TLS warning.
-
13 February 2012 21:17
I have three certificates installed on our Exchange 2007 server. One is the default self signed cert. Another is another self signed cert. And the third is one purchased from a public CA. I've been trying to plan moving all services off of the self signed cert and onto the third party one. We are using a wildcard certificate. *.external_domainname.com
The other day I changed the FQDN of the POP3 connector through the GUI to webmail.external_domainname.com from servername. It now appears the POP service isn't listed on any of the installed certificates. I tried testing port 995 with OpenSSL and it's retrieving the third party cert correctly.
I get this message when trying to run Enable-ExchangeCertificate -Thumbprint <Thumbprint> -Services POP:
WARNING: This certificate will not be used for external TLS connections with an
FQDN of '*.external_domainname.com' because the self-signed certificate with thumbprint
'<thumbprint>' takes precedence. The following
connectors match that FQDN: POP3.
However the thumbprint listed is not the self signed certificate, the thumbprint is the third party one.
Here is the Get-ExchangeCertificate output:
[PS] C:\Windows\system32>Get-ExchangeCertificate | fl

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {servername, servername.internal_domainname.com}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=servername
NotAfter : 6/3/2012 11:15:00 PM
NotBefore : 6/3/2011 11:15:00 PM
PublicKeySize : 2048
RootCAType : Registry
SerialNumber : Serial Number
Services : IMAP, UM, SMTP
Status : Valid
Subject : CN=servername
Thumbprint : <thumbprint>

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {WMSvc-servername}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=WMSvc-servername
NotAfter : 5/31/2021 11:03:50 PM
NotBefore : 6/3/2011 11:03:50 PM
PublicKeySize : 2048
RootCAType : Registry
SerialNumber : Serial Number
Services : None
Status : Valid
Subject : CN=WMSvc-servername
Thumbprint : <thumbprint>

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {*.external_domainname.com}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=Network Solutions Certificate Authority, O=Network Solutions L.L.C., C=US
NotAfter : 11/10/2012 6:59:59 PM
NotBefore : 11/9/2008 7:00:00 PM
PublicKeySize : 1024
RootCAType : ThirdParty
SerialNumber : Serial Number
Services : IIS
Status : Valid
Subject : CN=*.external_domainname.com, OU=Secure Link SSL Wildcard, OU=IT, O="Company Name", STREET=Address STREET=Address, L=City, S=State, PostalCode=Zip, C=US
Thumbprint : <thumbprint>

I am running Exchange 2007 SP3 with Rollup Update 5
All Replies
-
14 February 2012 13:45
What URL did you configure for POP to use?
Try to enable the services for the 3rd party certificate using
Enable-Exchangecertificate -thumbprint xxxxxx -services "IIS, SMTP, POP, UM"
Jonas Andersson | Microsoft Community Contributor Award 2011 | MCITP: EMA 2007/2010 | Blog: http://www.testlabs.se/blog | Follow me on twitter: jonand82
-
14 February 2012 14:15
Hey Jonas. I used mail.external_domainname.com (our wildcard cert is *.external_domainname.com)
I've tried running Enable-ExchangeCertificate with -services UM and nothing happens. POP gives the above Warning message, it already has IIS on it. I haven't done it with SMTP. Do you have to run the -services switch with all services to work?
-
15 February 2012 8:30 Moderator
Hello,
From the certificate log you provided, no certificate is enabled on the POP3 service. Please double check with it.
Thanks,
Simon
-
15 February 2012 13:16
That's the problem. I am running the command to enable it and getting this:
I get this message when trying to run Enable-ExchangeCertificate -Thumbprint <Thumbprint> -Services POP:
WARNING: This certificate will not be used for external TLS connections with an
FQDN of '*.external_domainname.com' because the self-signed certificate with thumbprint
'<thumbprint>' takes precedence. The following
connectors match that FQDN: POP3.
-
16 February 2012 2:19 Moderator
Hello,
Thanks for the confirmation. Have you referred to this article:
Certificates that contain wildcard characters may not work correctly on an Exchange 2007 Service Pack 1-based server
http://support.microsoft.com/kb/948896
Thanks,
Simon
-
16 February 2012 3:07
We are on Service Pack 3
-
16 February 2012 14:01
What happens when you try to run:
Enable-Exchangecertificate -thumbprint xxxxxx -services "IIS, SMTP, POP, UM"
I read through the link posted by Simon, but I think you have to check with MS Support to confirm whether it's supported to use a wildcard certificate for POP services, or maybe Simon can give you an official answer on it.
Jonas Andersson | Microsoft Community Contributor Award 2011 | MCITP: EMA 2007/2010 | Blog: http://www.testlabs.se/blog | Follow me on twitter: jonand82
-
17 February 2012 1:52 Moderator
Hello,
Please try to run:
Set-POPSettings -Server xxx -X509CertificateName webmail.external_domainname.com
Then restart the IIS service and check if the issue persists.
Thanks,
Simon
- Edited by Simon_Wu Microsoft Contingent Staff, Moderator 17 February 2012 1:52
- Marked as Answer by Simon_Wu Microsoft Contingent Staff, Moderator 22 February 2012 9:01
- Unmarked as Answer by vitalsign0 22 February 2012 13:14
-
22 February 2012 13:15
None of the suggestions here worked. I don't think you can use a wildcard certificate successfully with POP and IMAP. We are purchasing a unified messaging certificate and we'll see how that goes.
-
29 February 2012 0:31
-
08 March 2012 0:45
Configuring Exchange 2010 Services for using Wildcard Certificates:
http://www.windowsinfo.eu/?p=236
Normally you would use this command also for enabling the certificate for other services like POP3 and IMAP4, but this is not possible with wildcard certificates. In that case you have to use Set-ImapSettings -X509CertificateName and Set-PopSettings -X509CertificateName respectively to enable a wildcard certificate on Exchange Server.
- Edited by hewyii 08 March 2012 0:46
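The procedure from Simon's answer and the last post, written out as an Exchange Management Shell script; this is an added example, not code from the thread or from Microsoft. It assumes it runs on the Client Access server, that webmail.external_domainname.com is the hostname clients use (the placeholder from the thread), and that the POP3/IMAP4 Windows services are named MSExchangePOP3 and MSExchangeIMAP4 (an assumption about the Exchange 2007 service names).

```powershell
# Added example: bind a CA-issued wildcard certificate to POP3/IMAP4 on Exchange 2007
# by naming the connector FQDN explicitly, then verify what the services actually use.
$Fqdn   = 'webmail.external_domainname.com'   # placeholder hostname from the thread
$Server = $env:COMPUTERNAME
$Wild   = '*.' + ($Fqdn -replace '^[^.]+\.', '')   # -> *.external_domainname.com

# 1. Find the third-party wildcard certificate; never pick a self-signed one, and
#    refuse a certificate that has no private key or is about to expire.
$cert = Get-ExchangeCertificate | Where-Object {
    -not $_.IsSelfSigned -and $_.HasPrivateKey -and
    (($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $Wild)
}
if (-not $cert) { throw "No third-party certificate for $Wild with a private key" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate $($cert.Thumbprint) expires on $($cert.NotAfter)"
}
Write-Host "Using certificate $($cert.Thumbprint) ($($cert.Subject))"

# 2. Enable-ExchangeCertificate -Services POP/IMAP does not bind a wildcard name to
#    the POP3/IMAP4 connectors (the WARNING quoted in the thread). Point the
#    protocol services at the certificate by the FQDN clients connect to instead.
Set-PopSettings  -Server $Server -X509CertificateName $Fqdn
Set-ImapSettings -Server $Server -X509CertificateName $Fqdn

# 3. The protocol services read the binding at start-up, so restart them
#    (assumed service names for Exchange 2007 POP3/IMAP4).
Restart-Service -Name MSExchangePOP3, MSExchangeIMAP4

# 4. Verify the running configuration; X509CertificateName should now show $Fqdn
#    and SSLBindings should include port 995 / 993.
Get-PopSettings  -Server $Server | Select-Object Server, X509CertificateName, SSLBindings
Get-ImapSettings -Server $Server | Select-Object Server, X509CertificateName, SSLBindings
```

After the restart, the OpenSSL check the original poster describes against port 995 (and 993 for IMAP) confirms which certificate the service presents to clients.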