Exchange 2007: Wildcard Certificate. TLS warning.

    Question

  • I have three certificates installed on our Exchange 2007 server. One is the default self signed cert. Another is another self signed cert. And the third is one purchased from a public CA. I've been trying to plan moving all services off of the self signed cert and onto the third party one. We are using a wildcard certificate. *.external_domainname.com

    The other day I changed the FQDN of the POP3 connector through the GUI to webmail.external_domainname.com from servername. It now appears the POP service isn't listed on any of the installed certificates. I tried testing port 995 with OpenSSL and it's retrieving the third party cert correctly.

    I get this message when trying to run Enable-ExchangeCertificate -Thumbprint <Thumbprint> -Services POP:

    WARNING: This certificate will not be used for external TLS connections with an
     FQDN of '*.external_domainname.com' because the self-signed certificate with thumbprint
    '<thumbprint>' takes precedence. The following
    connectors match that FQDN: POP3.

    However, the thumbprint listed is not the self-signed certificate; the thumbprint is the third party one.

    Here is the Get-ExchangeCertificate output:

    [PS] C:\Windows\system32>Get-ExchangeCertificate | fl


    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                         ssControl.CryptoKeyAccessRule}
    CertificateDomains : {servername, servername.internal_domainname.com}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=servername
    NotAfter           : 6/3/2012 11:15:00 PM
    NotBefore          : 6/3/2011 11:15:00 PM
    PublicKeySize      : 2048
    RootCAType         : Registry
    SerialNumber       : Serial Number
    Services           : IMAP, UM, SMTP
    Status             : Valid
    Subject            : CN=servername
    Thumbprint         : <thumbprint>

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {WMSvc-servername}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=WMSvc-servername
    NotAfter           : 5/31/2021 11:03:50 PM
    NotBefore          : 6/3/2011 11:03:50 PM
    PublicKeySize      : 2048
    RootCAType         : Registry
    SerialNumber       : Serial Number
    Services           : None
    Status             : Valid
    Subject            : CN=WMSvc-servername
    Thumbprint         : <thumbprint>

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {*.external_domainname.com}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=Network Solutions Certificate Authority, O=Network Solu
                         tions L.L.C., C=US
    NotAfter           : 11/10/2012 6:59:59 PM
    NotBefore          : 11/9/2008 7:00:00 PM
    PublicKeySize      : 1024
    RootCAType         : ThirdParty
    SerialNumber       : Serial Number
    Services           : IIS
    Status             : Valid
    Subject            : CN=*.external_domainname.com, OU=Secure Link SSL Wildcard, OU=IT, O="
                         Company Name", STREET=Address STREET=Address, L=City, S=State, PostalCode=Zip, C=US
    Thumbprint         : <thumbprint>

    I am running Exchange 2007 SP3 with Rollup Update 5

    Monday, February 13, 2012 21:17

All replies