It is assumed you have your SSL wildcard certificate already installed on an Exchange 2010 server.
We use Windows Server 2008 R2 Datacenter x64 in this example.
Open the Exchange Management Shell as Administrator and list the SSL certificates that are available:

[PS]> Get-ExchangeCertificate

Thumbprint                      Services   Subject
----------                      --------   -------
1F70359DC0BE9CAD58F965A3C110    ...WS.     CN=*.example.com, OU=IT Dep, O=Example Comp...
0F7FF199B11E662621D80700D04F    ....S.     CN=ExampleDC
When you enable the wildcard *.example.com certificate for the POP service, you normally get the following error:

[PS]> Enable-ExchangeCertificate -Thumbprint 1F70359DC0BE9CAD58F965A3C110 -Services POP

WARNING: This certificate with thumbprint 1F70359DC0BE9CAD58F965A3C110 and subject '*.example.com' cannot used for POP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-POPSettings to set X509CertificateName to the FQDN of the service.
The same applies to IMAP:

[PS]> Enable-ExchangeCertificate -Thumbprint 1F70359DC0BE9CAD58F965A3C110 -Services IMAP

WARNING: This certificate with thumbprint 1F70359DC0BE9CAD58F965A3C110 and subject '*.example.com' cannot used for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-IMAPSettings to set X509CertificateName to the FQDN of the service.
Set the FQDN for the POP service to fix the error. The name must be one the wildcard certificate actually covers (a single label under example.com), and it is the name clients will validate against:
[PS]> Set-POPSettings -X509CertificateName exchange2010.example.com
Do the same for the IMAP service:
[PS]> Set-IMAPSettings -X509CertificateName exchange2010.example.com
Verify the POP settings:

[PS]> Get-POPSettings

UnencryptedOrTLSBindings   SSLBindings             LoginType     X509CertificateName
------------------------   -----------             ---------     -------------------
{:::110, 0.0.0.0:110}      {:::995, 0.0.0.0:995}   SecureLogin   exchange2010.example...
Verify the IMAP settings:

[PS]> Get-IMAPSettings

UnencryptedOrTLSBindings   SSLBindings             LoginType     X509CertificateName
------------------------   -----------             ---------     -------------------
{:::143, 0.0.0.0:143}      {:::993, 0.0.0.0:993}   SecureLogin   exchange2010.example...
Restart the POP and IMAP services so they pick up the new certificate name:

[PS]> Restart-Service MSExchangePOP3
[PS]> Restart-Service MSExchangeIMAP4
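The whole procedure above, as one script for the Exchange Management Shell. This is an added example and not code from the original post: before changing anything it checks that the chosen certificate has a private key, has not expired and actually covers the FQDN you are about to set (a wildcard matches exactly one label), because a name that the certificate does not cover would leave every POP/IMAP client with a certificate mismatch. The thumbprint and FQDN are the placeholder values from the post, and Test-CertificateCoversName is a helper written here, not an Exchange cmdlet.

```powershell
# Added example (not from the original post). Run in Exchange Management Shell.
# Assumptions: $Thumbprint and $ServiceFqdn are placeholders taken from the post;
# Test-CertificateCoversName is a local helper, not an Exchange cmdlet.
param(
    [string]$Thumbprint  = '1F70359DC0BE9CAD58F965A3C110',   # placeholder from the post
    [string]$ServiceFqdn = 'exchange2010.example.com'        # name clients will connect to
)

# A certificate name covers a host if it matches exactly, or if it is a wildcard
# whose single '*' label replaces exactly one leftmost label of the host name.
function Test-CertificateCoversName {
    param([string[]]$CertificateDomains, [string]$HostName)
    foreach ($domain in $CertificateDomains) {
        if ($domain -ieq $HostName) { return $true }
        if ($domain.StartsWith('*.')) {
            $suffix       = $domain.Substring(2)
            $hostLabels   = $HostName.Split('.')
            $suffixLabels = $suffix.Split('.')
            # The wildcard must stand for exactly one label; the remainder must match.
            if ($hostLabels.Count -eq ($suffixLabels.Count + 1) -and
                $HostName.Substring($hostLabels[0].Length + 1) -ieq $suffix) {
                return $true
            }
        }
    }
    return $false
}

# Pre-flight checks on the certificate we intend to use.
$cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key; POP/IMAP cannot use it."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $Thumbprint expired on $($cert.NotAfter)."
}
if (-not (Test-CertificateCoversName $cert.CertificateDomains $ServiceFqdn)) {
    throw "Certificate $Thumbprint does not cover $ServiceFqdn; clients would see a name mismatch."
}

# Point both services at the FQDN instead of enabling the wildcard cert directly.
Set-POPSettings  -X509CertificateName $ServiceFqdn
Set-IMAPSettings -X509CertificateName $ServiceFqdn

# Restart so the running services pick up the new certificate name.
Restart-Service MSExchangePOP3
Restart-Service MSExchangeIMAP4

# Verify: both services should now report the FQDN and still have SSL bindings.
$results = @{ 'POP3' = (Get-POPSettings); 'IMAP4' = (Get-IMAPSettings) }
foreach ($svc in $results.Keys) {
    $settings = $results[$svc]
    if ($settings.X509CertificateName -ne $ServiceFqdn) {
        Write-Warning ("{0}: expected {1}, got {2}" -f $svc, $ServiceFqdn, $settings.X509CertificateName)
    } else {
        Write-Host ("{0}: X509CertificateName={1}; SSLBindings={2}" -f `
            $svc, $settings.X509CertificateName, ($settings.SSLBindings -join ', '))
    }
}
```

Save it as a .ps1 and run it from the Exchange Management Shell with your own thumbprint and name, for example `.\Set-PopImapCert.ps1 -Thumbprint <thumbprint> -ServiceFqdn mail.example.com`. The pre-flight checks are the part worth keeping: Exchange will accept any string as X509CertificateName, so nothing on the server side stops you from naming a host the certificate does not cover.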
Very helpful! Thanks for putting this up!
One small typo:
Restart-service MSExchangePOP
should be
Restart-service MSExchangePOP3
Great post though! Definitely helped!
Thanks, fixed the typo.
Hello, I entered those commands, but in the Exchange Management Console next to the certificate I don't see IMAP and POP for my wildcard cert, just IIS and SMTP :(
Once I enter the Set- commands, Exchange answers with this message:
WARNUNG: Der Befehl wurde erfolgreich abgeschlossen, es wurden jedoch keine Einstellungen von ‘MX03-HAM-DE\1’ geändert.
It is saying something like: Warning: Command was executed successfully, but no settings were changed for mx03-ham-de.
:(
I’m not sure I understand your problem. You won’t see IMAP and POP under Exchange management console. At least I don’t see them on Exchange 2010.
Have you verified the IMAP and POP settings via PowerShell? Do they work?
Hi, thanks for your reply.
On the management shell it looks like this (for Autodiscover we use the wildcard cert, too):
It indicates that the options you’re trying to set via the Set-POPSettings and Set-IMAPSettings commands are already set.
And when you run Get-POPSettings and Get-IMAPSettings commands, you can see that the wildcard certificate has been configured.
Ah OK, so I will not see that it is working in the Exchange Management Console or on the shell with the Get-ExchangeCertificate cmdlet?
Thanks for your help :)
You see a wildcard certificate is configured when you run Get-POPSettings and Get-IMAPSettings commands.
Hey, I am having a bit of an issue. My previously enabled cert and URL were both mail.xxx.com.au. I am trying to get the wildcard to be the enabled cert but am having issues, see below.
But the FQDN has been set correctly, as per below.
Tried Set-IMAPSettings -X509CertificateName *.xxx.com.au … No luck.
Tried Set-IMAPSettings -X509CertificateName mail.xxx.com.au, which worked, but I cannot set the cert.
I am wondering if there is anything I am doing wrong?
I see that your IMAP settings are OK. What does not work in particular?
The issue is that when I attempt to assign the certificate to the services:
1st, this one:
Set-IMAPSettings -X509CertificateName mail.xxx.com.au
2nd is this:
Enable-ExchangeCertificate -Thumbprint C570F6FC8ED01D153AD28244B1A086B78EB643FE -Services IMAP
Have also tried via the GUI; I get the same error for each:
cannot used for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-IMAPSettings to set X509CertificateName to the FQDN of the service.
From what I have gathered, doing the above should set the cert and not error. Am I incorrect, and will it error either way but just work?
Once you set the FQDN you no longer need to enable the certificate. It will work despite the error being displayed (welcome to MS).
Have you actually tried retrieving emails via IMAPS? Does it work?
Nah, haven't tried; as soon as I got the error I backed out... Will try again tonight. Even though I get the error, will it be displayed as enabled under the EMC?
It should be displayed as enabled under the EMC, but only for IIS and SMTP services.
Cool, have done it for the passive node, will try on the active tonight. Anyway, is there a way to see what cert is running for what services after I replace it, since I can't use the EMC?
Cool, tried and nope, no way to see the services for a certificate, even via PowerShell.
[PS] C:\Windows\system32>Get-ExchangeCertificate |fl
AccessRules :
CertificateDomains : {*.xxxx.com.au, xxxx.com.au}
HasPrivateKey : True
IsSelfSigned : False
Issuer : [email protected], CN="Trustwave Organization Validation SHA256 CA, Level 1", O="Trustwave Holdings, Inc.", L=Chicago, S=Illinois, C=US
NotAfter : 9/01/2018 9:01:03 AM
NotBefore : 8/01/2015 3:01:03 AM
PublicKeySize : 2048
RootCAType : ThirdParty
SerialNumber : 065ED959941D865DC8159E25CC5FE8A8DA2A34
Services : IIS, SMTP
Status : Valid
Subject :
Thumbprint : C570F6FC8ED01D153AD28244B1A086B78EB643FE
AccessRules :
CertificateDomains : {AD-I-EXCHANGE01, AD-I-EXCHANGE01.xxx.xxx.com}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=AD-I-EXCHANGE01
NotAfter : 10/09/2018 4:41:32 PM
NotBefore : 10/09/2013 4:41:32 PM
PublicKeySize : 2048
RootCAType : None
SerialNumber : 5F69F31970CB849247590421CF3481E2
Services : SMTP
Status : Valid
Subject : CN=AD-I-EXCHANGE01
Thumbprint : FC8ABF4DDB1B61B1CF338859807E1A3B978480ED
I normally use OpenSSL to check SSL certificates, the ciphers in use, etc. For IMAPS it would be something like:
Change the port and you can check the SSL certificates for SMTPS, POP3S, IMAPS, HTTPS, etc. You get the idea.
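The same check done from PowerShell rather than OpenSSL, as an added example that is not part of the original post or its comments: it opens a TLS session to an implicit-TLS port (IMAPS 993, POP3S 995), records which certificate the server presented and what the .NET chain validation thought of it (name mismatch, untrusted chain, and so on), and so answers the question above about seeing which certificate is actually serving which port. The host name is the placeholder from the post; Get-PresentedCertificate is a helper written here. It covers only ports that start TLS immediately, not STARTTLS on 587 or 143.

```powershell
# Added example (not from the original post). Shows which certificate a server
# presents on implicit-TLS ports and whether it validates for the given name.
# Assumptions: $ServerName is a placeholder from the post; Get-PresentedCertificate
# is a local helper. Implicit TLS only (993/995), not STARTTLS ports.
param(
    [string]$ServerName = 'exchange2010.example.com',   # placeholder from the post
    [int[]]$Ports       = @(993, 995)                   # IMAPS, POP3S
)

function Get-PresentedCertificate {
    param([string]$ComputerName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        # Record the policy result instead of aborting the handshake, so a bad
        # certificate is reported rather than hidden behind an exception.
        $state = @{ Errors = $null }
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $sslPolicyErrors)
            $state.Errors = $sslPolicyErrors
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        # The name passed here is what the server certificate is matched against,
        # exactly as a mail client would do it.
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        New-Object PSObject -Property @{
            Server       = $ComputerName
            Port         = $Port
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            Protocol     = $ssl.SslProtocol
            PolicyErrors = $state.Errors      # 'None' means the cert validates for this name
        }
        $ssl.Close()
    } finally {
        $client.Close()
    }
}

foreach ($p in $Ports) {
    Get-PresentedCertificate -ComputerName $ServerName -Port $p | Format-List
}
```

Compare the Thumbprint reported for each port with the output of Get-ExchangeCertificate; after the Set-POPSettings/Set-IMAPSettings change and service restart it should be the wildcard certificate's thumbprint, and PolicyErrors should be None for the name you set as X509CertificateName. A RemoteCertificateNameMismatch here means the name you configured is not covered by the certificate, which is precisely the mismatch clients would report.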
[PS]> Set-IMAPSettings -X509CertificateName exchange2010.example.com
From the command above, what is "exchange2010"?
Is it the Exchange server name, the Exchange product, or ???, as I am using Exchange 2013 SP1.
It’s simply a subdomain I use for Exchange 2010. It can be anything you like basically.
Thanks
Just to clarify further, will I need to create a DNS record for the name used?
Or use "mail" or "owa", which are my current external URLs, owa.domain_name or mail.domain_name?
At the moment the POP and IMAP certificate is set to the default self-signed certificate created during Exchange installation, whose CN is the Exchange server name.
You need a valid DNS record if you are planning to use it, otherwise it won’t resolve.
This works great. Thank you!
The issue now is with outgoing email over IMAP. Is there a way to assign the wildcard cert to the outgoing (port 587)? Please advise.
Thank you
As far as I know, port 587 is used for SMTP e-mail message submission and not for IMAP.
I replaced my SAN certificate with a wildcard, and did as you said.
Can I now delete the old certificate from the EMC?
Create a backup, ensure the new certificate works, and then delete the old certificate.
Thanks for this! If the previous cert was name.domain.com and the new cert is *.domain.com, and you run Get-POPSettings and Get-IMAPSettings and they still say name.domain.com, is that good enough?
Does it work? If it does, then it’s probably good enough.