Configure Wildcard SSL Certificate for POP/IMAP on Exchange 2010 (PowerShell)

It is assumed you have your SSL wildcard certificate already installed on an Exchange 2010 server.

We use Windows Server 2008 R2 Datacenter x64 in this example.

Open Exchange Management Shell as Administrator and get a list of SSL certificates that are available:

[PS]> Get-ExchangeCertificate

Thumbprint                    Services  Subject
----------                              --------  -------
1F70359DC0BE9CAD58F965A3C110  ...WS.    CN=*.example.com, OU=IT Dep, O=Example Comp...
0F7FF199B11E662621D80700D04F  ....S.    CN=ExampleDC

When you enable the wildcard *.example.com certificate for POP service, you normally get the following error:

[PS]> Enable-ExchangeCertificate -Thumbprint 1F70359DC0BE9CAD58F965A3C110 -Services POP
WARNING: This certificate with thumbprint 1F70359DC0BE9CAD58F965A3C110 and subject '*.example.com' cannot used for POP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-POPSettings to set X509CertificateName to the FQDN of the service.

The same applies to IMAP:

[PS]> Enable-ExchangeCertificate -Thumbprint 1F70359DC0BE9CAD58F965A3C110 -Services IMAP
WARNING: This certificate with thumbprint 1F70359DC0BE9CAD58F965A3C110 and subject '*.example.com' cannot used for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-IMAPSettings to set X509CertificateName to the FQDN of the service.

Set FQDN for POP service to fix the error:

[PS]> Set-POPSettings -X509CertificateName exchange2010.example.com

Do the same for IMAP service:

[PS]> Set-IMAPSettings -X509CertificateName exchange2010.example.com

Verify POP settings:

[PS]> Get-POPSettings

UnencryptedOrTLSBindings  SSLBindings            LoginType    X509CertificateName
------------------------  -----------            ---------    -------------------
{:::110, 0.0.0.0:110}     {:::995, 0.0.0.0:995}  SecureLogin  exchange2010.example...

Verify IMAP settings:

[PS]> Get-IMAPSettings

UnencryptedOrTLSBindings  SSLBindings            LoginType    X509CertificateName
------------------------  -----------            ---------    -------------------
{:::143, 0.0.0.0:143}     {:::993, 0.0.0.0:993}  SecureLogin  exchange2010.example...

Restart POP and IMAP services:

[PS]> Restart-service MSExchangePOP3
[PS]> Restart-service MSExchangeIMAP4

47 thoughts on “Configure Wildcard SSL Certificate for POP/IMAP on Exchange 2010 (PowerShell)

  1. one small type-o
    Restart-service MSExchangePOP
    should be
    Restart-service MSExchangePOP3
    Great post tho! Def helped!

  2. Hello, i entered those commands but in the exchange management console next to the certificate i dont see IMAP and POP for my wildcard cert. just iis and smtp :(
    once i enter the set-commands exchange answers with this message:
    WARNUNG: Der Befehl wurde erfolgreich abgeschlossen, es wurden jedoch keine Einstellungen von ‘MX03-HAM-DE\1’ geändert.

    It is saying something like: Warning: Command was executed successful, but no settings where changed for mx03-ham-de.

    :(

    • I’m not sure I understand your problem. You won’t see IMAP and POP under Exchange management console. At least I don’t see them on Exchange 2010.

      Have you verified IMAP and POP settings via powershell? Do they work?

  3. Hi, thx for your reply.
    On the mgmt shell it looks like this (for autodiscover we use wildcard cert, too):

    [PS] C:\Windows\system32>Set-POPSettings -X509CertificateName xxx.xxx.com
    WARNUNG: Der Befehl wurde erfolgreich abgeschlossen, es wurden jedoch keine Einstellungen von 'MX03-HAM-DE\1' geändert.
    [PS] C:\Windows\system32>Set-IMAPSettings -X509CertificateName xxx.xxx.com
    WARNUNG: Der Befehl wurde erfolgreich abgeschlossen, es wurden jedoch keine Einstellungen von 'MX03-HAM-DE\1' geändert.
    [PS] C:\Windows\system32> Get-POPSettings
    
    UnencryptedOrTLSBindings  SSLBindings                       LoginType                         X509CertificateName
    ------------------------  -----------                       ---------                         -------------------
    {:::110, 0.0.0.0:110}     {:::995, 0.0.0.0:995}             SecureLogin                       xxx.xxx...
    
    
    [PS] C:\Windows\system32>
    [PS] C:\Windows\system32>Get-IMAPSettings
    
    UnencryptedOrTLSBindings  SSLBindings                       LoginType                         X509CertificateName
    ------------------------  -----------                       ---------                         -------------------
    {:::143, 0.0.0.0:143}     {:::993, 0.0.0.0:993}             PlainTextLogin                    xxx.xxx...
    
    
    [PS] C:\Windows\system32>Restart-service MSExchangePOP3
    WARNUNG: Warten auf Start des Diensts "Microsoft Exchange POP3 (MSExchangePOP3)"...
    [PS] C:\Windows\system32>Restart-service MSExchangeIMAP4
    WARNUNG: Warten auf Start des Diensts "Microsoft Exchange IMAP4 (MSExchangeIMAP4)"...
    WARNUNG: Warten auf Start des Diensts "Microsoft Exchange IMAP4 (MSExchangeIMAP4)"...
    
    [PS] C:\Windows\system32> Get-ExchangeCertificate
    
    Thumbprint                                Services   Subject
    ----------                                --------   -------
    E68ED783F607C550958C5751B460E3EDDBFE3B84  ...WS.     CN=*.xxx.com, OU=PositiveSSL Wildcard, OU=Domain Con...
    37586FFB50C8D3665BA0554456A560508C2B9000  ....S.     CN=mx03-ham-de
    7464DC695880B8A51DD34710784351E6F7F0F460  ......     CN=autodiscover.xxx.com, OU=Domain Validated, OU=Tha...
    
    
    [PS] C:\Windows\system32>
    • It indicates that the options you’re trying to set via the Set-POPSettings and Set-IMAPSettings commands are already set.

      And when you run Get-POPSettings and Get-IMAPSettings commands, you can see that the wildcard certificate has been configured.

    • Ah ok, so I will not see that it is working in the Exchange Management Console or on the Shell with the get-exchangecertificate cmd?

      Thx for your help :)

  4. Hey i am having a bit of an issue my previous enabled cert and url where both mail.xxx.com.au am trying to get the wildcard to be the enabled cert but having issues see below.

    [PS] C:\Windows\system32>Enable-ExchangeCertificate -Thumbprint C570F6FC8ED01D153AD28244B1A086B78EB643FE -Services IMAP
    WARNING: This certificate with thumbprint C570F6FC8ED01D153AD28244B1A086B78EB643FE and subject '*.xxx.com.au'
    cannot used for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command
    Set-IMAPSettings to set X509CertificateName to the FQDN of the service.

    But the FQDN has been set correctly as per below

    UnencryptedOrTLSBindings  SSLBindings            LoginType     X509CertificateName
    ------------------------  -----------            ---------     -------------------
    {:::143, 0.0.0.0:143}     {:::993, 0.0.0.0:993}  SecureLogin   mapi.certegy.com.au

    Tried Set-ImapSettings -X509CertificateName *.xxx.com.au … No luck

    Tried set-imapsettings -x509Certificatename mail.xxx.com.au worked but cannot set the cert.

    I am wondering if there is anything i am doing wrong?

  5. Issue is that when i attempt to assign the Certificate to the services

    1st this one.
    set-imapsettings -x509Certificatename mail.xxx.com.au

    2nd is this

    Enable-ExchangeCertificate -Thumbprint C570F6FC8ED01D153AD28244B1A086B78EB643FE -Services IMAP

    have also tried via the gui get the same error for each.

    cannot used for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-IMAPSettings to set X509CertificateName to the FQDN of the service.

    From what i have gathered doing the above it should set the cert and not error. Am i incorrect and it will error either way but just work?

    • Once you set the FQDN you no longer need to enable the certificate. It will work despite the error being displayed (welcome to MS).

      Have you actually tried retrieving emails via IMAPS? Does it work?

  6. Nah haven’t tried as soon as I got the error I backed out….Will try again tonight. Even though I get the error will it be displayed as enabled under the EMC?

  7. Cool have done for the passive node will try on the active tonight anyway to see what cert is running for what services after I replace since I can’t use the emc?

  8. Cool tried and nope no way to see services to a certificate even via powershell.

    [PS] C:\Windows\system32>Get-ExchangeCertificate |fl

    AccessRules :
    CertificateDomains : {*.xxxx.com.au, xxxx.com.au}
    HasPrivateKey : True
    IsSelfSigned : False
    Issuer : [email protected], CN=”Trustwave Organization Validation SHA256 CA, Level 1″, O=”Trustwave Holdin
    gs, Inc.”, L=Chicago, S=Illinois, C=US
    NotAfter : 9/01/2018 9:01:03 AM
    NotBefore : 8/01/2015 3:01:03 AM
    PublicKeySize : 2048
    RootCAType : ThirdParty
    SerialNumber : 065ED959941D865DC8159E25CC5FE8A8DA2A34
    Services : IIS, SMTP
    Status : Valid
    Subject :
    Thumbprint : C570F6FC8ED01D153AD28244B1A086B78EB643FE

    AccessRules :
    CertificateDomains : {AD-I-EXCHANGE01, AD-I-EXCHANGE01.xxx.xxx.com}
    HasPrivateKey : True
    IsSelfSigned : True
    Issuer : CN=AD-I-EXCHANGE01
    NotAfter : 10/09/2018 4:41:32 PM
    NotBefore : 10/09/2013 4:41:32 PM
    PublicKeySize : 2048
    RootCAType : None
    SerialNumber : 5F69F31970CB849247590421CF3481E2
    Services : SMTP
    Status : Valid
    Subject : CN=AD-I-EXCHANGE01
    Thumbprint : FC8ABF4DDB1B61B1CF338859807E1A3B978480ED

    • I normally use OpenSSL to check for SSL certificates, ciphers that are in use etc. For IMAPS it would be something like:

      openssl s_client -connect example.com:993

      Change the port and you can check SSL certificates for SMTPS, POP3S, IMAPS, HTTPS etc. You get the idea.

  9. [PS]> Set-IMAPSettings -X509CertificateName exchange2010.example.com

    From the command, what is “exchange2010”? from the command above

    Is it the exchange server name or exchange product or ???, as I am using Exchange 2013 SP1,

    • Thanks
      Just to clarify further, will I need to create a DNS record for the name used.

      Or use “Mail” or “OWA” which my current external URL OWA.domain_name or mail.domain_name?

      At the moment the POP and IMAP certificate is set to the default self-signed certificate created during Exchange installation which CN=Exchange servername

  10. This works great. Thank you!
    The issue now is with the Outgoing email over IMAP. is there a way to assign the wildcard cert to the outgoing (Port 587). Please advise.

    Thank you

  11. I replaced my SAN certificate with wildcard, and did as you said.
    can i now delete old certificate from EMC?

  12. Thanks for this! – If the previous cert was name.domain.com and the new cert is *.domain.com and you do the Get-POPSettings and Get-IMAPSettings and they still say name.domain.com is that good enough?

  13. It would be handy if you mentioned at the end of the article that you no longer need to run Enable-ExchangeCertificate . I assumed after adding the FQDN that I would and spent a few minutes trying to figure out why it still didn’t work. Luckily you had answered this already in the comments.

    • Thanks for your feedback. If you follow the article, you will see that it explains what to do in order to fix the problem you get if you run Enable-ExchangeCertificate.

  14. Hi Tomas,

    currently, i am using wildcard ss certificate ( purchased from godaddy) on our exchange server two client access servers(nlb configured) and two mailbox servers(DAG configured) and ssl is assigned to iis and smtp services shown ecp console. working fine for outlook and webmail users.
    Now i want to enable imap on our exchange server because we want to use imap mailbox for our Jira service desk application for receiving emails. what are steps to follow to enable imap on our exchange server and assign this wildcard ssl certificate to imap without affecting our current email setup. i will not use imap for our users, i need this imap only for one mailbox to be configured in our jira service desk as there is no exchange protocol option for receiving emails. only available options are pop anad imap.

    please advise how to enable imap on our exchange server and assingn existing wildcard ssl cert to this imap without disturbing our current setup.

    thanks in advance.

  15. I see that for a lot of people it has not been working yet (for IMAP). I had the same issue and the above did not solve it.
    Apparently there’s a bug that came with an update of Exchange 2013.
    Type: Get-ServerComponentState
    Enter your server name (FQDN) as identity
    Then you’ll see that the ImapProxy state shows as Inactive.

    This can be fixed in registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v15\ServerComponentStates\ImapProxy Functional from 1:0:635797425487970123 to 1:1:635797425487970123

    Then restart your IMAP service:
    Restart-service MSExchangeIMAP4

    Hope this will help.

  16. Thanks Cyril, you’re a life saver.

    I noticed two other services which were hanging, kind of hoping that’s what’s been causing issues with migrating users to O365 (ProvisioningRPS, ForwardsyncDaemon )

  17. Unfortunately this didn’t work for me. Old cert was a multiname cert. Upgraded to a wildcard cert.

    X509CertificateName for both have already been set. Still get the same error.

    WARNING: This certificate with thumbprint ***** and subject ‘*.domain.com’ cannot used for POP SSL/TLS connections
    because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-POPSettings to set X509CertificateName to the FQDN of the service.

    • Or am I understanding this wrong? Is it that you DO NOT have to bind the service? Simply setting the FQDN is enough?

    • Confirmed. You can NEVER bind IMAP or POP3 to the wildcard cert. Simply setting the FQDN via powershell is enough.

  18. Thank you for this quick reference. I have this bookmarked as its helped me resolve some unrelated issues with exchange. However, according to the Microsoft documentation for Set-POPSettings and Set-IMAPSettings, you dont need to assign the wildcard to the IMAP or POP services. You only need to assign the wildcard to the SMTP and IIS service. (IIS only if you need to support OWA.)

    Excerpt from Microsoft docs:
    “If you use a wildcard certificate, you don’t need to assign the certificate to the Exchange POP service.”
    “If you use a wildcard certificate, you don’t need to assign the certificate to the Exchange IMAP service.”

    References:
    1. https://docs.microsoft.com/en-us/powershell/module/exchange/client-access/set-popsettings?view=exchange-ps#parameters
    2. https://docs.microsoft.com/en-us/powershell/module/exchange/client-access/set-imapsettings?view=exchange-ps#parameters

  19. Hello,

    for exchange 2013 :

    Get-ServerComponentState -Identity server

    if imapproxy is down :

    Set-ServerComponentState -Identity -Component IMAPProxy -State Active -Requester HealthAPI

    Best regards,

    PP

  20. Hello, our wildcard cert is already binded with IMAPS after following the instructions above more than a year ago and now is expiring soon. I presume that I only need to run “Enable-ExchangeCertificate -Thumbprint xxxx -Services IMAP” to import a new wildcard certificate right since the renewed cert has a new thumbprint, am I correct?
    It’s just the same subject name basically

Leave a Reply

Your email address will not be published. Required fields are marked *