Configure Wildcard SSL Certificate for POP/IMAP on Exchange 2010 (PowerShell)

It is assumed you have your SSL wildcard certificate already installed on an Exchange 2010 server.

We use Windows Server 2008 R2 Datacenter x64 in this example.

Open Exchange Management Shell as Administrator and get a list of SSL certificates that are available:

[PS]> Get-ExchangeCertificate

Thumbprint                    Services  Subject
----------                    --------  -------
1F70359DC0BE9CAD58F965A3C110  ...WS.    CN=*.example.com, OU=IT Dep, O=Example Comp...
0F7FF199B11E662621D80700D04F  ....S.    CN=ExampleDC

When you try to enable the wildcard *.example.com certificate for the POP service, you normally get the following warning and the service is not enabled:

[PS]> Enable-ExchangeCertificate -Thumbprint 1F70359DC0BE9CAD58F965A3C110 -Services POP
WARNING: This certificate with thumbprint 1F70359DC0BE9CAD58F965A3C110 and subject '*.example.com' cannot used for POP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-POPSettings to set X509CertificateName to the FQDN of the service.

The same applies to IMAP:

[PS]> Enable-ExchangeCertificate -Thumbprint 1F70359DC0BE9CAD58F965A3C110 -Services IMAP
WARNING: This certificate with thumbprint 1F70359DC0BE9CAD58F965A3C110 and subject '*.example.com' cannot used for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-IMAPSettings to set X509CertificateName to the FQDN of the service.

Set the FQDN for the POP service (the name clients connect to; it must be covered by the wildcard) to fix the error:

[PS]> Set-POPSettings -X509CertificateName exchange2010.example.com

Do the same for the IMAP service:

[PS]> Set-IMAPSettings -X509CertificateName exchange2010.example.com

Verify POP settings:

[PS]> Get-POPSettings

UnencryptedOrTLSBindings  SSLBindings            LoginType    X509CertificateName
------------------------  -----------            ---------    -------------------
{:::110, 0.0.0.0:110}     {:::995, 0.0.0.0:995}  SecureLogin  exchange2010.example...

Verify IMAP settings:

[PS]> Get-IMAPSettings

UnencryptedOrTLSBindings  SSLBindings            LoginType    X509CertificateName
------------------------  -----------            ---------    -------------------
{:::143, 0.0.0.0:143}     {:::993, 0.0.0.0:993}  SecureLogin  exchange2010.example...

Restart the POP3 and IMAP4 services so the new certificate is picked up:

[PS]> Restart-Service MSExchangePOP3
[PS]> Restart-Service MSExchangeIMAP4
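
The whole procedure as one script, added here as an example and not the post's own code: before it touches anything it confirms the chosen certificate is valid, has its private key and actually covers the FQDN under the wildcard rule, then it sets the FQDN on both services, verifies the result (including that logins require TLS) and restarts the services. The FQDN and the thumbprint are assumed values.

```powershell
# Assumed values (not from the post): the name clients use and the wildcard cert.
$Fqdn       = 'exchange2010.example.com'      # must resolve in DNS to this server
$Thumbprint = '1F70359DC0BE9CAD58F965A3C110'   # from Get-ExchangeCertificate

# Same rule clients apply: '*.example.com' covers exactly one extra label, so it
# matches exchange2010.example.com but not example.com or a.b.example.com.
function Test-CertCoversFqdn {
    param([string[]]$CertDomains, [string]$Name)
    foreach ($d in $CertDomains) {
        if ($d -ieq $Name) { return $true }
        if ($d.StartsWith('*.') -and $Name.EndsWith($d.Substring(1), 'OrdinalIgnoreCase')) {
            $left = $Name.Substring(0, $Name.Length - $d.Length + 1)
            if ($left.Length -gt 0 -and -not $left.Contains('.')) { return $true }
        }
    }
    return $false
}

$cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
if ($cert.Status -ne 'Valid' -or -not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint is not usable: Status=$($cert.Status) HasPrivateKey=$($cert.HasPrivateKey)"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); renew it before reassigning services"
}
if (-not (Test-CertCoversFqdn $cert.CertificateDomains $Fqdn)) {
    throw "Certificate domains $($cert.CertificateDomains -join ', ') do not cover $Fqdn; clients would see a name mismatch"
}

# Enable-ExchangeCertificate -Services POP/IMAP only warns on a wildcard subject;
# setting the FQDN on each service is what actually selects the certificate.
Set-POPSettings  -X509CertificateName $Fqdn
Set-IMAPSettings -X509CertificateName $Fqdn

foreach ($svc in 'POP', 'IMAP') {
    $cfg = & "Get-${svc}Settings"
    if ($cfg.X509CertificateName -ne $Fqdn) {
        throw "$svc still reports X509CertificateName '$($cfg.X509CertificateName)'"
    }
    # SecureLogin makes clients negotiate TLS before sending credentials;
    # PlainTextLogin (seen in one of the comments) allows passwords in the clear.
    if ($cfg.LoginType -ne 'SecureLogin') {
        Write-Warning "$svc LoginType is $($cfg.LoginType); consider Set-${svc}Settings -LoginType SecureLogin"
    }
}

Restart-Service MSExchangePOP3, MSExchangeIMAP4
```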

28 thoughts on “Configure Wildcard SSL Certificate for POP/IMAP on Exchange 2010 (PowerShell)”

  1. one small typo
    Restart-service MSExchangePOP
    should be
    Restart-service MSExchangePOP3
    Great post tho! Def helped!

  2. Hello, I entered those commands but in the Exchange Management Console next to the certificate I don't see IMAP and POP for my wildcard cert, just IIS and SMTP :(
    Once I enter the set-commands Exchange answers with this message:
    WARNUNG: Der Befehl wurde erfolgreich abgeschlossen, es wurden jedoch keine Einstellungen von ‘MX03-HAM-DE\1’ geändert.

    It is saying something like: Warning: Command was executed successfully, but no settings were changed for mx03-ham-de.

    :(

    • I’m not sure I understand your problem. You won’t see IMAP and POP under Exchange management console. At least I don’t see them on Exchange 2010.

      Have you verified IMAP and POP settings via powershell? Do they work?

  3. Hi, thx for your reply.
    On the mgmt shell it looks like this (for autodiscover we use wildcard cert, too):

    [PS] C:\Windows\system32>Set-POPSettings -X509CertificateName xxx.xxx.com
    WARNUNG: Der Befehl wurde erfolgreich abgeschlossen, es wurden jedoch keine Einstellungen von 'MX03-HAM-DE\1' geändert.
    [PS] C:\Windows\system32>Set-IMAPSettings -X509CertificateName xxx.xxx.com
    WARNUNG: Der Befehl wurde erfolgreich abgeschlossen, es wurden jedoch keine Einstellungen von 'MX03-HAM-DE\1' geändert.
    [PS] C:\Windows\system32> Get-POPSettings
    
    UnencryptedOrTLSBindings  SSLBindings                       LoginType                         X509CertificateName
    ------------------------  -----------                       ---------                         -------------------
    {:::110, 0.0.0.0:110}     {:::995, 0.0.0.0:995}             SecureLogin                       xxx.xxx...
    
    
    [PS] C:\Windows\system32>
    [PS] C:\Windows\system32>Get-IMAPSettings
    
    UnencryptedOrTLSBindings  SSLBindings                       LoginType                         X509CertificateName
    ------------------------  -----------                       ---------                         -------------------
    {:::143, 0.0.0.0:143}     {:::993, 0.0.0.0:993}             PlainTextLogin                    xxx.xxx...
    
    
    [PS] C:\Windows\system32>Restart-service MSExchangePOP3
    WARNUNG: Warten auf Start des Diensts "Microsoft Exchange POP3 (MSExchangePOP3)"...
    [PS] C:\Windows\system32>Restart-service MSExchangeIMAP4
    WARNUNG: Warten auf Start des Diensts "Microsoft Exchange IMAP4 (MSExchangeIMAP4)"...
    WARNUNG: Warten auf Start des Diensts "Microsoft Exchange IMAP4 (MSExchangeIMAP4)"...
    
    [PS] C:\Windows\system32> Get-ExchangeCertificate
    
    Thumbprint                                Services   Subject
    ----------                                --------   -------
    E68ED783F607C550958C5751B460E3EDDBFE3B84  ...WS.     CN=*.xxx.com, OU=PositiveSSL Wildcard, OU=Domain Con...
    37586FFB50C8D3665BA0554456A560508C2B9000  ....S.     CN=mx03-ham-de
    7464DC695880B8A51DD34710784351E6F7F0F460  ......     CN=autodiscover.xxx.com, OU=Domain Validated, OU=Tha...
    
    
    [PS] C:\Windows\system32>

    • It indicates that the options you’re trying to set via the Set-POPSettings and Set-IMAPSettings commands are already set.

      And when you run Get-POPSettings and Get-IMAPSettings commands, you can see that the wildcard certificate has been configured.

    • Ah ok, so I will not see that it is working in the Exchange Management Console or on the Shell with the get-exchangecertificate cmd?

      Thx for your help :)

  4. Hey, I am having a bit of an issue. My previously enabled cert and URL were both mail.xxx.com.au. I am trying to get the wildcard to be the enabled cert but am having issues, see below.

    [PS] C:\Windows\system32>Enable-ExchangeCertificate -Thumbprint C570F6FC8ED01D153AD28244B1A086B78EB643FE -Services IMAP
    WARNING: This certificate with thumbprint C570F6FC8ED01D153AD28244B1A086B78EB643FE and subject '*.xxx.com.au'
    cannot used for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command
    Set-IMAPSettings to set X509CertificateName to the FQDN of the service.

    But the FQDN has been set correctly as per below

    UnencryptedOrTLSBindings  SSLBindings            LoginType     X509CertificateName
    ------------------------  -----------            ---------     -------------------
    {:::143, 0.0.0.0:143}     {:::993, 0.0.0.0:993}  SecureLogin   mapi.certegy.com.au

    Tried Set-ImapSettings -X509CertificateName *.xxx.com.au … No luck

    Tried set-imapsettings -x509Certificatename mail.xxx.com.au, which worked, but I cannot set the cert.

    I am wondering if there is anything I am doing wrong?

  5. Issue is that when I attempt to assign the certificate to the services:

    1st this one.
    set-imapsettings -x509Certificatename mail.xxx.com.au

    2nd is this

    Enable-ExchangeCertificate -Thumbprint C570F6FC8ED01D153AD28244B1A086B78EB643FE -Services IMAP

    Have also tried via the GUI; I get the same error for each.

    cannot used for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-IMAPSettings to set X509CertificateName to the FQDN of the service.

    From what I have gathered, doing the above should set the cert and not error. Am I incorrect, and will it error either way but just work?

    • Once you set the FQDN you no longer need to enable the certificate. It will work despite the error being displayed (welcome to MS).

      Have you actually tried retrieving emails via IMAPS? Does it work?

  6. Nah, haven’t tried; as soon as I got the error I backed out… Will try again tonight. Even though I get the error, will it be displayed as enabled under the EMC?

  7. Cool, have done it for the passive node, will try on the active tonight. Anyway, is there a way to see what cert is running for what services after I replace it, since I can’t use the EMC?

  8. Cool, tried and nope, no way to see the services for a certificate even via PowerShell.

    [PS] C:\Windows\system32>Get-ExchangeCertificate |fl

    AccessRules :
    CertificateDomains : {*.xxxx.com.au, xxxx.com.au}
    HasPrivateKey : True
    IsSelfSigned : False
    Issuer : [email protected], CN="Trustwave Organization Validation SHA256 CA, Level 1", O="Trustwave Holdings, Inc.", L=Chicago, S=Illinois, C=US
    NotAfter : 9/01/2018 9:01:03 AM
    NotBefore : 8/01/2015 3:01:03 AM
    PublicKeySize : 2048
    RootCAType : ThirdParty
    SerialNumber : 065ED959941D865DC8159E25CC5FE8A8DA2A34
    Services : IIS, SMTP
    Status : Valid
    Subject :
    Thumbprint : C570F6FC8ED01D153AD28244B1A086B78EB643FE

    AccessRules :
    CertificateDomains : {AD-I-EXCHANGE01, AD-I-EXCHANGE01.xxx.xxx.com}
    HasPrivateKey : True
    IsSelfSigned : True
    Issuer : CN=AD-I-EXCHANGE01
    NotAfter : 10/09/2018 4:41:32 PM
    NotBefore : 10/09/2013 4:41:32 PM
    PublicKeySize : 2048
    RootCAType : None
    SerialNumber : 5F69F31970CB849247590421CF3481E2
    Services : SMTP
    Status : Valid
    Subject : CN=AD-I-EXCHANGE01
    Thumbprint : FC8ABF4DDB1B61B1CF338859807E1A3B978480ED

    • I normally use OpenSSL to check for SSL certificates, ciphers that are in use etc. For IMAPS it would be something like:

      openssl s_client -connect example.com:993

      Change the port and you can check SSL certificates for SMTPS, POP3S, IMAPS, HTTPS etc. You get the idea.
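
The same check done from PowerShell, as an added example that is not part of the reply above: it connects to the implicit-TLS POP3S/IMAPS ports and reports which certificate the service really presents and whether it validates for the name clients use, which is the answer to "what cert is running for what service" that Get-ExchangeCertificate does not give. Server name and ports are assumed values.

```powershell
# Assumed values (not from the post): the FQDN set with Set-POPSettings/Set-IMAPSettings.
function Get-MailTlsCertificate {
    param([string]$ServerName, [int]$Port)
    $script:policyErrors = $null
    $tcp = New-Object System.Net.Sockets.TcpClient($ServerName, $Port)
    try {
        # Record validation errors but accept anyway, so a bad certificate can still be inspected.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $errors)
            $script:policyErrors = $errors
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($ServerName)   # sends SNI and checks the name clients use
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # OID 2.5.29.17 = Subject Alternative Name, e.g. "DNS Name=*.example.com, DNS Name=example.com"
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
               ForEach-Object { $_.Format($false) }
        [pscustomobject]@{
            Endpoint        = "${ServerName}:$Port"
            Protocol        = $ssl.SslProtocol
            Subject         = $cert.Subject
            SubjectAltNames = $san
            NotAfter        = $cert.NotAfter
            Thumbprint      = $cert.Thumbprint
            ValidForName    = ($script:policyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
            PolicyErrors    = $script:policyErrors
        }
    } finally {
        $tcp.Close()
    }
}

# Check both implicit-TLS listeners. A Thumbprint that differs from the wildcard
# certificate, or ValidForName = False, means mail clients will still get a warning.
$name = 'exchange2010.example.com'
foreach ($port in 993, 995) { Get-MailTlsCertificate -ServerName $name -Port $port }
```

The plain ports 110 and 143 use STARTTLS rather than implicit TLS, so they need the protocol handshake first and are not covered by this function.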

  9. [PS]> Set-IMAPSettings -X509CertificateName exchange2010.example.com

    From the command above, what is “exchange2010”?

    Is it the Exchange server name or the Exchange product or ???, as I am using Exchange 2013 SP1.

    • Thanks
      Just to clarify further, will I need to create a DNS record for the name used.

      Or use “Mail” or “OWA” which my current external URL OWA.domain_name or mail.domain_name?

      At the moment the POP and IMAP certificate is set to the default self-signed certificate created during Exchange installation, whose CN is the Exchange server name.

  10. This works great. Thank you!
    The issue now is with outgoing email over IMAP. Is there a way to assign the wildcard cert to the outgoing (port 587)? Please advise.

    Thank you

  11. I replaced my SAN certificate with wildcard, and did as you said.
    Can I now delete the old certificate from the EMC?

  12. Thanks for this! If the previous cert was name.domain.com and the new cert is *.domain.com, and you run Get-POPSettings and Get-IMAPSettings and they still say name.domain.com, is that good enough?
