Configure Wildcard SSL Certificate for POP/IMAP on Exchange 2010 (PowerShell)

35 thoughts on “Configure Wildcard SSL Certificate for POP/IMAP on Exchange 2010 (PowerShell)”

1. Very helpful! Thanks for putting this up!

   Reply

2. one small type-o
   Restart-service MSExchangePOP
   should be
   Restart-service MSExchangePOP3
   Great post tho! Def helped!

   Reply

   • Thanks, fixed the typo.

3. Hello, i entered those commands but in the exchange management console next to the certificate i dont see IMAP and POP for my wildcard cert. just iis and smtp :(
   once i enter the set-commands exchange answers with this message:
   WARNUNG: Der Befehl wurde erfolgreich abgeschlossen, es wurden jedoch keine Einstellungen von ‘MX03-HAM-DE\1’ geändert.

   It is saying something like: Warning: Command was executed successful, but no settings where changed for mx03-ham-de.

   :(

   Reply

   • I’m not sure I understand your problem. You won’t see IMAP and POP under Exchange management console. At least I don’t see them on Exchange 2010.

     Have you verified IMAP and POP settings via powershell? Do they work?

4. Hi, thx for your reply.
   On the mgmt shell it looks like this (for autodiscover we use wildcard cert, too):

   [PS] C:\Windows\system32>Set-POPSettings -X509CertificateName xxx.xxx.com
   WARNUNG: Der Befehl wurde erfolgreich abgeschlossen, es wurden jedoch keine Einstellungen von 'MX03-HAM-DE\1' geändert.
   [PS] C:\Windows\system32>Set-IMAPSettings -X509CertificateName xxx.xxx.com
   WARNUNG: Der Befehl wurde erfolgreich abgeschlossen, es wurden jedoch keine Einstellungen von 'MX03-HAM-DE\1' geändert.
   [PS] C:\Windows\system32> Get-POPSettings
   
   UnencryptedOrTLSBindings  SSLBindings                       LoginType                         X509CertificateName
   ------------------------  -----------                       ---------                         -------------------
   {:::110, 0.0.0.0:110}     {:::995, 0.0.0.0:995}             SecureLogin                       xxx.xxx...
   
   
   [PS] C:\Windows\system32>
   [PS] C:\Windows\system32>Get-IMAPSettings
   
   UnencryptedOrTLSBindings  SSLBindings                       LoginType                         X509CertificateName
   ------------------------  -----------                       ---------                         -------------------
   {:::143, 0.0.0.0:143}     {:::993, 0.0.0.0:993}             PlainTextLogin                    xxx.xxx...
   
   
   [PS] C:\Windows\system32>Restart-service MSExchangePOP3
   WARNUNG: Warten auf Start des Diensts "Microsoft Exchange POP3 (MSExchangePOP3)"...
   [PS] C:\Windows\system32>Restart-service MSExchangeIMAP4
   WARNUNG: Warten auf Start des Diensts "Microsoft Exchange IMAP4 (MSExchangeIMAP4)"...
   WARNUNG: Warten auf Start des Diensts "Microsoft Exchange IMAP4 (MSExchangeIMAP4)"...
   
   [PS] C:\Windows\system32> Get-ExchangeCertificate
   
   Thumbprint                                Services   Subject
   ----------                                --------   -------
   E68ED783F607C550958C5751B460E3EDDBFE3B84  ...WS.     CN=*.xxx.com, OU=PositiveSSL Wildcard, OU=Domain Con...
   37586FFB50C8D3665BA0554456A560508C2B9000  ....S.     CN=mx03-ham-de
   7464DC695880B8A51DD34710784351E6F7F0F460  ......     CN=autodiscover.xxx.com, OU=Domain Validated, OU=Tha...
   
   
   [PS] C:\Windows\system32>

   Reply

   • It indicates that the options you’re trying to set via the Set-POPSettings and Set-IMAPSettings commands are already set.

     And when you run Get-POPSettings and Get-IMAPSettings commands, you can see that the wildcard certificate has been configured.

   • Ah ok, so I will not see that it is working in the Exchange Management Console or on the Shell with the get-exchangecertificate cmd?

     Thx for your help :)

   • You see a wildcard certificate is configured when you run Get-POPSettings and Get-IMAPSettings commands.

5. Hey i am having a bit of an issue my previous enabled cert and url where both mail.xxx.com.au am trying to get the wildcard to be the enabled cert but having issues see below.

   [PS] C:\Windows\system32>Enable-ExchangeCertificate -Thumbprint C570F6FC8ED01D153AD28244B1A086B78EB643FE -Services IMAP
   WARNING: This certificate with thumbprint C570F6FC8ED01D153AD28244B1A086B78EB643FE and subject '*.xxx.com.au'
   cannot used for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command
   Set-IMAPSettings to set X509CertificateName to the FQDN of the service.

   But the FQDN has been set correctly as per below

   UnencryptedOrTLSBindings  SSLBindings            LoginType     X509CertificateName
   ------------------------  -----------            ---------     -------------------
   {:::143, 0.0.0.0:143}     {:::993, 0.0.0.0:993}  SecureLogin   mapi.certegy.com.au

   Tried Set-ImapSettings -X509CertificateName *.xxx.com.au … No luck

   Tried set-imapsettings -x509Certificatename mail.xxx.com.au worked but cannot set the cert.

   I am wondering if there is anything i am doing wrong?

   Reply

   • I see that your IMAP settings are OK. What does not work in particular?

6. Issue is that when i attempt to assign the Certificate to the services

   1st this one.
   set-imapsettings -x509Certificatename mail.xxx.com.au

   2nd is this

   Enable-ExchangeCertificate -Thumbprint C570F6FC8ED01D153AD28244B1A086B78EB643FE -Services IMAP

   have also tried via the gui get the same error for each.

   cannot used for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-IMAPSettings to set X509CertificateName to the FQDN of the service.

   From what i have gathered doing the above it should set the cert and not error. Am i incorrect and it will error either way but just work?

   Reply

   • Once you set the FQDN you no longer need to enable the certificate. It will work despite the error being displayed (welcome to MS).

     Have you actually tried retrieving emails via IMAPS? Does it work?

7. Nah haven’t tried as soon as I got the error I backed out….Will try again tonight. Even though I get the error will it be displayed as enabled under the EMC?

   Reply

   • It should be displayed as enabled under the EMC, but only for IIS and SMTP services.

8. Cool have done for the passive node will try on the active tonight anyway to see what cert is running for what services after I replace since I can’t use the emc?

   Reply

9. Cool tried and nope no way to see services to a certificate even via powershell.

   [PS] C:\Windows\system32>Get-ExchangeCertificate |fl

   AccessRules :
   CertificateDomains : {*.xxxx.com.au, xxxx.com.au}
   HasPrivateKey : True
   IsSelfSigned : False
   Issuer : [email protected], CN=”Trustwave Organization Validation SHA256 CA, Level 1″, O=”Trustwave Holdin
   gs, Inc.”, L=Chicago, S=Illinois, C=US
   NotAfter : 9/01/2018 9:01:03 AM
   NotBefore : 8/01/2015 3:01:03 AM
   PublicKeySize : 2048
   RootCAType : ThirdParty
   SerialNumber : 065ED959941D865DC8159E25CC5FE8A8DA2A34
   Services : IIS, SMTP
   Status : Valid
   Subject :
   Thumbprint : C570F6FC8ED01D153AD28244B1A086B78EB643FE

   AccessRules :
   CertificateDomains : {AD-I-EXCHANGE01, AD-I-EXCHANGE01.xxx.xxx.com}
   HasPrivateKey : True
   IsSelfSigned : True
   Issuer : CN=AD-I-EXCHANGE01
   NotAfter : 10/09/2018 4:41:32 PM
   NotBefore : 10/09/2013 4:41:32 PM
   PublicKeySize : 2048
   RootCAType : None
   SerialNumber : 5F69F31970CB849247590421CF3481E2
   Services : SMTP
   Status : Valid
   Subject : CN=AD-I-EXCHANGE01
   Thumbprint : FC8ABF4DDB1B61B1CF338859807E1A3B978480ED

   Reply

   • I normally use OpenSSL to check for SSL certificates, ciphers that are in use etc. For IMAPS it would be something like:

     openssl s_client -connect example.com:993

     Change the port and you can check SSL certificates for SMTPS, POP3S, IMAPS, HTTPS etc. You get the idea.

10. [PS]> Set-IMAPSettings -X509CertificateName exchange2010.example.com

    From the command, what is “exchange2010”? from the command above

    Is it the exchange server name or exchange product or ???, as I am using Exchange 2013 SP1,

    Reply

    • It’s simply a subdomain I use for Exchange 2010. It can be anything you like basically.

    • Thanks
      Just to clarify further, will I need to create a DNS record for the name used.

      Or use “Mail” or “OWA” which my current external URL OWA.domain_name or mail.domain_name?

      At the moment the POP and IMAP certificate is set to the default self-signed certificate created during Exchange installation which CN=Exchange servername

    • You need a valid DNS record if you are planning to use it, otherwise it won’t resolve.

11. This works great. Thank you!
    The issue now is with the Outgoing email over IMAP. is there a way to assign the wildcard cert to the outgoing (Port 587). Please advise.

    Thank you

    Reply

    • As far as I know, port 587 is used for SMTP e-mail message submission and not for IMAP.

12. I replaced my SAN certificate with wildcard, and did as you said.
    can i now delete old certificate from EMC?

    Reply

    • Create a backup, ensure the new certificate works, and then delete the old certificate.

13. Thanks for this! – If the previous cert was name.domain.com and the new cert is *.domain.com and you do the Get-POPSettings and Get-IMAPSettings and they still say name.domain.com is that good enough?

    Reply

    • Does it work? If it does, then it’s probably good enough.

14. It would be handy if you mentioned at the end of the article that you no longer need to run Enable-ExchangeCertificate . I assumed after adding the FQDN that I would and spent a few minutes trying to figure out why it still didn’t work. Luckily you had answered this already in the comments.

    Reply

    • Thanks for your feedback. If you follow the article, you will see that it explains what to do in order to fix the problem you get if you run Enable-ExchangeCertificate.

15. Hi Tomas,

    currently, i am using wildcard ss certificate ( purchased from godaddy) on our exchange server two client access servers(nlb configured) and two mailbox servers(DAG configured) and ssl is assigned to iis and smtp services shown ecp console. working fine for outlook and webmail users.
    Now i want to enable imap on our exchange server because we want to use imap mailbox for our Jira service desk application for receiving emails. what are steps to follow to enable imap on our exchange server and assign this wildcard ssl certificate to imap without affecting our current email setup. i will not use imap for our users, i need this imap only for one mailbox to be configured in our jira service desk as there is no exchange protocol option for receiving emails. only available options are pop anad imap.

    please advise how to enable imap on our exchange server and assingn existing wildcard ssl cert to this imap without disturbing our current setup.

    thanks in advance.

    Reply

    • I’m afraid I cannot help with your work assignment.

16. I see that for a lot of people it has not been working yet (for IMAP). I had the same issue and the above did not solve it.
    Apparently there’s a bug that came with an update of Exchange 2013.
    Type: Get-ServerComponentState
    Enter your server name (FQDN) as identity
    Then you’ll see that the ImapProxy state shows as Inactive.

    This can be fixed in registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v15\ServerComponentStates\ImapProxy Functional from 1:0:635797425487970123 to 1:1:635797425487970123

    Then restart your IMAP service:
    Restart-service MSExchangeIMAP4

    Hope this will help.

    Reply

    • Thank you for your feedback.

17. Thanks Cyril, you’re a life saver.

    I noticed two other services which were hanging, kind of hoping that’s what’s been causing issues with migrating users to O365 (ProvisioningRPS, ForwardsyncDaemon )

    Reply