It is assumed you have your wildcard SSL certificate, together with its private key, already installed on the Exchange 2010 server.
We use Windows Server 2008 R2 Datacenter x64 in this example.
Open Exchange Management Shell as Administrator and get a list of SSL certificates that are available:
[PS]> Get-ExchangeCertificate

Thumbprint                    Services   Subject
----------                    --------   -------
1F70359DC0BE9CAD58F965A3C110  ...WS.     CN=*.example.com, OU=IT Dep, O=Example Comp...
0F7FF199B11E662621D80700D04F  ....S.     CN=ExampleDC
When you try to enable the wildcard *.example.com certificate for the POP service, Exchange rejects it with the following warning, because the POP3 and IMAP4 services require the certificate subject to be a fully qualified domain name and a wildcard is not one:

[PS]> Enable-ExchangeCertificate -Thumbprint 1F70359DC0BE9CAD58F965A3C110 -Services POP
WARNING: This certificate with thumbprint 1F70359DC0BE9CAD58F965A3C110 and subject '*.example.com' cannot used for POP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-POPSettings to set X509CertificateName to the FQDN of the service.
The same applies to IMAP:
[PS]> Enable-ExchangeCertificate -Thumbprint 1F70359DC0BE9CAD58F965A3C110 -Services IMAP
WARNING: This certificate with thumbprint 1F70359DC0BE9CAD58F965A3C110 and subject '*.example.com' cannot used for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-IMAPSettings to set X509CertificateName to the FQDN of the service.
Set the FQDN the POP service should use. Pick a name that the wildcard actually covers (one label under example.com, here exchange2010.example.com), that resolves in DNS, and that your POP clients connect to, so the name they validate matches the certificate:

[PS]> Set-POPSettings -X509CertificateName exchange2010.example.com
Do the same for the IMAP service:
[PS]> Set-IMAPSettings -X509CertificateName exchange2010.example.com
Verify the POP settings. LoginType SecureLogin means clients must negotiate TLS (STARTTLS on 110 or POP3S on 995) before they can authenticate:

[PS]> Get-POPSettings

UnencryptedOrTLSBindings   SSLBindings             LoginType    X509CertificateName
------------------------   -----------             ---------    -------------------
{:::110, 0.0.0.0:110}      {:::995, 0.0.0.0:995}   SecureLogin  exchange2010.example...
Verify the IMAP settings:

[PS]> Get-IMAPSettings

UnencryptedOrTLSBindings   SSLBindings             LoginType    X509CertificateName
------------------------   -----------             ---------    -------------------
{:::143, 0.0.0.0:143}      {:::993, 0.0.0.0:993}   SecureLogin  exchange2010.example...
Restart the POP and IMAP services so the new certificate name takes effect:

[PS]> Restart-Service MSExchangePOP3
[PS]> Restart-Service MSExchangeIMAP4

Once X509CertificateName is set you do not need to run Enable-ExchangeCertificate for POP or IMAP; the services find the wildcard certificate by that name, and Get-ExchangeCertificate will keep showing it as enabled for IIS and SMTP only.
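The whole procedure as one script, added here as an example and not taken from the original post. It checks that the wildcard certificate actually covers the chosen service name (a wildcard matches exactly one label, so *.example.com covers exchange2010.example.com but not example.com or a.b.example.com), sets the name for both services, restarts them and prints the result. The thumbprint and FQDN are assumed values; replace them with your own.

```powershell
# Added example, not code from the original post: bind POP3/IMAP4 to a wildcard
# certificate by service name on Exchange 2010 and verify the result.
# Assumed values: the thumbprint and the service FQDN below.
$Thumbprint  = '1F70359DC0BE9CAD58F965A3C110'   # assumed: thumbprint of the wildcard certificate
$ServiceFqdn = 'exchange2010.example.com'       # assumed: the name POP/IMAP clients connect to

# A wildcard covers exactly one label: *.example.com matches exchange2010.example.com
# but neither example.com nor a.b.example.com. Check that before committing the name.
function Test-CertificateNameMatch {
    param([string]$CertName, [string]$Fqdn)
    $c = $CertName.ToLowerInvariant()
    $f = $Fqdn.ToLowerInvariant()
    if ($c -eq $f) { return $true }                  # exact CN/SAN entry
    if (-not $c.StartsWith('*.')) { return $false }  # not a wildcard entry
    $suffix = $c.Substring(1)                        # '.example.com'
    if (-not $f.EndsWith($suffix)) { return $false }
    $leftmost = $f.Substring(0, $f.Length - $suffix.Length)
    return ($leftmost.Length -gt 0 -and -not $leftmost.Contains('.'))
}

$cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key; POP/IMAP cannot use it." }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires on $($cert.NotAfter)." }
$covered = @($cert.CertificateDomains | Where-Object { Test-CertificateNameMatch $_ $ServiceFqdn })
if ($covered.Count -eq 0) {
    throw "$ServiceFqdn is not covered by this certificate ($($cert.CertificateDomains -join ', '))."
}

# The POP3/IMAP4 services locate their certificate by this name, so
# Enable-ExchangeCertificate -Services POP,IMAP is not needed for a wildcard.
Set-POPSettings  -X509CertificateName $ServiceFqdn
Set-IMAPSettings -X509CertificateName $ServiceFqdn

Restart-Service MSExchangePOP3
Restart-Service MSExchangeIMAP4

# Confirm the name took; SecureLogin means clients must negotiate TLS before authenticating.
Get-POPSettings  | Format-List X509CertificateName, SSLBindings, LoginType
Get-IMAPSettings | Format-List X509CertificateName, SSLBindings, LoginType
```

Run it in the Exchange Management Shell as an administrator. The name check is the part that prevents the subtle failure: a name that is not covered by the wildcard (or that clients do not actually use) is accepted by Set-POPSettings without complaint, and the mismatch only shows up later as a certificate error in the mail client.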
Very helpful! Thanks for putting this up!
One small typo:
Restart-service MSExchangePOP
should be
Restart-service MSExchangePOP3
Great post though! Definitely helped!
Thanks, fixed the typo.
Hello, I entered those commands, but in the Exchange Management Console next to the certificate I don't see IMAP and POP for my wildcard cert, just IIS and SMTP :(
Once I enter the Set- commands, Exchange answers with this message:
WARNING: The command completed successfully, but no settings of 'MX03-HAM-DE\1' were changed.
It is saying something like: Warning: Command was executed successfully, but no settings were changed for mx03-ham-de.
:(
I’m not sure I understand your problem. You won’t see IMAP and POP under Exchange management console. At least I don’t see them on Exchange 2010.
Have you verified IMAP and POP settings via powershell? Do they work?
Hi, thanks for your reply.
On the management shell it looks like this (for Autodiscover we use the wildcard cert, too):
It indicates that the options you’re trying to set via the Set-POPSettings and Set-IMAPSettings commands are already set.
And when you run Get-POPSettings and Get-IMAPSettings commands, you can see that the wildcard certificate has been configured.
Ah, OK, so I will not see that it is working in the Exchange Management Console or in the shell with the Get-ExchangeCertificate cmdlet?
Thanks for your help :)
You see a wildcard certificate is configured when you run Get-POPSettings and Get-IMAPSettings commands.
Hey, I am having a bit of an issue. My previously enabled cert and URL were both mail.xxx.com.au. I am trying to get the wildcard to be the enabled cert but am having issues, see below.
But the FQDN has been set correctly, as per below.
Tried Set-IMAPSettings -X509CertificateName *.xxx.com.au ... no luck.
Tried Set-IMAPSettings -X509CertificateName mail.xxx.com.au, which worked, but I cannot set the cert.
I am wondering if there is anything I am doing wrong?
I see that your IMAP settings are OK. What does not work in particular?
The issue is that when I attempt to assign the certificate to the services:
1st, this one:
Set-IMAPSettings -X509CertificateName mail.xxx.com.au
2nd is this:
Enable-ExchangeCertificate -Thumbprint C570F6FC8ED01D153AD28244B1A086B78EB643FE -Services IMAP
I have also tried via the GUI and get the same error for each:
cannot used for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-IMAPSettings to set X509CertificateName to the FQDN of the service.
From what I have gathered, doing the above should set the cert and not error. Am I incorrect, and it will error either way but just work?
Once you set the FQDN you no longer need to enable the certificate. It will work despite the error being displayed (welcome to MS).
Have you actually tried retrieving emails via IMAPS? Does it work?
Nah, haven't tried; as soon as I got the error I backed out... Will try again tonight. Even though I get the error, will it be displayed as enabled under the EMC?
It should be displayed as enabled under the EMC, but only for IIS and SMTP services.
Cool, have done it for the passive node, will try on the active tonight. Is there any way to see which cert is running for which services after I replace it, since I can't use the EMC?
Cool, tried it, and nope, there is no way to see the services for a certificate, even via PowerShell.
[PS] C:\Windows\system32>Get-ExchangeCertificate |fl
AccessRules :
CertificateDomains : {*.xxxx.com.au, xxxx.com.au}
HasPrivateKey : True
IsSelfSigned : False
Issuer : [email protected], CN="Trustwave Organization Validation SHA256 CA, Level 1", O="Trustwave Holdings, Inc.", L=Chicago, S=Illinois, C=US
NotAfter : 9/01/2018 9:01:03 AM
NotBefore : 8/01/2015 3:01:03 AM
PublicKeySize : 2048
RootCAType : ThirdParty
SerialNumber : 065ED959941D865DC8159E25CC5FE8A8DA2A34
Services : IIS, SMTP
Status : Valid
Subject :
Thumbprint : C570F6FC8ED01D153AD28244B1A086B78EB643FE
AccessRules :
CertificateDomains : {AD-I-EXCHANGE01, AD-I-EXCHANGE01.xxx.xxx.com}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=AD-I-EXCHANGE01
NotAfter : 10/09/2018 4:41:32 PM
NotBefore : 10/09/2013 4:41:32 PM
PublicKeySize : 2048
RootCAType : None
SerialNumber : 5F69F31970CB849247590421CF3481E2
Services : SMTP
Status : Valid
Subject : CN=AD-I-EXCHANGE01
Thumbprint : FC8ABF4DDB1B61B1CF338859807E1A3B978480ED
I normally use OpenSSL to check SSL certificates, the ciphers that are in use, etc. For IMAPS it would be something like:
Change the port and you can check the SSL certificates for SMTPS, POP3S, IMAPS, HTTPS, etc. You get the idea.
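Since Get-ExchangeCertificate only reports IIS and SMTP for a wildcard certificate (as the thread above shows), the reliable check is to ask each listener what it actually serves. The following is an added example, not code from the original post or its comments, doing that from PowerShell with the .NET SslStream class instead of OpenSSL; it covers the implicit-TLS ports (IMAPS 993, POP3S 995, HTTPS 443) and compares the served thumbprint with the one you expect. The host name and thumbprint are assumed values.

```powershell
# Added example, not code from the original post: report the certificate an
# implicit-TLS listener (IMAPS 993, POP3S 995, HTTPS 443) actually presents and
# compare it with the thumbprint you expect. Assumed: host name and thumbprint below.
function Get-ServedCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$HostName,
        [int]$Port = 993
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever the server sends: the point is to see a wrong or expired
        # certificate, not to have the handshake hide it behind an exception.
        $acceptAll = { param($sender, $certificate, $chain, $sslPolicyErrors) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # Subject Alternative Name extension (OID 2.5.29.17): this is what clients match the host name against.
        $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
                ForEach-Object { $_.Format($false) }
        New-Object PSObject -Property @{
            Endpoint   = "${HostName}:$Port"
            Subject    = $cert.Subject
            SanNames   = "$san"
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            Protocol   = $ssl.SslProtocol
            Cipher     = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
        } | Select-Object Endpoint, Subject, SanNames, Issuer, NotAfter, Thumbprint, Protocol, Cipher
    } finally {
        $client.Close()
    }
}

# Usage: check every implicit-TLS port against the thumbprint configured on the server.
$expected = 'C570F6FC8ED01D153AD28244B1A086B78EB643FE'   # assumed: your wildcard thumbprint
$server   = 'mail.example.com'                            # assumed: the name clients use
foreach ($port in 993, 995, 443) {
    $served  = Get-ServedCertificate -HostName $server -Port $port
    $verdict = if ($served.Thumbprint -eq $expected) { 'OK' } else { 'MISMATCH' }
    '{0,-24} {1,-8} {2}  expires {3:yyyy-MM-dd}' -f $served.Endpoint, $verdict, $served.Subject, $served.NotAfter
}
```

Ports 110, 143 and 587 start in plain text and upgrade with STARTTLS, so this function does not apply to them as written; for those, OpenSSL's s_client with its -starttls option remains the quicker check. A MISMATCH on 993 or 995 after the Set-POPSettings/Set-IMAPSettings change usually means the service was not restarted or the X509CertificateName does not match any name on the certificate.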
[PS]> Set-IMAPSettings -X509CertificateName exchange2010.example.com
From the command above, what is "exchange2010"?
Is it the Exchange server name, the Exchange product, or something else? I am using Exchange 2013 SP1.
It’s simply a subdomain I use for Exchange 2010. It can be anything you like basically.
Thanks
Just to clarify further, will I need to create a DNS record for the name used?
Or use "mail" or "owa", which are my current external URLs (owa.domain_name or mail.domain_name)?
At the moment the POP and IMAP certificate is set to the default self-signed certificate created during Exchange installation, which has CN=Exchange server name.
You need a valid DNS record if you are planning to use it, otherwise it won’t resolve.
This works great. Thank you!
The issue now is with the outgoing email over IMAP. Is there a way to assign the wildcard cert to the outgoing side (port 587)? Please advise.
Thank you
As far as I know, port 587 is used for SMTP e-mail message submission and not for IMAP.
I replaced my SAN certificate with wildcard, and did as you said.
Can I now delete the old certificate from the EMC?
Create a backup, ensure the new certificate works, and then delete the old certificate.
Thanks for this! – If the previous cert was name.domain.com and the new cert is *.domain.com and you do the Get-POPSettings and Get-IMAPSettings and they still say name.domain.com is that good enough?
Does it work? If it does, then it’s probably good enough.
It would be handy if you mentioned at the end of the article that you no longer need to run Enable-ExchangeCertificate . I assumed after adding the FQDN that I would and spent a few minutes trying to figure out why it still didn’t work. Luckily you had answered this already in the comments.
Thanks for your feedback. If you follow the article, you will see that it explains what to do in order to fix the problem you get if you run Enable-ExchangeCertificate.
Hi Tomas,
Currently I am using a wildcard SSL certificate (purchased from GoDaddy) on our Exchange server: two Client Access servers (NLB configured) and two Mailbox servers (DAG configured). The SSL certificate is assigned to the IIS and SMTP services, as shown in the ECP console, and is working fine for Outlook and webmail users.
Now I want to enable IMAP on our Exchange server because we want to use an IMAP mailbox for our Jira Service Desk application for receiving emails. What are the steps to follow to enable IMAP on our Exchange server and assign this wildcard SSL certificate to IMAP without affecting our current email setup? I will not use IMAP for our users; I need this IMAP only for one mailbox to be configured in our Jira Service Desk, as there is no Exchange protocol option for receiving emails. The only available options are POP and IMAP.
Please advise how to enable IMAP on our Exchange server and assign the existing wildcard SSL cert to this IMAP without disturbing our current setup.
thanks in advance.
I’m afraid I cannot help with your work assignment.
You can set up OAuth authentication to your Exchange server or O365 Exchange.
I see that for a lot of people it has not been working yet (for IMAP). I had the same issue and the above did not solve it.
Apparently there's a bug that came with an update of Exchange 2013.
Type: Get-ServerComponentState
Enter your server name (FQDN) as the identity.
Then you'll see that the ImapProxy state shows as Inactive.
This can be fixed in the registry: under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v15\ServerComponentStates\ImapProxy, change the value Functional from 1:0:635797425487970123 to 1:1:635797425487970123
Then restart your IMAP service:
Restart-service MSExchangeIMAP4
Hope this will help.
Thank you for your feedback.
Hi Cyril,
Thanks so much, you solved a problem I had for a while !
Thanks Cyril, you’re a life saver.
I noticed two other services which were hanging, kind of hoping that’s what’s been causing issues with migrating users to O365 (ProvisioningRPS, ForwardsyncDaemon )
Unfortunately this didn’t work for me. Old cert was a multiname cert. Upgraded to a wildcard cert.
X509CertificateName for both have already been set. Still get the same error.
WARNING: This certificate with thumbprint ***** and subject ‘*.domain.com’ cannot used for POP SSL/TLS connections
because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-POPSettings to set X509CertificateName to the FQDN of the service.
Or am I understanding this wrong? Is it that you DO NOT have to bind the service? Simply setting the FQDN is enough?
I stopped working with Exchange several years ago, so you’re better off consulting Microsoft documentation.
Confirmed. You can NEVER bind IMAP or POP3 to the wildcard cert. Simply setting the FQDN via powershell is enough.
Thank you for this quick reference. I have this bookmarked as it has helped me resolve some unrelated issues with Exchange. However, according to the Microsoft documentation for Set-POPSettings and Set-IMAPSettings, you don't need to assign the wildcard to the IMAP or POP services. You only need to assign the wildcard to the SMTP and IIS services (IIS only if you need to support OWA).
Excerpt from Microsoft docs:
“If you use a wildcard certificate, you don’t need to assign the certificate to the Exchange POP service.”
“If you use a wildcard certificate, you don’t need to assign the certificate to the Exchange IMAP service.”
References:
1. https://docs.microsoft.com/en-us/powershell/module/exchange/client-access/set-popsettings?view=exchange-ps#parameters
2. https://docs.microsoft.com/en-us/powershell/module/exchange/client-access/set-imapsettings?view=exchange-ps#parameters
You’re welcome!
That would explain why it only shows the SMTP and IIS services; however, you still need to set the FQDN.
Hello,
For Exchange 2013:
Get-ServerComponentState -Identity server
If ImapProxy is down:
Set-ServerComponentState -Identity -Component IMAPProxy -State Active -Requester HealthAPI
Best regards,
PP
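The two comments above describe the same symptom (ImapProxy showing Inactive after an Exchange 2013 update) with two fixes, one by editing the registry and one with Set-ServerComponentState. The following is an added example, not code from either commenter, that wraps the supported cmdlet: it reports the POP and IMAP proxy components, and for an inactive one re-activates it with the same requester that set it inactive, which matters because a component is only Active when every requester agrees. The server name is an assumed value, and it is assumed that the entries in LocalStates expose Requester and State properties as the cmdlet's formatted output shows.

```powershell
# Added example, not code from the original thread: on Exchange 2013 or later,
# check the POP3/IMAP4 proxy components before chasing certificate settings and
# re-activate them with the supported cmdlet instead of editing the registry.
# Assumed: the server name below, and that each entry in LocalStates exposes
# Requester and State (as in the cmdlet's formatted output).
$Server = 'EXCH01.example.com'   # assumed

function Get-ProtocolProxyState {
    param([string]$Identity)
    foreach ($component in 'PopProxy', 'ImapProxy') {
        $s = Get-ServerComponentState -Identity $Identity -Component $component
        # A component is Active only when every requester says Active, so the
        # requester that set it Inactive is the one that must set it back.
        $blocking = @($s.LocalStates | Where-Object { $_.State -ne 'Active' } | ForEach-Object { $_.Requester })
        New-Object PSObject -Property @{
            Component = $component
            State     = $s.State
            Blocking  = ($blocking -join ',')
        } | Select-Object Component, State, Blocking
    }
}

Get-ProtocolProxyState -Identity $Server | Format-Table -AutoSize

foreach ($c in Get-ProtocolProxyState -Identity $Server) {
    if ($c.State -eq 'Active') { continue }
    foreach ($requester in $c.Blocking.Split(',')) {
        if ($requester) {
            Set-ServerComponentState -Identity $Server -Component $c.Component -State Active -Requester $requester
        }
    }
}
Restart-Service MSExchangePOP3
Restart-Service MSExchangeIMAP4
Get-ProtocolProxyState -Identity $Server | Format-Table -AutoSize
```

If a component stays Inactive after this, look at the remaining requesters in the Blocking column: a Maintenance requester, for example, usually means the server was put into maintenance mode and never taken out, and that is what should be reverted rather than forcing the state through the registry.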
Hello, our wildcard cert has already been bound to IMAPS since following the instructions above more than a year ago, and it is now expiring soon. I presume that I only need to run "Enable-ExchangeCertificate -Thumbprint xxxx -Services IMAP" to import the new wildcard certificate, since the renewed cert has a new thumbprint. Am I correct?
It's just the same subject name, basically.
It has been years since I last used Exchange, but I think that what you are saying is the correct process.