Issue using wildcard SSL cert for Exchange 2007 POP/IMAP services
I have a wildcard cert from GoDaddy that I have successfully imported and enabled on a new Exchange 2007 SP1 Standard server (with latest rollup installed). I was able to enable the cert for IIS services just fine, and OWA, Outlook Anywhere, and ActiveSync are all working. However, when I try to enable the cert for IMAP or POP services, I get a message like this...

WARNING: This certificate will not be used for external TLS connections with an FQDN of '*.XXXXXXXXXXXXXXX.com' because the self-signed certificate with thumbprint 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' takes precedence. The following connectors match that FQDN: POP3.

WARNING: This certificate will not be used for external TLS connections with an FQDN of '*.XXXXXXXXXXXXXX.com' because the self-signed certificate with thumbprint 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' takes precedence. The following connectors match that FQDN: IMAP4.

The weird thing is that the thumbprint that the message says will take precedence is actually the thumbprint for the wildcard cert, and not the autogenerated self-signed cert. The wildcard cert is also not self-signed as the message says, and I verified this by looking at the "IsSelfSigned" attribute from the Get-ExchangeCertificate | FL command. So it is almost like the message is listing the wrong thumbprint, and instead means the self-signed autogenerated cert is taking precedence. Has anyone run into this issue and/or found a way around it?
December 8th, 2008 3:56pm
In the Certificate Use in Exchange Microsoft document, it states this....

"In Exchange 2007 RTM, there are two major exceptions in the certificate selection processes for POP3 and IMAP4. Certificates issued by a trusted CA are not preferred over self-signed certificates. Instead, Exchange 2007 selects the newest certificate. Also, in Exchange 2007 RTM, POP3 and IMAP4 do not support wildcard domains on certificates. This means that if the X509CertificateName attribute is set to mail.fourthcoffee.com for either the POP3 settings or IMAP4 settings, Exchange 2007 will not support a certificate that only contains *.fourthcoffee.com as a certificate domain."

Although I think you should be able to use a wildcard cert in SP1 based on what it says in the rest of the document, I'm not really sure. The fact that my wildcard cert has an older issue date than the auto-generated self-signed cert may also be causing the issue. Also saw that a very similar problem is supposedly fixed in Update Rollup 4 (http://support.microsoft.com/kb/948896/) which is installed, but I'm not getting any event log error messages, just the message when I try to enable the cert. I'm pretty sure this is a bug at this point that is not really fixed.
December 8th, 2008 7:20pm
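The selection rule quoted in the post above (POP3/IMAP4 take the newest matching certificate and, in RTM, do not match wildcard domains against X509CertificateName) can be checked directly rather than inferred from the Enable-ExchangeCertificate warning. The following is an added example for the Exchange Management Shell on the Client Access server; it is not from the original thread or from Microsoft. The domain names mail.contoso.com and *.contoso.com, and the function name Test-CertMatchesFqdn, are assumptions for illustration. It lists every certificate with the fields that drive the choice, shows which ones match the configured POP/IMAP FQDN with the newest first (the one a freshly auto-generated self-signed certificate would shadow), and ends with the remediation commands left commented so nothing is changed until the thumbprints have been verified.

```powershell
# Added example (not from the original thread): show which certificate Exchange 2007
# will pick for POP3/IMAP4 and why. Run in the Exchange Management Shell on the CAS.
# Assumed names: wildcard cert for *.contoso.com, POP/IMAP should present mail.contoso.com.

$popFqdn  = (Get-PopSettings).X509CertificateName
$imapFqdn = (Get-ImapSettings).X509CertificateName
"POP3  X509CertificateName: $popFqdn"
"IMAP4 X509CertificateName: $imapFqdn"

# Every certificate Exchange knows about, with the fields that drive selection.
# IsSelfSigned and NotBefore are the two that matter for the rule quoted above.
Get-ExchangeCertificate |
    Select-Object Thumbprint, IsSelfSigned, NotBefore, NotAfter, Services,
        @{ n = 'Domains'; e = { [string]::Join(',', @($_.CertificateDomains | ForEach-Object { $_.ToString() })) } } |
    Format-Table -AutoSize

# A certificate matches an FQDN if a domain equals it exactly, or (when the service
# honours wildcards) a *.zone entry covers exactly one label below that zone.
function Test-CertMatchesFqdn {
    param([string]$Fqdn, [string[]]$Domains, [bool]$AllowWildcard)
    foreach ($d in $Domains) {
        if ($d -ieq $Fqdn) { return $true }
        if ($AllowWildcard -and $d.StartsWith('*.')) {
            $zone = $d.Substring(2)
            if ($Fqdn -imatch ('^[^.]+\.' + [regex]::Escape($zone) + '$')) { return $true }
        }
    }
    return $false
}

# Candidates for the POP3 FQDN, newest first. Per the quoted document the RTM rule
# ignores IsSelfSigned, so if the top row is self-signed that is the one being used.
# Pass $false as the last argument to see the stricter RTM behaviour (no wildcards).
$candidates = Get-ExchangeCertificate |
    Where-Object { Test-CertMatchesFqdn $popFqdn $_.CertificateDomains $true } |
    Sort-Object NotBefore -Descending
"Certificates matching '$popFqdn', newest first:"
$candidates | Format-Table Thumbprint, IsSelfSigned, NotBefore, Services -AutoSize

# Remediation once the thumbprints have been verified against the table above
# (left commented; substitute real values and only run what your situation needs):
#   Set-PopSettings  -X509CertificateName mail.contoso.com   # exact name, not a wildcard
#   Set-ImapSettings -X509CertificateName mail.contoso.com
#   Enable-ExchangeCertificate -Thumbprint <wildcard thumbprint> -Services "POP,IMAP"
#   Restart-Service MSExchangePOP3; Restart-Service MSExchangeIMAP4
# Removing the newer self-signed certificate with Remove-ExchangeCertificate also
# resolves the precedence, but check its Services column first: it may be the one
# in use for SMTP.
```

The X509CertificateName change is the part the quoted document actually calls for: with POP/IMAP configured to present an exact host name that the wildcard covers, the service is no longer asked to match a wildcard domain, and the only remaining question is which matching certificate is newest.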
Any way to fix it? My env. is Exchange 2007 SP1 + update rollup 6. I encountered exactly the same problem.
-Randy
March 11th, 2009 1:22am
I just ran into this issue today. Ever find a fix?
February 13th, 2012 9:54am
Hi,
Do you have any error in the event log related to the certificate?
Try to install at least Exchange SP1 with RU4.
Re-enable the certificate for POP and IMAP.
Best Regards. Don't forget to mark it as answer if it helps.
February 20th, 2012 9:09am
Please note the original posting date, and that of today.
Exchange 2007 SP1 is no longer supported (neither is SP2 for Exchange 2007). Please update to SP3 + the rollup that you have tested - to receive support.
Cheers, Rhoderick
February 20th, 2012 9:39pm