Using Private Certificate Authority for IMAP SSL
I have an Exchange 2007 Server (Standard, SP1) running on Windows Server 2003 R2 SP2. Our organization has its own CA (running on a non-Windows box). I've been trying and trying (and trying) to get TLS working with a cert signed by our CA, but with no luck.

I imported our CA cert and its CRL using CertUtil -addstore root. Then I used New-Exchange to generate a CSR, and signed that using our CA. Then I imported the signed cert with Import-ExchangeCertificate and used Enable-ExchangeCertificate for the IMAP, POP, IIS, and SMTP services. At this point the Cert worked fine for IIS (connecting to the default web site with https:// used the CA-signed certificate), but whenever I started the IMAP service, in Event viewer I would see an error from MSExchangeIMAP4, Event ID 2007: 'A certificate for the hostname "servername.domainname.foo.org" could not be found. SSL or TLS encryption cannot be made to the IMAP service.'

In the Exchange Shell, if I did "Get-ExchangeCertificate | FL *", I'd see that the SubjectName looked right, and so did the CertificateDomains list. The RootCAType was "Registry" and the Status was "Valid".

Then I thought, OK, maybe our root CA cert needs to be installed with a GroupPolicy instead. I removed the root CA certificate from the registry, and placed it in the Default GPO for the domain. (I don't see how it's possible to install the CRL using a GPO, so that's still in the local store). Now the Exchange cert is listed with RootCAType "GroupPolicy", and the status is again "Valid." But still no love: I get the same error message when I restart the IMAP service.
Here's the current output of Get-ExchangeCertificate | FL * (with consistent obfuscation):

    AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {servername.domainname.foo.org}
    CertificateRequest :
    IisServices : {IIS://servername/W3SVC/1}
    IsSelfSigned : False
    KeyIdentifier : C87XXXXXXXXXXXXXXXXXXXXXXX35
    RootCAType : GroupPolicy
    Services : IMAP, POP, IIS, SMTP
    Status : Valid
    PrivateKeyExportable : True
    Archived : False
    Extensions : {}
    FriendlyName : Microsoft Exchange
    IssuerName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
    NotAfter : 5/10/2018 4:33:47 PM
    NotBefore : 5/9/2008 4:33:47 PM
    HasPrivateKey : True
    PrivateKey : System.Security.Cryptography.RSACryptoServiceProvider
    PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
    RawData : {48, 130, 2, ...}
    SerialNumber : 01
    SubjectName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
    SignatureAlgorithm : System.Security.Cryptography.Oid
    Thumbprint : 52DXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    Version : 1
    Handle : 493968480
    Issuer : CN=OUR CA, O=OUR Orgname, C=US
    Subject : CN=servername.domainname.foo.org

Any ideas? Has anybody been able to get this to work without using a commercial certificate authority? Thanks.
May 12th, 2008 6:36pm

Hello: I have an Exchange 2007 Server, IMAP is running in plain text only using port 143. I am running into the same exact problem with regards to IMAP-SSL-Port 993. There is an additional error I am seeing in my event log: "The IMAP4 service failed to connect using SSL or TLS encryption. A valid certificate is not configured to respond to SSL/TLS connections. Check the configured hostname as well as which certificates are installed in the Personal Certificates store of the Computer." Are you receiving the same error? When I find a solution I will post it.

Thanks
May 15th, 2008 10:26pm

Hi,

When POP and IMAP are added as additional services to a certificate, the x509CertificateName attribute on the POPSettings object or IMAPSettings object is updated to include the domain in the subject of the certificate. So you can run Get-IMAPSettings | fl to check that. Besides, you can enable Certificate Logging to gather more information for further research.

How to Enable Certificate Logging
http://technet.microsoft.com/en-us/library/bb851489(EXCHG.80).aspx

More information shared for you:

Enable-ExchangeCertificate
http://technet.microsoft.com/en-us/library/aa997231(EXCHG.80).aspx

Configure IMAP4 to Use TLS or SSL
http://technet.microsoft.com/en-us/library/aa996052(EXCHG.80).aspx

Note: It is a best practice to use a certificate issued by a public CA for trust validation. In fact, when certificate authentication is required, using a self-signed certificate is not a best practice and is strongly discouraged. We recommend that you use a certificate from a public CA for the following:

- POP3 and IMAP4 client access to Exchange
- Outlook Web Access
- Outlook Anywhere
- Exchange ActiveSync
- Autodiscover
- Domain Security

The best practice for all these is to use a public CA that is trusted by all clients by default.

Hope it helps.

Xiu
May 16th, 2008 4:31am

Thanks very much for your help. I hadn't seen the first link, but I had read the other two. I've enabled certificate logging now, but I'm still not getting anywhere. Here's what gets written to certificate.log:

    certificate.log:Microsoft.Exchange.Security.Certificate Information: 0 : Searching for a certificate that has one of the following FQDNs : myserv.mydomain.foo.org ThreadId=1 DateTime=2008-05-19T17:26:20.9485000Z
    Microsoft.Exchange.Security.Certificate Information: 0 : No certificate match found. ThreadId=1 DateTime=2008-05-19T17:26:20.9641250Z

Unfortunately, that's not telling much more than the Event Viewer errors. It looks like the X509CertificateName attribute in the IMAP settings matches what's in the certificate:

    [PS] C:\Documents and Settings\Administrator>Get-ImapSettings | fl | findstr X509
    X509CertificateName : myserv.mydomain.foo.org
    [PS] C:\Documents and Settings\Administrator>
    [PS] C:\Documents and Settings\Administrator>Get-ExchangeCertificate | fl
    AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {myserv.mydomain.foo.org}
    HasPrivateKey : True
    IsSelfSigned : False
    Issuer : CN=ORGANIZATION CA, O=ORGANIZATION Center, C=US
    NotAfter : 5/16/2018 5:47:09 PM
    NotBefore : 5/15/2008 5:47:09 PM
    PublicKeySize : 2048
    RootCAType : Registry
    SerialNumber : 09
    Services : IMAP, POP, IIS, SMTP
    Status : Valid
    Subject : CN=myserv.mydomain.foo.org
    Thumbprint : 9ABCDEF123456789ABCDEF123456789ABCDEF123

Any other ideas? This is driving me nuts.

-David
May 19th, 2008 10:11pm

Hi,

Please try to run Get-ExchangeCertificate to find all the certificates, then use Get-ExchangeCertificate (thumbprint) | fl to check which certificates the IMAP service uses. Then check the certificate thumbprint from MMC to ensure that the thumbprint is equal to the one that you installed. Besides, I will confirm whether the IMAP is working properly now. Does the issue only occur when you restart the IMAP service?

Best regards,
Xiu
May 21st, 2008 5:14am

[Arggh, just wasted ten minutes constructing a response just as the TechNet Forums decided to crash. Here we go again.]

There is only one certificate. Here it is:

    [PS] C:\Documents and Settings\Administrator>Get-ExchangeCertificate | FL
    AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {myserv.mydomain.foo.org}
    HasPrivateKey : True
    IsSelfSigned : False
    Issuer : CN=ORGANIZATION NAME CA, O=ORGANIZATION NAME, C=US
    NotAfter : 5/20/2018 5:36:00 PM
    NotBefore : 5/19/2008 5:36:00 PM
    PublicKeySize : 2048
    RootCAType : Registry
    SerialNumber : 0XXXXXXXXXXXXXXXX1
    Services : IMAP, POP, IIS, SMTP
    Status : Valid
    Subject : CN=myserv.mydomain.foo.org
    Thumbprint : 3XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX8

As you see, Exchange thinks it's valid. Here "myserv.mydomain.foo.org" is indeed our Exchange server. The thumbprint matches the thumbprint of the certificate as I see it in MMC, located at this point in the tree: Console Root > Certificates (Local Computer) > Personal > Registry > Certificates, issued to myserv.mydomain.foo.org. It says there's a private key corresponding to the certificate. The certification path goes up to our private CA, and the certificate status is "The certificate is OK." The certificate is enabled for all purposes.

Yes, I get the error when I restart the IMAP service (which I know to do whenever I change an IMAP setting or certificate setting). I also get errors when a client tries to make a secure IMAP connection: "The IMAP4 service failed to connect using SSL or TLS encryption. A valid certificate is not configured to respond to SSL/TLS connections. Check the configured hostname as well as which certificates are installed in the Personal Certificates store of the Computer." I can't make secure IMAP connections. I've been banging my head on this for awhile.
I'm beginning to suspect that, due to a bug, it's simply not possible to use a private CA with Exchange 2007, and nobody has noticed. If there is even one person out there who has managed to get this working, please let me know, if only to say, "Yes, it can work, I've done it, good luck." Thanks!
May 28th, 2008 8:35pm

David,

All the things I want to tell you to check have already been checked. I do not see a logical reason why a cert from a non-public CA should be any different than one from your CA. If you take a look at the CA in the Personal store of the CAS server can you verify the whole chain? It sounds like you already imported the cert from your root CA into the Trusted Root store. Did this cert come from an intermediate CA? A stupid question is: have you tried changing the IMAP service to only accept TLS?

Josh
May 29th, 2008 5:19am

Yep, I can verify the whole chain. See these screen captures:

http://i158.photobucket.com/albums/t87/deisner/cert_debug_sc1.png
http://i158.photobucket.com/albums/t87/deisner/cert_debug_sc2.png

The private CA cert was imported into the trusted root store, and I can see it at Console Root > Certificates (Local Computer) > Trusted Root Certification Authorities > Registry > Certificates. Exchange can apparently find it (and the CRL), too, as it reports that the Exchange certificate is valid when I do a "Get-ExchangeCertificate | FL" in the Exchange Management shell. And no, this cert didn't come from an intermediate CA. There are only two nodes in the certification chain: the Exchange certificate, and the cert for our private CA.

As I mentioned, the certificate, which is enabled for IMAP, POP, IIS, and SMTP, works fine for IIS. For example, from a WinXP PC where I've installed the root cert for our private CA, I can connect to https://myserv.mydomain.foo.org/ or https://myserv.mydomain.foo.org/owa, and IIS uses the certificate for the connection and IE is happy with the cert and shows the correct (two-node) certification path up to our private CA.

I'm not sure if I tried it before, but I did try now: even when I tell the IMAP service to only accept TLS connections (in the Exchange Console, Server Configuration > Client Access > IMAP4 Properties dialog > Authentication tab > Logon Method I selected the final radio button, "Secure logon: A TLS connection is required for the client to authenticate to the server."). I restarted the IMAP service, but it doesn't solve the problem. It still says it can't find a certificate as described above.

Thanks for the ideas, please keep them coming, I do appreciate it!
May 29th, 2008 7:59pm

I finally solved the problem. For any hapless souls who find themselves in the same situation, here's the post mortem.

I had been running our private CA (on a Linux box) by hand, generating the "openssl ..." commands myself. The certificates so generated have been working fine in various contexts (Apache and IIS web servers), but for some reason Exchange was unhappy with them. So I decided to try using TinyCA (http://tinyca.sm-zone.net/) instead. I installed the new CA cert and CRL on the Exchange server (using certutil -addstore), generated a CSR, signed it in TinyCA, installed the resulting cert on the Exchange server, restarted the IMAP service, and voila, I have secure IMAP working.

Comparing the server certificate generated by hand with the cert generated using TinyCA, I notice a few differences:

1. The "hand-made" cert is Version 1, while the TinyCA cert is Version 3.
2. The TinyCA cert includes an X509v3 extensions section, and the hand-made cert does not.
3. The X509v3 extensions in the TinyCA cert consist of:

    X509v3 Basic Constraints: CA:FALSE
    Netscape Cert Type: SSL Server
    Netscape Comment: TinyCA Generated Certificate
    X509v3 Subject Key Identifier: XX:XX:...:XX
    X509v3 Authority Key Identifier: keyid:XX:...:XX DirName:/C=US/ST=XXXXX Certificate Authority serial:XX:XX:....XX
    X509v3 Issuer Alternative Name: <EMPTY>
    X509v3 Subject Alternative Name: <EMPTY>

Everything else appears to be the same: same signature algorithm (sha1WithRSAEncryption), same public key algorithm (rsaEncryption), and same number of bits. So there you go.
July 9th, 2008 12:20am
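The fix in the post above came down to the difference between an X.509 v1 certificate with no extensions (which is also what the first post's "Version : 1" and "Extensions : {}" output shows) and a v3 certificate carrying Basic Constraints, Subject Key Identifier, Authority Key Identifier and so on. The following script is an added example, not David's commands or anything TinyCA produces: it builds a throwaway private CA with OpenSSL, issues a server certificate as v3 with an extension profile comparable to the TinyCA output (plus a subjectAltName, which TinyCA left empty), and then checks the version and extensions of the result the way you would check a certificate before importing it on the server. The CA name, the hostname exchange.example.org and the file names are placeholders; the only dependency is the openssl command-line tool (1.1.1 or later assumed).

```shell
#!/bin/sh
# Added example (not from the original thread): issue a v3 server certificate
# from a private OpenSSL CA and verify that it is v3 with the expected extensions.
# All names below are placeholders, not the thread's real server or CA.
set -e

WORK="${WORK:-$(mktemp -d)}"
HOST="${HOST:-exchange.example.org}"   # placeholder hostname

# One config file serves the CSR, the CA cert and the signing step.
# Signing WITHOUT -extfile/-extensions is what yields the bare v1
# certificate the original poster started with.
write_config() {
  cat > "$WORK/pki.cnf" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = placeholder

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:$HOST
EOF
}

# Throwaway private CA: self-signed, v3, CA:TRUE.
make_ca() {
  openssl req -x509 -config "$WORK/pki.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/C=US/O=Example Org/CN=Example Private CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# CSR for the server, then sign it with the v3_server profile applied.
make_server_cert() {
  openssl req -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$HOST" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 \
    -extfile "$WORK/pki.cnf" -extensions v3_server \
    -out "$WORK/server.crt" 2>/dev/null
}

# Print the X.509 version (1 or 3) of a PEM certificate.
cert_version() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]*\).*/\1/p'
}

# Succeed when the certificate carries the named X509v3 extension
# ($2 is the name as openssl prints it, e.g. "Basic Constraints").
cert_has_extension() {
  openssl x509 -in "$1" -noout -text | grep -q "X509v3 $2:"
}

# Succeed when the server certificate chains to the CA certificate.
cert_chain_ok() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

main() {
  write_config
  make_ca
  make_server_cert
  echo "server certificate version: $(cert_version "$WORK/server.crt")"
  openssl x509 -in "$WORK/server.crt" -noout -text \
    | sed -n '/X509v3 extensions/,/Signature Algorithm/p'
  cert_chain_ok && echo "chain to private CA verifies"
}

main "$@"
```

To check a certificate you already have, run cert_version on its PEM file (convert a DER export first with openssl x509 -inform DER -in cert.cer -out cert.pem); a result of 1, or no X509v3 extensions section in the -text output, is exactly the state described in the thread, and re-signing the same CSR with an extension profile like v3_server is the repair.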

I ran into the same problem but using a Windows Server 2003 CA. After hours of pain I fixed it by importing the CA's Root certificate into the Exchange 2007 server again but selecting to "Place the Certificate in the following store", click browse, then "Show Physical stores", then choosing "Trusted Root Certification Authorities", then "Local computer". I stopped and started the IMAP service and it's not throwing the error any more. Now when I run get-ExchangeCertificates | fl I get:

    RootCAType : Registry

Before it was set to unknown. Hope this helps.

Greg
January 21st, 2009 2:52pm
