Exchange 2010 can’t find SSL certificate that exists

exchange-2010, pop3, ssl-certificate, x509

I'm trying to set up TLS for the POP3 server in the Exchange CAS role.

I purchased a cert from NameCheap, and the CA path is fully trusted, and installed it within the Certificates MMC snap-in without any trouble.

However Exchange 2010 doesn't seem to like it: I see this in the event viewer:

Event ID: 2007
Source: MSExchangePOP3
A certificate for the host name "mail.mydomain.net" couldn't be found. SSL or TLS encryption can't be made to the POP3 service.

…despite the fact that such a certificate does exist:

[PS] C:\Windows\system32>Get-ExchangeCertificate

Thumbprint                                Services   Subject
----------                                --------   -------
DAFFAE2391F40412386DCFC3AC8E822AAE181312  .P.W..     CN=mail.mydomain.net, OU=PositiveSSL, OU=Domain Control Validated
1C363A4D6A40921230BBD02C47A3260863D05CAA  I...S.     CN=machineName
BCSH281A051860123D70C0BD2E1EB6DBABDC98DD  ......     CN=WMSvc-MACHINENAME

I've started the server (and services) numerous times. I don't understand why it doesn't work.

Best Answer

It looks like you have the certificate enabled and installed for POP3 services. You could try to rerun Enable-ExchangeCertificate. I'm assuming you requested the certificate with New-ExchangeCertificate; if not, that may be worthwhile for a clean Exchange certificate retry.

However, there are issues where the certificate in question can have certain problems that make Exchange 2010 fail. Try to use the self-signed default certificate to test temporarily and/or have NameCheap re-issue the certificate. Ref: Error ID 2007 Exchange 2010

If I'm way off, please post details of Get-ExchangeCertificate DAFFAE2391F40412386DCFC3AC8E822AAE181312 | fl
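
The checks discussed in this thread, gathered into one Exchange Management Shell script. This is an added example, not part of the original question or answer. It uses the thumbprint and host name posted in the question. Comparing against the X509CertificateName value from Get-PopSettings is an assumption about where a mismatch could sit, not something the answer states.

```powershell
# Added example: run in the Exchange Management Shell on the CAS server.
$thumb    = 'DAFFAE2391F40412386DCFC3AC8E822AAE181312'  # thumbprint from the question
$hostName = 'mail.mydomain.net'                          # host name named in event 2007

$cert = Get-ExchangeCertificate -Thumbprint $thumb
$pop  = Get-PopSettings

# Names the certificate covers (subject CN plus subject alternative names).
$domains = @($cert.CertificateDomains | ForEach-Object { "$_" })

# Properties that decide whether the POP3 service can pick up this certificate.
$checks = New-Object PSObject -Property @{
    HasPrivateKey  = [bool]$cert.HasPrivateKey
    Status         = "$($cert.Status)"
    NotExpired     = ($cert.NotAfter -gt (Get-Date))
    EnabledForPop  = ("$($cert.Services)" -match 'POP')
    CoversHostName = ($domains -contains $hostName)   # exact match only, no wildcard logic
    PopX509Name    = $pop.X509CertificateName
    PopNameMatches = ($pop.X509CertificateName -eq $hostName)
}
$checks | Format-List

# A certificate imported without its private key cannot be used for TLS.
if (-not $checks.HasPrivateKey) {
    Write-Warning "No private key for $thumb; re-import the certificate with its key."
}
if (-not $checks.CoversHostName) {
    Write-Warning "Certificate names ($($domains -join ', ')) do not include $hostName."
}
if (-not $checks.PopNameMatches) {
    # Assumption: POP3 looks the certificate up by this configured name.
    Write-Warning "Get-PopSettings X509CertificateName is '$($pop.X509CertificateName)', not $hostName."
}

# Rerun Enable-ExchangeCertificate as the answer suggests, then restart POP3,
# but only when the certificate itself looks usable.
if ($checks.HasPrivateKey -and $checks.NotExpired -and $checks.CoversHostName) {
    Enable-ExchangeCertificate -Thumbprint $thumb -Services POP
    Restart-Service MSExchangePOP3
}

# Full detail, as requested at the end of the answer.
$cert | Format-List
```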