
SSL certificate question.


JYA

Jan 10, 2008, 5:31:38 AM
Hello

I have been trying to use our own SSL CA certificate without 100%
success with an Exchange 2007 server.

Basically, using our own CA certificate, pretty much all services work
with SSL except IMAP, which terminates the connection immediately:
server2# telnet 192.168.0.12 imaps
Trying 192.168.0.12...
Connected to 192.168.0.12.
Escape character is '^]'.
* BYE Connection is closed. 14
Connection closed by foreign host.
server2#

In the log I see the error:
"The IMAP4 service failed to connect using SSL or TLS encryption. A
valid certificate is not configured to respond to SSL/TLS
connections. Check the configured hostname as well as which
certificates are installed in the Personal Certificates store of the
Computer."

In the Exchange console command utility, everything appears fine:
[PS] C:\Documents and Settings\avenardj>Get-ExchangeCertificate | FL
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {exchange.hydrix.com, baltar.exchange.hydrix.com, baltar}
HasPrivateKey : True
IsSelfSigned : False
Issuer : E=domain...@hydrix.com, O=Hydrix, L=Melbourne, S=VIC, C=AU, CN=Hydrix Root CA
NotAfter : 30/12/2009 9:10:33 PM
NotBefore : 10/01/2008 9:10:33 PM
PublicKeySize : 1024
RootCAType : Unknown
SerialNumber : 12
Services : IMAP, POP, IIS, SMTP
Status : Valid
Subject : CN=exchange.hydrix.com, OU=Hydrix Research, O=Hydrix, S=VIC, C=AU
Thumbprint : A32C65A4816E6F2154E7A49F9EA5A9FBE75C64FD

Andy David {MVP}

Jan 10, 2008, 7:04:09 AM
On Thu, 10 Jan 2008 02:31:38 -0800 (PST), JYA <jyav...@gmail.com>
wrote:

>Hello
>
>I have been trying to use our own SSL CA certificate without a 100%
>success with an Exchange 2007 server.
>
>Basically, using our own CA certificate, pretty much all services work
>with SSL except IMAP ; which terminates immediately the connection:
>server2# telnet 192.168.0.12 imaps
>Trying 192.168.0.12...
>Connected to 192.168.0.12.
>Escape character is '^]'.
>* BYE Connection is closed. 14
>Connection closed by foreign host.
>server2#
>

Did you enable the certificate and apply it to the services via
Powershell?

JYA

Jan 10, 2008, 8:06:39 AM
Hi

> Did you enable the certificate and apply it to the services via
> Powershell?

Yes, I ran the command:
Import-ExchangeCertificate -Path c:\path_to_der_file
then enabled the certificate with:
Enable-ExchangeCertificate -thumbprint xxxxxxxxxx -Services
"IMAP,POP,SMTP,IIS"

However, even after doing so, when restarting the IMAP service, it
shows the error about not being able to find the certificate.
However, if I go into Internet Explorer -> Tools -> Internet Options ->
Content -> Certificates, I can see both the CA certificate (in Trusted
Root Certificates) and this SSL certificate.

I am confused, however, as to why Get-ExchangeCertificate | Fl would
give me a RootCAType of Unknown, which according to Microsoft means
that it is unable to find the CA certificate in the list.
It seems that I would have to find the explanation for this before I
could move forward.

I have found various posts about IMAP and SMTP not finding the SSL
certificate, even though they are imported and installed from the
command line and IIS can use it without problems. But the usual
explanation was that the person was using a wildcard certificate
(which I'm not) or had put an E=email in the Subject properties of the
SSL certificate. None of which apply in my case.

Thanks for your help
Jean-Yves

JYA

Jan 10, 2008, 10:03:44 AM
Hi

On Jan 11, 12:06 am, JYA <jyaven...@gmail.com> wrote:
> I have found various posts about IMAP and SMTP not finding the SSL
> certificate, even though they are imported and installed from the
> command line and IIS can use it without problems. But the usual
> explanation was that the person was using a wildcard certificate
> (which I'm not) or had put a E=email in the Subject properties of the
> SSL certificate . None of which apply in my case.

Very happy. I finally solved my problem.

As I suspected, the reason was Exchange not finding my CA
certificate (even though it is installed).
It seems that Exchange ignores all user-installed CA certificates and
only works with the Microsoft system-provided ones.

So what I did was:
I installed my CA as usual.
Then ran regedit. Ran a search to find the thumbprint of my CA
certificate.

Once I found my registry entry for my CA certificate, I exported it.
Then using a text editor I opened the .reg file I had just created and
modified the first line so it would install in the same location as
where Microsoft installs the system one.
For me, I had to change the location to:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\712DE115187E640A479D012AAADA2C58A7915672]

Then I installed this new registry key.

Now when I run the command Get-ExchangeCertificate | Fl, I get:
PublicKeySize : 1024
RootCAType : ThirdParty
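The registry move described in the last post, as an added example that is not the poster's own code: a PowerShell script that reports which LocalMachine store (Root, AuthRoot or CA) holds the CA certificate, optionally copies it into AuthRoot through the X509Store API instead of hand-editing a .reg export (AuthRoot is backed by the HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot key the poster edited), and then checks that the server certificate chains cleanly. The thumbprint parameters are placeholders to be replaced.

```powershell
# Added example, not code from the thread. Run in an elevated shell when -CopyToAuthRoot is used.
param(
    [string]$CaThumbprint = 'REPLACE_WITH_CA_THUMBPRINT',      # placeholder: your CA's thumbprint
    [string]$ServerThumbprint = '',                            # optional: Exchange server cert
    [switch]$CopyToAuthRoot
)
$CaThumbprint = ($CaThumbprint -replace '\s', '').ToUpperInvariant()
$caCert = $null
$present = @{}

# Root = admin-installed trusted roots, AuthRoot = Microsoft third-party roots, CA = intermediates.
# All three are persisted under HKLM\SOFTWARE\Microsoft\SystemCertificates\<store>\Certificates.
$storeNames = 'Root', 'AuthRoot', 'CA'
foreach ($name in $storeNames) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($name, 'LocalMachine')
    $store.Open('ReadOnly')
    $hits = $store.Certificates.Find('FindByThumbprint', $CaThumbprint, $false)
    $present[$name] = ($hits.Count -gt 0)
    if ($hits.Count -gt 0 -and -not $caCert) { $caCert = $hits[0] }
    $store.Close()
}
foreach ($name in $storeNames) {
    '{0,-8}: {1}' -f $name, $(if ($present[$name]) { 'present' } else { 'absent' })
}
if (-not $caCert) { throw "CA certificate $CaThumbprint not found in Root, AuthRoot or CA" }

# Same effect as the poster's .reg import, but through the store API (writes the AuthRoot key).
if ($CopyToAuthRoot -and -not $present['AuthRoot']) {
    $auth = New-Object System.Security.Cryptography.X509Certificates.X509Store('AuthRoot', 'LocalMachine')
    $auth.Open('ReadWrite')
    $auth.Add($caCert)
    $auth.Close()
    "Copied $CaThumbprint into LocalMachine\AuthRoot"
}

# Optional: confirm the server certificate now builds a trusted chain to the CA.
if ($ServerThumbprint) {
    $my = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $my.Open('ReadOnly')
    $srv = $my.Certificates.Find('FindByThumbprint', ($ServerThumbprint -replace '\s', ''), $false)
    $my.Close()
    if ($srv.Count -eq 0) { throw "Server certificate $ServerThumbprint not found in LocalMachine\My" }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # private CAs frequently publish no CRL
    "Chain builds cleanly: " + $chain.Build($srv[0])
    foreach ($s in $chain.ChainStatus) { '  {0}: {1}' -f $s.Status, $s.StatusInformation.Trim() }
}
```

Anything placed in AuthRoot is trusted machine-wide exactly like a Microsoft-distributed root, so record the change and include that store when auditing the server for unexpected trust anchors.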
