Certificates that contain wildcard characters may not work correctly on an Exchange 2007 Service Pack 1-based server

Article ID: 948896

SYMPTOMS

In a Microsoft Exchange Server 2007 Service Pack 1 environment, you install a certificate that contains wildcard characters in the domain name. Then, you try to enable the certificate for the Post Office Protocol (POP) service or for the Internet Message Access Protocol (IMAP) service by using the following cmdlet.
Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services POP, IMAP
After you do this, the following errors are logged in the Application log when the POP service or the IMAP service is started:

Event Type: Error
Event Source: MSExchangePOP3
Event Category: General
Event ID: 2007
Description:
A certificate for the host name "*.contoso.com" could not be found. SSL or TLS encryption cannot be made to the POP3 service.

Event Type: Error
Event Source: MSExchangeIMAP4
Event Category: General
Event ID: 2007
Description:
A certificate for the hostname "*.contoso.com" could not be found. SSL or TLS encryption cannot be made to the IMAP service.

Event Type: Error
Event Source: MSExchangePOP3
Event Category: General
Event ID: 1102
Description:
The POP service failed to connect using SSL or TLS encryption. A valid certificate is not configured to respond to SSL/TLS connections. Check the configured hostname as well as which certificates are installed in the Personal Certificates store of the Computer.

In this case, POP3 and IMAP4 clients cannot use Secure Sockets Layer (SSL) or TLS to connect to the mailbox.

CAUSE

This problem occurs because the Exchange server cannot find a matching certificate when it creates a Transport Layer Security (TLS) session with a client. The Enable-ExchangeCertificate cmdlet automatically sets the X509CertificateName parameter in the POP settings and in the IMAP settings to the domain name in the certificate. When the Exchange server creates a TLS session with a client, it searches the computer's Personal certificate store for a certificate whose name matches X509CertificateName. Because the value that was written is the wildcard name (for example, *.contoso.com) and not a specific fully qualified domain name (FQDN), no certificate matches and the lookup fails.

RESOLUTION

To resolve this problem, download Update Rollup 4 for Exchange 2007 Service Pack 1. For more information about Update Rollup 4 for Exchange Server 2007 Service Pack 1, see the following Exchange Help topic:
Description of Update Rollup 4 for Exchange Server 2007 Service Pack 1
For more information about how to obtain the latest Exchange service pack or update rollup, see the following Exchange Help topic:
How to Obtain the Latest Service Pack or Update Rollup for Exchange 2007
After you apply this software update, the Enable-ExchangeCertificate cmdlet and the New-ExchangeCertificate cmdlet no longer set the X509CertificateName parameter for the POP and IMAP services. POP and IMAP remain valid values for the -Services parameter, but the X509CertificateName value must be set separately by using the Set-POPSettings cmdlet and the Set-IMAPSettings cmdlet.

To help administrators, the cmdlet displays a warning that resembles the following:
POP3 and/or IMAP4 access might not work since this command does not set the X509CertificateName for the POP3 and IMAP4 services. Please complete the configuration for each service by running "set-POPSettings -X509CertificateName <The FQDN that POP clients will use to connect server>" for the POP3 service and "set-IMAPSettings -X509CertificateName <The FQDN that POP clients will use to connect server>" for the IMAP4 service.
Additionally, the X509CertificateName parameter of the Set-POPSettings cmdlet and of the Set-IMAPSettings cmdlet does not accept wildcard characters. You must supply the specific FQDN that clients use to connect to the server, and that name must be covered by the certificate that is enabled for the service.
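The complete post-update procedure, as an added example that is not part of this article: it assumes the Exchange Management Shell on the Client Access server, a placeholder thumbprint passed as $Thumbprint, and that POP3/IMAP4 clients connect to mail.contoso.com (a placeholder). The Enable-ExchangeCertificate, Set-PopSettings, Set-ImapSettings and Get-ExchangeCertificate cmdlets are the Exchange 2007 ones; the event-log check at the end is a generic Windows PowerShell check added here to confirm that events 2007 and 1102 stop appearing.

```powershell
# Added example, not from the KB article. Completes the POP3/IMAP4 certificate
# configuration after Update Rollup 4, when Enable-ExchangeCertificate no longer
# sets X509CertificateName. Run in the Exchange Management Shell on the Client
# Access server. $Thumbprint and mail.contoso.com are placeholders (assumptions).
param(
    [string] $Thumbprint,                      # thumbprint of the wildcard certificate
    [string] $ClientFqdn = 'mail.contoso.com'  # the name POP3/IMAP4 clients connect to
)
if (-not $Thumbprint) { throw 'Supply the certificate thumbprint (see Get-ExchangeCertificate).' }
if ($ClientFqdn.Contains('*')) { throw 'X509CertificateName must be a specific FQDN, not a wildcard.' }

# 1. Bind the certificate to POP and IMAP. After the rollup this prints the
#    warning that X509CertificateName was not set; that is expected.
Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services POP, IMAP

# 2. Set the specific host name for each protocol service.
Set-PopSettings  -X509CertificateName $ClientFqdn
Set-ImapSettings -X509CertificateName $ClientFqdn

# 3. Restart the services so they look up the certificate by the new name.
$restartTime = Get-Date
Restart-Service MSExchangePOP3
Restart-Service MSExchangeIMAP4

# 4. Verify the configuration and check the Application log for events
#    2007/1102 logged since the restart (the symptom this article describes).
'POP  X509CertificateName : ' + (Get-PopSettings).X509CertificateName
'IMAP X509CertificateName : ' + (Get-ImapSettings).X509CertificateName
Get-ExchangeCertificate -Thumbprint $Thumbprint |
    Format-List Thumbprint, Services, CertificateDomains

$sources  = 'MSExchangePOP3', 'MSExchangeIMAP4'
$failures = Get-EventLog -LogName Application -Newest 500 |
    Where-Object { $_.TimeGenerated -gt $restartTime -and
                   $sources -contains $_.Source -and
                   ($_.EventID -eq 2007 -or $_.EventID -eq 1102) }
if ($failures) {
    'Certificate errors logged since restart:'
    $failures | Format-Table TimeGenerated, Source, EventID, Message -AutoSize
} else {
    "No POP3/IMAP4 certificate errors logged since $restartTime"
}
```

The POP3 and IMAP4 services are disabled by default on Exchange 2007; if Restart-Service fails for that reason, set the startup type to Automatic and start the service first. The Services value printed by Get-ExchangeCertificate should include POP and IMAP, and the CertificateDomains list should contain a wildcard that covers the FQDN you configured.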

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

A wildcard character domain name is a special kind of domain name that represents multiple sub-domains. Wildcard character domain names can simplify certificates because a single wildcard domain name represents all the sub-domains for that domain. Wildcard character domain names are represented by an asterisk character (*) in the leftmost DNS label.

For example, *.contoso.com covers host names such as mail.contoso.com and autodiscover.contoso.com. Note that the wildcard stands in for exactly one DNS label: under the matching rules that TLS clients generally follow (RFC 6125), *.contoso.com covers neither the bare domain contoso.com nor a deeper name such as pop.eu.contoso.com, so any such name must be listed in the certificate explicitly. When you use a wildcard character to create a certificate or to create a certificate request for all accepted domains, you can simplify the request significantly.
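The single-label matching rule, as an added example that is not part of this article: a PowerShell function implementing the wildcard comparison of RFC 6125 section 6.4.3, run against a few constructed host names. It is a stand-alone illustration of the rule, not code from Exchange or from Microsoft.

```powershell
# Added example, not from the KB article: single-label wildcard matching as
# specified in RFC 6125 section 6.4.3. Host names below are constructed placeholders.
function Test-WildcardMatch {
    param([string] $CertName, [string] $HostName)

    $cert   = $CertName.ToLowerInvariant()
    $target = $HostName.ToLowerInvariant()

    # No wildcard: the names must be identical (case-insensitively).
    if (-not $cert.Contains('*')) { return ($cert -eq $target) }

    $certLabels   = $cert.Split('.')
    $targetLabels = $target.Split('.')

    # The asterisk must be the entire leftmost label, and at least two labels
    # must follow it ("*.com" is not acceptable).
    if ($certLabels[0] -ne '*' -or $certLabels.Length -lt 3) { return $false }

    # The wildcard stands in for exactly one label, so the apex (contoso.com)
    # and deeper names (pop.eu.contoso.com) have the wrong label count.
    if ($targetLabels.Length -ne $certLabels.Length) { return $false }
    if ($targetLabels[0].Length -eq 0) { return $false }

    # Every remaining label must match literally and must not itself be a wildcard.
    for ($i = 1; $i -lt $certLabels.Length; $i++) {
        if ($certLabels[$i].Contains('*')) { return $false }
        if ($certLabels[$i] -ne $targetLabels[$i]) { return $false }
    }
    return $true
}

# Constructed cases: certificate name, client-supplied host name, expected result.
$cases = @(
    @('*.contoso.com',    'mail.contoso.com',         $true),
    @('*.contoso.com',    'MAIL.Contoso.COM',         $true),
    @('*.contoso.com',    'contoso.com',              $false),  # apex is not covered
    @('*.contoso.com',    'pop.eu.contoso.com',       $false),  # wildcard spans one label only
    @('*.contoso.com',    'mail.contoso.com.example', $false),  # suffix must match exactly
    @('*.com',            'contoso.com',              $false),  # too few labels after the wildcard
    @('mail.contoso.com', 'mail.contoso.com',         $true)
)
foreach ($case in $cases) {
    $result = Test-WildcardMatch $case[0] $case[1]
    '{0,-18} vs {1,-26} -> {2,-5} (expected {3})' -f $case[0], $case[1], $result, $case[2]
}
```

The practical consequence for this article: the value you give to Set-POPSettings or Set-IMAPSettings must be a name for which Test-WildcardMatch would return True against the certificate's wildcard name, so mail.contoso.com works with *.contoso.com, but contoso.com or pop.eu.contoso.com would need a certificate that names them explicitly.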

REFERENCES

For more information about certificate use in Exchange Server 2007, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/library/bb851505(EXCHG.80).aspx
For more information about Exchange 2007 Client Access and about SSL, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/library/cc164344(EXCHG.80).aspx
For more information about how to retrieve the thumbprint of a certificate, visit the following Microsoft Web site:
http://msdn.microsoft.com/en-us/library/ms734695.aspx
For more information about domain security in Exchange 2007, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/library/bb266978.aspx

Properties

Article ID: 948896 - Last Review: October 7, 2008 - Revision: 1.1
APPLIES TO
  • Microsoft Exchange Server 2007 Service Pack 1, when used with:
    • Microsoft Exchange Server 2007 Enterprise Edition
    • Microsoft Exchange Server 2007 Standard Edition
Keywords: kbbug kbfix kbqfe KB948896
