Article ID: 948896 - View products that this article applies to.
In a Microsoft Exchange Server 2007 Service Pack 1 environment, you install a certificate that contains wildcard characters in the domain name. Then, you try to enable the certificate for the Post Office Protocol (POP) service or for the Internet Message Access Protocol (IMAP) service by using the following cmdlet.
After you do this, the following event errors are logged when the POP service or the IMAP service is started:
Event Type: Error
Event Type: Error
Event Type: Error
This problem occurs because the Exchange server cannot find a matching certificate when it creates a Transport Layer Security (TLS) session with a client. The Enable-ExchangeCertificate cmdlet automatically configures the X509CertificateName parameter in the POP settings and in the IMAP settings by using the domain name in the certificate. The Exchange server searches for compatible certificates when the Exchange server creates a TLS session with a client. However, the Exchange server cannot find a matching certificate because there is no specific fully qualified domain name (FQDN).
To resolve this problem, download Update Rollup 4 for Exchange 2007 Service Pack 1. For more information about Update Rollup 4 for Exchange Server 2007 Service Pack 1, see the following Exchange Help topic:
Description of Update Rollup 4 for Exchange Server 2007 Service Pack 1For more information about how to obtain the latest Exchange service pack or update rollup, see the following Exchange Help topic:
How to Obtain the Latest Service Pack or Update Rollup for Exchange 2007After you apply this software update, the Enable-ExchangeCertificate cmdlet and the New-ExchangeCertificate cmdlet will not set the X509CertificateNameparameter. The X509CertificateNameparameter is set by removing POP and IMAP as valid values from the -Services parameter.
To help administrators, the cmdlet displays a warning that resembles the following: Additionally, the Set-IMAPSettings cmdlet and the X509CertificateName parameter for the Set-POPSetings cmdlet do not accept wildcard characters.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
A wildcard character domain name is a special kind of domain name that represents multiple sub-domains. Wildcard character domain names can be simplify certificates because a single wildcard domain name represents all the sub-domains for that domain. Wildcard character domain names are represented by an asterisk character (*) on the DNS node.
For example, *.contoso.com represents contoso.com and all the sub-domains for contoso.com. When you use a wildcard character to create a certificate or to create a certificate request for all accepted domains, you can simplify the request significantly.
For more information about certificate use in Exchange Server 2007, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/library/bb851505(EXCHG.80).aspxFor more information about Exchange 2007 Client Access and about SSL, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/library/cc164344(EXCHG.80).aspxFor more information about how to retrieve the thumbprint of a certificate, visit the following Microsoft Web site:
http://msdn.microsoft.com/en-us/library/ms734695.aspxFor more information about domain security in Exchange 2007, visit the following Microsoft Web site:
Article ID: 948896 - Last Review: October 7, 2008 - Revision: 1.1
Contact us for more help
Connect with Answer Desk for expert help.