Article ID: 948896 - Last Review: October 7, 2008 - Revision: 1.0

Certificates that contain wildcard characters may not work correctly on an Exchange 2007 Service Pack 1-based server

SYMPTOMS
In a Microsoft Exchange Server 2007 Service Pack 1 environment, you install a certificate that contains wildcard characters in the domain name. Then, you try to enable the certificate for the Post Office Protocol (POP) service or for the Internet Message Access Protocol (IMAP) service by using the Enable-ExchangeCertificate cmdlet. In this situation, three events of the following type are logged:
Event Type: Error

CAUSE
This problem occurs because the Exchange server cannot find a matching certificate when it creates a Transport Layer Security (TLS) session with a client. The Enable-ExchangeCertificate cmdlet automatically configures the X509CertificateName parameter in the POP settings and in the IMAP settings by using the domain name in the certificate. When the Exchange server creates a TLS session with a client, it searches for a certificate whose name matches that configured value. However, the Exchange server cannot find a matching certificate, because the name that was taken from the certificate is a wildcard name and not a specific fully qualified domain name (FQDN).

RESOLUTION
To resolve this problem, download Update Rollup 4 for Exchange 2007 Service Pack 1. Then, install Update Rollup 4 on the Exchange server.
For more information about Update Rollup 4 for Exchange 2007 Service Pack 1, click the following article number to view the article in the Microsoft Knowledge Base:
952580 (http://support.microsoft.com/kb/952580/) Description of Update Rollup 4 for Exchange Server 2007 Service Pack 1
After you apply this software update, the Enable-ExchangeCertificate cmdlet and the New-ExchangeCertificate cmdlet no longer set the X509CertificateName parameter. Instead, POP and IMAP are removed as valid values for the -Services parameter. To help administrators, the cmdlet displays a warning that resembles the following:
Additionally, the X509CertificateName parameter of the Set-IMAPSettings cmdlet and of the Set-POPSettings cmdlet does not accept wildcard characters.

STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION
A wildcard character domain name is a special kind of domain name that represents multiple sub-domains. Wildcard character domain names can simplify certificates because a single wildcard domain name represents all the sub-domains for that domain. Wildcard character domain names are represented by an asterisk character (*) on the DNS node. For example, *.contoso.com represents contoso.com and all the sub-domains for contoso.com. When you use a wildcard character to create a certificate or to create a certificate request for all accepted domains, you can simplify the request significantly.

REFERENCES
For more information about certificate use in Exchange Server 2007, visit the following Microsoft Web site:
Server 2007, visit the following Microsoft Web site: http://technet.microsoft.com/en-us/library/bb851505(EXCHG.80).aspx
For more information about Exchange 2007 Client Access and about SSL, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/library/cc164344(EXCHG.80).aspx
For more information about how to retrieve the thumbprint of a certificate, visit the following Microsoft Web site:
http://msdn.microsoft.com/en-us/library/ms734695.aspx
For more information about domain security in Exchange 2007, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/library/bb266978.aspx
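The name-matching behavior described in the CAUSE and MORE INFORMATION sections can be illustrated with a small model. The following Python script is an added example; it is not Exchange code and does not come from this article. It models a certificate store that holds a wildcard certificate, shows that a lookup by exact FQDN (the kind of value that X509CertificateName holds) finds nothing, and contrasts that with the per-label wildcard matching that TLS clients apply. The client-side rule used here is the RFC 6125 convention (a wildcard stands for exactly one left-most label and does not cover the bare base domain), which is stricter than the simplified description in MORE INFORMATION and is an assumption about client behavior rather than a statement from the article. The script also includes a validator that rejects wildcard characters in the way the post-rollup X509CertificateName parameter of Set-POPSettings and Set-IMAPSettings does. The store contents, thumbprints and function names are all constructed for this example.

```python
"""Model of how a server-side lookup by exact FQDN fails against a wildcard
certificate, and how wildcard name matching differs from exact matching.

Added example for illustration; it is not Exchange code. The certificate
store, thumbprints and function names below are constructed for this script.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Certificate:
    """A certificate reduced to what name matching needs."""
    thumbprint: str                 # constructed placeholder, not a real hash
    subject_names: tuple[str, ...]  # CN plus subjectAltName DNS entries


# Constructed store: one wildcard certificate and one single-name certificate.
CERT_STORE: list[Certificate] = [
    Certificate("AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111", ("*.contoso.com",)),
    Certificate("BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222", ("legacy.fabrikam.com",)),
]


def exact_name_lookup(store: list[Certificate], configured_name: str) -> Certificate | None:
    """Find a certificate whose subject name equals the configured name exactly.

    This models a lookup that treats the configured name as a literal FQDN:
    a wildcard certificate never matches a specific host name here, which is
    the mismatch the article describes.
    """
    wanted = configured_name.lower()
    for cert in store:
        if any(name.lower() == wanted for name in cert.subject_names):
            return cert
    return None


def wildcard_matches(pattern: str, host: str) -> bool:
    """Return True if a presented name covers host.

    Assumption: the RFC 6125 convention used by TLS clients. A '*' is only
    honoured as the entire left-most label, it stands for exactly one label,
    and it does not cover the bare base domain, so '*.contoso.com' matches
    'mail.contoso.com' but not 'contoso.com' or 'a.b.contoso.com'.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:]:
        return False                       # only a whole left-most '*' label
    if len(p_labels) < 3:
        return False                       # refuse '*.com'-style patterns
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def client_name_match(cert: Certificate, host: str) -> bool:
    """A client accepts cert for host if any subject name covers it."""
    return any(wildcard_matches(name, host) for name in cert.subject_names)


def find_certificate_for(store: list[Certificate], host: str) -> Certificate | None:
    """Wildcard-aware lookup: the first certificate a client would accept for host."""
    for cert in store:
        if client_name_match(cert, host):
            return cert
    return None


def validate_x509_certificate_name(name: str) -> str:
    """Reject wildcard characters, as the post-rollup X509CertificateName
    parameter of Set-POPSettings and Set-IMAPSettings does. Returns the
    normalised name on success."""
    if "*" in name:
        raise ValueError(f"X509CertificateName must be a specific FQDN, not a wildcard: {name!r}")
    if not name or name != name.strip() or " " in name:
        raise ValueError(f"not a well-formed FQDN: {name!r}")
    return name.lower()


if __name__ == "__main__":
    host = "mail.contoso.com"
    print("exact lookup:", exact_name_lookup(CERT_STORE, host))
    print("wildcard-aware lookup:", find_certificate_for(CERT_STORE, host).thumbprint)
    print("accepted:", validate_x509_certificate_name(host))
    try:
        validate_x509_certificate_name("*.contoso.com")
    except ValueError as exc:
        print("rejected:", exc)
```

Running the script shows the two halves of the problem side by side: the exact lookup for mail.contoso.com returns nothing even though the wildcard certificate would be accepted by a client for that host, and the validator refuses to store *.contoso.com as X509CertificateName, which is why an administrator sets a specific FQDN such as mail.contoso.com there after the rollup.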