date: Fri, 9 May 2008 15:31:02 -0700,    group: microsoft.public.exchange.admin


Using private Certificate Authority for IMAP SSL   
I have an Exchange 2007 Server (Standard, SP1) running on Windows Server 2003 
R2 SP2.  Our organization has its own CA (running on a non-Windows box).  
I've been trying and trying (and trying) to get TLS working with a cert 
signed by our CA, but with no luck.

I imported our CA cert and its CRL using CertUtil -addstore root.  Then I 
used New-Exchange to generate a CSR, and signed that using our CA.  Then I 
imported the signed cert with Import-ExchangeCertificate and used 
Enable-ExchangeCertificate for the IMAP, POP, IIS, and SMTP services.  At 
this point the Cert worked fine for IIS (connecting to the default web site 
with https:// used the CA-signed certificate), but whenever I started the 
IMAP service, in Event viewer I would see an error from MSExchangeIMAP4, 
Event ID 2007: 'A certificate for the hostname 
"servername.domainname.foo.org" could not be found.  SSL or TLS encryption 
cannot be made to the IMAP service.'

In the Exchange Shell,  if I did "Get-ExchangeCertificate | FL *", I'd see 
that the SubjectName looked right, and so did the CertificateDomains list.  
The RootCAType was "Registry" and the Status was "Valid".

Then I thought, OK, maybe our root CA cert needs to be installed with a 
GroupPolicy instead.  I removed the root CA certificate from the registry, 
and placed it in the Default GPO for the domain.  (I don't see how it's 
possible to install the CRL using a GPO, so that's still in the local store.) 
Now the Exchange cert is listed with RootCAType "GroupPolicy", and the 
status is again "Valid."  But still no love: I get the same error message 
when I restart the IMAP service.

Here's the current output of Get-ExchangeCertificate | FL * (with consistent 
obfuscation):

AccessRules          : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains   : {servername.domainname.foo.org}
CertificateRequest   :
IisServices          : {IIS://servername/W3SVC/1}
IsSelfSigned         : False
KeyIdentifier        : C87XXXXXXXXXXXXXXXXXXXXXXX35
RootCAType           : GroupPolicy
Services             : IMAP, POP, IIS, SMTP
Status               : Valid
PrivateKeyExportable : True
Archived             : False
Extensions           : {}
FriendlyName         : Microsoft Exchange
IssuerName           : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter             : 5/10/2018 4:33:47 PM
NotBefore            : 5/9/2008 4:33:47 PM
HasPrivateKey        : True
PrivateKey           : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey            : System.Security.Cryptography.X509Certificates.PublicKey
RawData              : {48, 130, 2, ...}
SerialNumber         : 01
SubjectName          : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm   : System.Security.Cryptography.Oid
Thumbprint           : 52DXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Version              : 1
Handle               : 493968480
Issuer               : CN=OUR CA, O=OUR Orgname, C=US
Subject              : CN=servername.domainname.foo.org

Any ideas?  Has anybody been able to get this to work, or did you just break 
down and use a commercial certificate authority?

Thanks.
date: Fri, 9 May 2008 15:31:02 -0700   author:   David Eisner
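A diagnostic added here (not part of the thread, and not Exchange's own documentation) to run in the Exchange Management Shell after the steps above: it compares the hostname the IMAP service is configured to look for with the CertificateDomains of every certificate enabled for IMAP, then builds each certificate's chain with revocation checking so that a trust failure shows its specific reason rather than a bare "Valid"/error. It assumes the Get-ImapSettings cmdlet and its X509CertificateName property, which the thread does not mention.

```powershell
# Added diagnostic, not from the thread. Run in the Exchange Management Shell
# on the server that runs the IMAP service. Get-ImapSettings and its
# X509CertificateName property are assumed here (not mentioned in the thread).

# 1. Which hostname does the IMAP service expect to find a certificate for?
#    A null value casts to "", so the comparison below simply fails instead of throwing.
$imapName = [string](Get-ImapSettings).X509CertificateName
Write-Host ("IMAP service is configured to look for: '" + $imapName + "'")

# 2. Which certificates are enabled for IMAP, and do their domains cover that name?
#    Services is a flags enum; -match against its string form ("IMAP, POP, ...") works.
$imapCerts = @(Get-ExchangeCertificate | Where-Object { $_.Services -match "IMAP" })
if ($imapCerts.Count -eq 0) { Write-Host "No certificate is enabled for the IMAP service." }

foreach ($cert in $imapCerts) {
    # CertificateDomains is a collection of domain objects; normalise to strings.
    $domains = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
    Write-Host ("Thumbprint " + $cert.Thumbprint + "  Subject " + $cert.Subject)
    Write-Host ("  CertificateDomains: " + [string]::Join(", ", $domains))
    if ($domains -contains $imapName) {          # -contains is case-insensitive
        Write-Host "  Hostname match: OK"
    } else {
        Write-Host "  Hostname match: MISMATCH (the IMAP service will not pick this certificate)"
    }

    # 3. Build the chain the way a service would, with CRL checking on.
    #    Get-ExchangeCertificate returns X509Certificate2-derived objects, so
    #    X509Chain.Build accepts them directly. If the CA's CRL distribution
    #    point is unreachable you will see RevocationStatusUnknown/OfflineRevocation,
    #    which separates a trust/CRL problem from a hostname problem.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if ($chain.Build($cert)) {
        Write-Host "  Chain build: OK"
    } else {
        foreach ($s in $chain.ChainStatus) {
            Write-Host ("  Chain build: " + $s.Status + " - " + $s.StatusInformation.Trim())
        }
    }
    # Print the chain as the server sees it, leaf first, so the root actually
    # used (registry store vs. Group Policy store) is visible.
    foreach ($el in $chain.ChainElements) { Write-Host ("    " + $el.Certificate.Subject) }
}
```

The same check applies to POP3 with Get-PopSettings in place of Get-ImapSettings.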

Re: Using private Certificate Authority for IMAP SSL   
>
>Any ideas?  Has anybody been able to get this to work, or did you just break 
>down and use a commercial certificate authority?

Using a 3rd party cert is not breaking down. It's really the only way
to go. 

Now, I don't know if it's going to solve your issue, but I would stay
away from self-rolled certs as much as possible.


>
>Thanks.
date: Fri, 09 May 2008 18:40:12 -0400   author:   Andy David {MVP}

Re: Using private Certificate Authority for IMAP SSL   
"Andy David  {MVP}" wrote:
> Using a 3rd party cert is not breaking down. Its really the only way
> to go. 

Apologies for the value-laden language. 

Setting aside for the moment the issue of whether self-rolled certs are good 
or bad policy, it should be technically possible to do what I'm attempting, 
right?  Nowhere in the documentation I've been reading does it say IMAP SSL 
will work only with self-signed certs or certs signed by public third-party 
root CAs.

-David
date: Fri, 9 May 2008 16:14:02 -0700   author:   David Eisner
