I have an Exchange 2007 Server (Standard, SP1) running on Windows Server 2003
R2 SP2. Our organization has its own CA (running on a non-Windows box).
I've been trying and trying (and trying) to get TLS working with a cert
signed by our CA, but with no luck.

I imported our CA cert and its CRL using CertUtil -addstore root. Then I
used New-Exchange to generate a CSR, and signed that using our CA. Then I
imported the signed cert with Import-ExchangeCertificate and used
Enable-ExchangeCertificate for the IMAP, POP, IIS, and SMTP services. At
this point the Cert worked fine for IIS (connecting to the default web site
with https:// used the CA-signed certificate), but whenever I started the
IMAP service, in Event viewer I would see an error from MSExchangeIMAP4,
Event ID 2007: 'A certificate for the hostname
"servername.domainname.foo.org" could not be found. SSL or TLS encryption
cannot be made to the IMAP service.'

In the Exchange Shell, if I did "Get-ExchangeCertificate | FL *", I'd see
that the SubjectName looked right, and so did the CertificateDomains list.
The RootCAType was "Registry" and the Status was "Valid".

Then I thought, OK, maybe our root CA cert needs to be installed with a
GroupPolicy instead. I removed the root CA certificate from the registry,
and placed it in the Default GPO for the domain. (I don't see how it's
possible to install the CRL using a GPO, so that's still in the local store).
Now the Exchange cert is listed with RootCAType "GroupPolicy", and the
status is again "Valid." But still no love: I get the same error message
when I restart the IMAP service.

Here's the current output of Get-ExchangeCertificate | FL * (with consistent
obfuscation):

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {servername.domainname.foo.org}
CertificateRequest :
IisServices : {IIS://servername/W3SVC/1}
IsSelfSigned : False
KeyIdentifier : C87XXXXXXXXXXXXXXXXXXXXXXX35
RootCAType : GroupPolicy
Services : IMAP, POP, IIS, SMTP
Status : Valid
PrivateKeyExportable : True
Archived : False
Extensions : {}
FriendlyName : Microsoft Exchange
IssuerName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter : 5/10/2018 4:33:47 PM
NotBefore : 5/9/2008 4:33:47 PM
HasPrivateKey : True
PrivateKey : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
RawData : {48, 130, 2, ...}
SerialNumber : 01
SubjectName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint : 52DXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Version : 1
Handle : 493968480
Issuer : CN=OUR CA, O=OUR Orgname, C=US
Subject : CN=servername.domainname.foo.org

Any ideas? Has anybody been able to get this to work, or did you just break
down and use a commercial certificate authority?

Thanks.
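Since the thread does not reach a resolution, here is an added diagnostic for the situation described in the post above. It is not code from the original message or from Exchange itself. It assumes it is run in the Exchange Management Shell on the server as a local administrator, and that $HostName is replaced with the real FQDN (the name in the post is obfuscated). It prints the FQDN the IMAP service is configured to look for (the X509CertificateName from Get-ImapSettings), whether each machine-store certificate with a private key carries that DNS name, and whether its chain to the private root builds in the machine context with CRL checking turned on. Because the pasted Get-ExchangeCertificate output shows "Version : 1" and "Extensions : {}", it also reports whether a Subject Alternative Name and a Server Authentication EKU are present, properties that only an X.509 v3 certificate can carry.

```powershell
# Added diagnostic for the IMAP/TLS problem described in the post; not from the
# original thread. Assumptions: run in the Exchange Management Shell on the
# server as a local administrator; $HostName is a placeholder for your FQDN.
$HostName = 'servername.domainname.foo.org'

# Exchange 2007 picks the POP/IMAP certificate by the X509CertificateName
# configured for the service, so show it next to the name you expect.
$imap = Get-ImapSettings
'IMAP X509CertificateName : ' + $imap.X509CertificateName
'Expected host name       : ' + $HostName

# Open the Local Computer personal store, where Import-ExchangeCertificate puts the cert.
$store = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'My', 'LocalMachine'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)

foreach ($cert in $store.Certificates) {
    if (-not $cert.HasPrivateKey) { continue }
    ''
    'Subject    : ' + $cert.Subject
    'Issuer     : ' + $cert.Issuer
    'Thumbprint : ' + $cert.Thumbprint
    'Version    : ' + $cert.Version

    # DNS name as Windows derives it: SAN dNSName entries first, otherwise the subject CN.
    $dns = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    'DnsName    : ' + $dns + $(if ($dns -eq $HostName) { '  (matches)' } else { '  (DOES NOT MATCH)' })

    # Extensions that only a v3 certificate can carry; a v1 cert reports both as absent.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    'SAN        : ' + $(if ($san) { $san.Format($false) } else { 'absent' })
    $serverAuth = $false
    if ($eku) {
        foreach ($oid in $eku.EnhancedKeyUsages) {
            # 1.3.6.1.5.5.7.3.1 is id-kp-serverAuth.
            if ($oid.Value -eq '1.3.6.1.5.5.7.3.1') { $serverAuth = $true }
        }
    }
    'EKU        : ' + $(if ($eku) { $eku.Format($false) } else { 'absent' })
    'ServerAuth : ' + $serverAuth

    # Build the chain in the machine context with revocation checking on, so a
    # root that is not trusted here, or a CRL that cannot be located, shows up.
    $chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $built = $chain.Build($cert)
    'ChainBuilt : ' + $built
    foreach ($s in $chain.ChainStatus) {
        '  status : ' + $s.Status + ' - ' + $s.StatusInformation.Trim()
    }
    foreach ($el in $chain.ChainElements) {
        '  element: ' + $el.Certificate.Subject
    }
}
$store.Close()
```

Anything other than "(matches)", "ChainBuilt : True" with an empty status list, and "ServerAuth : True" is a concrete lead that Get-ExchangeCertificate's "Status : Valid" does not surface on its own. The script only reads the store and configuration; it changes nothing on the server.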

Re: Using private Certificate Authority for IMAP SSL by Andy

Andy
Fri May 09 17:40:12 CDT 2008


>
>Any ideas? Has anybody been able to get this to work, or did you just break
>down and use a commercial certificate authority?

Using a 3rd party cert is not breaking down. It's really the only way
to go.

Now, I don't know if it's going to solve your issue, but I would stay
away from self-rolled certs as much as possible.


>
>Thanks.

Re: Using private Certificate Authority for IMAP SSL by DavidEisner

DavidEisner
Fri May 09 18:14:02 CDT 2008



"Andy David {MVP}" wrote:
> Using a 3rd party cert is not breaking down. Its really the only way
> to go.

Apologies for the value-laden language.

Setting aside for the moment the issue of whether self-rolled certs are good
or bad policy, it should be technically possible to do what I'm attempting,
right? Nowhere in the documentation I've been reading does it say IMAP SSL
will work only with self-signed certs or certs signed by public third-party
root CAs.

-David