How to Configure Wild Card Certificate in Exchange Server 2013

You may experience certificate warnings in OWA and Outlook after installing a wildcard certificate in your Exchange organization. Resolutions are available if you search (for example on Bing). Examples:

Certificate error message when you start Outlook or create an Outlook profile

SSL/TLS communication problems after you install KB 931125

“The name on the security certificate is invalid or does not match the name of the site”

This certificate with thumbprint 855951C368ECA4FF16AAAA82298E81B3F001BDED and subject ‘*’ cannot be used for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-IMAPSettings to set X509CertificateName to the FQDN of the service.

This certificate with thumbprint 855951C368ECA4FF16A33D82298E81B3F001BDED and subject ‘*’ cannot be used for POP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-POPSettings to set X509CertificateName to the FQDN of the service.

But the root cause is not addressed in these articles: you are using a wildcard certificate * or a certificate with an incorrect SAN on the Exchange server. You have to configure Autodiscover, OWA and OAB correctly to address these issues. If the SAN is incorrect, you have to regenerate the CSR, re-issue the certificate and reconfigure the Exchange certificate in the Exchange EAC.

Check DNS records. You must have the following DNS records internally and externally for Autodiscover to function correctly.

Internal record

If your internal domain is domain.local then you must create a DNS zone within your DNS server. DNS must be set to round-robin.

  • 10.143.8.x Host (A)
  • 10.143.8.y Host (A)
  • 10.143.8.z CNAME
  • 10.143.8.z CNAME

External record

  • 203.17.18.x Host (A)
  • 203.17.18.x MX (lowest priority)
  • 203.17.18.x CNAME
  • 203.17.18.x CNAME

Let’s assume you have already imported the certificate in the Exchange Admin Center. Now go to Exchange EAC > Servers > Certificates > select the wildcard certificate > Edit (pen icon) > Services > select IIS and SMTP > Save.

Now open the Exchange Management Shell with Run as administrator. Copy the following cmdlets, amend them for your domain, and run them.

Step1: Setup OWA

Set-OwaVirtualDirectory -Identity "ServerName\owa (Default Web Site)" -InternalUrl -ExternalURL

Step2: Setup ActiveSync

Set-ActiveSyncVirtualDirectory -Identity "ServerName\Microsoft-Server-ActiveSync (Default Web Site)" -InternalURL -ExternalURL

Step3: Setup Outlook Anywhere

Set-OutlookAnywhere -Identity "ServerName\Rpc (Default Web Site)" -InternalHostname -ExternalHostName -ExternalClientAuthenticationMethod Basic -IISAuthenticationMethods Basic,NTLM

Or apply the same settings as separate commands:

Set-OutlookAnywhere -Identity "ServerName\Rpc (Default Web Site)" -InternalHostname -ExternalHostName

Set-OutlookAnywhere -Identity "ServerName\Rpc (Default Web Site)" -ExternalClientAuthenticationMethod Basic

Set-OutlookAnywhere -Identity "ServerName\Rpc (Default Web Site)" -IISAuthenticationMethods Basic,NTLM

Step4: Setup Web Services Virtual Directory

Set-WebServicesVirtualDirectory -Identity "ServerName\EWS (Default Web Site)" -InternalURL -ExternalURL -BasicAuthentication $true

Step5: Setup Client Access URL

Set-ClientAccessServer -Identity ServerName -AutoDiscoverServiceInternalUri

OR, depending on your DNS records:

Set-ClientAccessServer -Identity ServerName -AutoDiscoverServiceInternalUri

Step6: Setup ECP URL

Set-EcpVirtualDirectory -Identity "ServerName\ecp (Default Web Site)" -InternalURL -ExternalURL

Step7: Setup OAB

Set-OabVirtualDirectory -Identity "SERVERNAME\OAB (Default Web Site)" -ExternalUrl

Step8: Setup Certificate principal name for outlook

Set-OutlookProvider EXCH -CertPrincipalName msstd:*

Step9: Setup POP and IMAP with FQDN/CNAME of Mail Server

Set-PopSettings -X509CertificateName

Set-ImapSettings -X509CertificateName

Now validate your settings. Issue the following cmdlets and check that the FQDNs and URLs are the ones you set earlier.

Get-WebServicesVirtualDirectory | Select InternalUrl, BasicAuthentication, ExternalUrl, Identity | Format-List

Get-OabVirtualDirectory | Select InternalUrl, ExternalUrl, Identity | Format-List

Get-ActiveSyncVirtualDirectory | Select InternalUrl, ExternalUrl, Identity | Format-List

Get-ClientAccessServer | Select Fqdn, AutoDiscoverServiceInternalUri, Identity | Format-List
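The Get-* commands above only print the values; to see at a glance whether every client-facing hostname is actually covered by the wildcard certificate (the root cause this post identifies), here is an added script of my own, not part of the original post. It assumes you run it in the Exchange Management Shell on a Client Access server and that $Thumbprint is replaced with the wildcard certificate's thumbprint.

```powershell
# $Thumbprint is a placeholder; take the real value from Get-ExchangeCertificate.
$Thumbprint = 'PASTE-WILDCARD-CERT-THUMBPRINT'
function Test-NameCoveredByCert {
    param([string]$HostName, [string[]]$CertDomains)
    # Per RFC 6125 a wildcard *.domain.com covers exactly one extra label: mail.domain.com
    # matches, but domain.com (apex) and a.b.domain.com (two labels) do not. A blank name or
    # a name that itself contains '*' is never acceptable for a client-facing endpoint.
    if ([string]::IsNullOrEmpty($HostName) -or $HostName.Contains('*')) { return $false }
    foreach ($d in $CertDomains) {
        if ($d -eq $HostName) { return $true }           # -eq is case-insensitive in PowerShell
        if ($d.StartsWith('*.')) {
            $suffix = $d.Substring(1)                     # ".domain.com"
            if ($HostName.Length -gt $suffix.Length -and
                $HostName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}
$cert    = Get-ExchangeCertificate -Thumbprint $Thumbprint
$domains = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
# Collect (Source, Name) pairs from every client-facing endpoint configured in Steps 1-9.
$checks = @()
$vdirs  = @(Get-OwaVirtualDirectory) + @(Get-EcpVirtualDirectory) + @(Get-WebServicesVirtualDirectory) +
          @(Get-OabVirtualDirectory) + @(Get-ActiveSyncVirtualDirectory)
foreach ($vd in $vdirs) {
    foreach ($u in $vd.InternalUrl, $vd.ExternalUrl) {
        if ($u) { $checks += [pscustomobject]@{ Source = $vd.Identity; Name = $u.Host } }
    }
}
foreach ($oa in @(Get-OutlookAnywhere)) {
    foreach ($h in $oa.InternalHostname, $oa.ExternalHostname) {
        if ($h) { $checks += [pscustomobject]@{ Source = $oa.Identity; Name = $h.ToString() } }
    }
}
foreach ($cas in @(Get-ClientAccessServer)) {
    $uri = $cas.AutoDiscoverServiceInternalUri
    if ($uri) { $checks += [pscustomobject]@{ Source = "$($cas.Identity) Autodiscover"; Name = $uri.Host } }
}
# POP/IMAP need a literal FQDN; a blank or wildcard X509CertificateName reproduces the event log errors quoted above.
foreach ($s in @(Get-PopSettings) + @(Get-ImapSettings)) {
    $checks += [pscustomobject]@{ Source = $s.Identity; Name = $s.X509CertificateName }
}
# Uncovered names sort to the top; each one is a certificate warning waiting to happen.
$checks | Select-Object Source, Name, @{ n = 'Covered'; e = { Test-NameCoveredByCert $_.Name $domains } } |
    Sort-Object Covered | Format-Table -AutoSize
```

Any row showing Covered = False needs either its URL changed to a name under the wildcard (Steps 1-9) or a certificate whose SAN includes that name.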

Now recycle the application pool: open IIS Manager > expand Application Pools > select MSExchangeAutoDiscoverAppPool > right-click and choose Recycle.

Reboot the Exchange server, or run iisreset on the Exchange server to restart the services. I restarted my server, and I would prefer a restart after these modifications.

Client-side test:

  • Delete the Outlook profile
  • Make sure you use Autodiscover to configure the mail client
  • Do not configure Outlook manually
  • Close IE, then reopen OWA and test it

Last but not least, update all Exchange servers with the latest Microsoft Windows patches, Exchange service pack and Exchange rollups.

Replace Common Name (CN) and SAN Certificates with Wild Card Certificate— Step by Step

If you have a Common Name certificate or a Subject Alternative Name certificate on Exchange webmail or another website and you would like to change it to a wildcard certificate to consolidate certificate use across a wide variety of infrastructure and save money, you can do so safely with minor downtime and little or no loss of productivity.

Microsoft accepts certified SSL providers, which are recorded in this url.

Here are guidelines on how to accomplish this objective.

Step1: Check Current Exchange SSL Certificate

Open the Exchange Management Shell and issue the Get-ExchangeCertificate command. Record the information for future reference.

Step2: Record Proposed Exchange SSL Wildcard Certificate

  • Common Name: *
  • SAN: N/A
  • Organisation: Your Company
  • Department: ICT
  • City: Perth
  • State: WA
  • Country: Australia
  • Key Size: 2048

Step3: Generate a wildcard certificate request

You can use the following cmdlet to generate the certificate request on the Exchange server.

New-ExchangeCertificate -GenerateRequest -Path c:\star_your_company.csr -KeySize 2048 -SubjectName "c=AU, s=Western Australia, l=Perth, o=Your Company, ou=ICT, cn=*" -PrivateKeyExportable $True

Step4: Sign the certificate request and download SSL certificate in PKCS#7 format

For more information, see the help file of your certificate provider. For this example I am using RapidSSL. Reference

1. Click

2. Provide the common name, the technical contact e-mail address associated with the SSL order, and the image number generated from the Geotrust User Authentication page.

3. Select Request Access against the correct order ID. An e-mail will be sent to the technical contact e-mail address specified above.

4. Click the link listed in the e-mail to enter the User Portal, then click View Certificate Information. Select the appropriate PKCS#7 or X.509 format from the drop-down menu depending on the server requirements. NOTE: Microsoft IIS users select PKCS#7 format and save the file with a .p7b extension.

5. Save the certificate locally and install per the server software. 

Step5: Locate and Disable the Existing CA certificate

This step is disruptive for webmail. You must do it after hours.

1. Create a Certificate Snap-In in Microsoft Management Console (MMC) by following the steps from this link: SO14292

2. With the MMC and the Certificates snap-in open, expand the Trusted Root Certification Authorities folder on the left and select the Certificates sub-folder.

3. Locate the following certificate in the MMC: If this certificate is present, it must be disabled. Right-click the certificate and select Properties.

4. In the Certificate purposes section, select Disable all purposes for this certificate. Click OK, then close the MMC without saving the console settings.

Step6: Install Certificate

To install an SSL certificate on Microsoft Exchange, you will need to use the Exchange Management Shell (EMS). Microsoft reference

1. Copy the SSL certificate file, for example newcert.p7b, and save it to C:\ on your Exchange server.

2. Run the Import-ExchangeCertificate and Enable-ExchangeCertificate commands together. For example:

Import-ExchangeCertificate -Path C:\newcert.p7b | Enable-ExchangeCertificate -Services "SMTP, IMAP, POP, IIS"

3. Verify that your certificate is enabled by running the Get-ExchangeCertificate command.

For example: Get-ExchangeCertificate -DomainName

4. In the Services column, the letters S, I, P and W stand for SMTP, IMAP, POP3 and Web (IIS). If your certificate isn’t properly enabled, you can re-run the Enable-ExchangeCertificate command, pasting the thumbprint of your certificate as the -Thumbprint argument, such as: Enable-ExchangeCertificate -Thumbprint [paste] -Services "IIS"

Step7: Configure Outlook settings

Microsoft reference

If you are using Exchange 2007, use the Exchange Management Shell to configure the Autodiscover settings with the Set-OutlookProvider cmdlet.

Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:*

To change Outlook 2007 connection settings to resolve a certificate error

1. In Outlook 2007, on the Tools menu, click Account Settings.

2. Select your e-mail address listed under Name, and then click Change.

3. Click More Settings. On the Connection tab, click Exchange Proxy Settings.

4. Select the Connect using SSL only check box.

5. Select the Only connect to proxy servers that have this principal name in their certificate: check box, and then, in the box that follows, enter msstd:*

6. Click OK, and then click OK again.

7. Click Next. Click Finish. Click Close.

8. The new setting will take effect after you exit Outlook and open it again.

Step8: Export Certificate from Exchange in .pfx format

Step 8 to Step 10 below are for Forefront TMG 2010 configuration only. If you use a different method to publish Exchange, you don’t need to follow these steps; use the help file of your firewall/edge product to configure SSL.

Open the Exchange Management Shell and run:

Export-ExchangeCertificate -Thumbprint D6AF8C39D409B015A273571AE4AD8F48769C61DB -BinaryEncoded:$true -Path c:\certificates\export.pfx -Password:(Get-Credential).password

Step9: Import certificate in TMG 2010

1. Click Start, select Run and type mmc
2. Click the File menu and select Add/Remove Snap-in
3. Click Add, select Certificates from the list of Standalone Snap-ins and click Add
4. Choose Computer Account and click Next
5. Choose Local Computer and click Finish
6. Close the window and click OK in the upper window
7. Go to Personal, then Certificates
8. Right-click, choose All Tasks, then Import
9. A wizard opens. Select the file holding the certificate you want to import.
10. Then accept the default choices
11. Make sure your certificate appears in the list and that the intermediate and root certificates are in their respective folders. If not, place them in the appropriate folder and replace existing certificates if needed.

Step10: Replace Certificate in Web Listener

1. Click Start, then Forefront Threat Management Gateway console. The Forefront TMG console starts.

2. In the console tree, expand the name of your Security Server, and then click Firewall Policy.

3. In the results pane, double-click Remote Web Workplace Publishing Rule.

4. In Remote Web Workplace Publishing Rule Properties, click the Listener tab.

5. Select External Web Listener from the list, and then click Properties.

6. In External Web Listener Properties, click the Certificates tab.

7. Select Use a single certificate for this Web listener or Assign a certificate for each IP address, and then click Select Certificate.

8. In the Select Certificate dialog box, click a certificate in the list of available certificates, and then click Select. Click OK twice to close the Properties dialog boxes.

9. To save changes and update the configuration, in the results pane, click Apply.

Step11: Test OWA from external and internal network

On a mobile phone, open the browser, enter the OWA URL and log in with your credentials.

Make sure no certificate warning appears in IE.

Use the RapidSSL Installation Checker to verify your certificate.

Relevant References

Request an Internet Server Certificate (IIS 7)

Using wildcard certificates