Configuring a wildcard SSL certificate for POP/IMAP on Exchange 2010 (PowerShell)
Date: 2020-03-21 11:49:29  Source: igfitidea
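We assume that the wildcard SSL certificate is already installed on the Exchange 2010 server.
In this example we use Windows Server 2008 R2 Datacenter x64.
Open the Exchange Management Shell as administrator and list the available SSL certificates: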
[PS]> Get-ExchangeCertificate

Thumbprint                    Services  Subject
----------                    --------  ------
1F70359DC0BE9CAD58F965A3C110  ...WS.    CN=*.example.com, OU=IT Dep, O=Example Comp...
0F7FF199B11E662621D80700D04F  ....S.    CN=ExampleDC
When the wildcard *.example.com certificate is enabled for the POP service, the following error usually appears:
[PS]> Enable-ExchangeCertificate -Thumbprint 1F70359DC0BE9CAD58F965A3C110 -Services POP
WARNING: This certificate with thumbprint 1F70359DC0BE9CAD58F965A3C110 and subject '*.example.com' cannot used for POP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-POPSettings to set X509CertificateName to the FQDN of the service.
The same applies to IMAP:
[PS]> Enable-ExchangeCertificate -Thumbprint 1F70359DC0BE9CAD58F965A3C110 -Services IMAP
WARNING: This certificate with thumbprint 1F70359DC0BE9CAD58F965A3C110 and subject '*.example.com' cannot used for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-IMAPSettings to set X509CertificateName to the FQDN of the service.
Set the FQDN for the POP service to fix the error:
[PS]> Set-POPSettings -X509CertificateName exchange2010.example.com
Do the same for the IMAP service:
[PS]> Set-IMAPSettings -X509CertificateName exchange2010.example.com
Verify the POP settings:
[PS]> Get-POPSettings

UnencryptedOrTLSBindings  SSLBindings            LoginType    X509CertificateName
------------------------  -----------            ---------    ------------------
{:::110, 0.0.0.0:110}     {:::995, 0.0.0.0:995}  SecureLogin  exchange2010.example...
Verify the IMAP settings:
[PS]> Get-IMAPSettings

UnencryptedOrTLSBindings  SSLBindings            LoginType    X509CertificateName
------------------------  -----------            ---------    ------------------
{:::143, 0.0.0.0:143}     {:::993, 0.0.0.0:993}  SecureLogin  exchange2010.example...
Restart the POP and IMAP services:
[PS]> Restart-service MSExchangePOP3
[PS]> Restart-service MSExchangeIMAP4
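After the restart, the SSL bindings shown above (993 and 995) can be checked from a client machine. The following is an added example, not part of the original page: it connects to each port, lets the default .NET policy validate the certificate against the FQDN, and compares the thumbprint. The function name Test-MailTlsCertificate is hypothetical; the host name and thumbprint are the sample values used on this page.

```powershell
# Added example: confirm that IMAPS (993) and POP3S (995) present the expected certificate.
# Assumptions: host name and thumbprint are the sample values from this page.
$fqdn       = 'exchange2010.example.com'
$thumbprint = '1F70359DC0BE9CAD58F965A3C110'   # sample value from the certificate listing

function Test-MailTlsCertificate {
    param([string]$HostName, [int]$Port, [string]$ExpectedThumbprint)

    $result = New-Object PSObject -Property @{
        Port = $Port; Subject = $null; Thumbprint = $null; NotAfter = $null
        Validates = $false; ThumbprintMatch = $false; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # No custom validation callback: the default policy checks chain trust and
        # that the certificate name (here the wildcard) covers $HostName.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.Subject         = $cert.Subject
        $result.Thumbprint      = $cert.Thumbprint
        $result.NotAfter        = $cert.NotAfter
        $result.Validates       = $true
        $result.ThumbprintMatch = ($cert.Thumbprint -eq $ExpectedThumbprint)
        $ssl.Close()
    }
    catch {
        # Name mismatch, untrusted chain, expired certificate or refused connection
        $result.Error = $_.Exception.Message
    }
    finally {
        $client.Close()
    }
    $result
}

993, 995 | ForEach-Object { Test-MailTlsCertificate $fqdn $_ $thumbprint } |
    Format-List Port, Subject, Thumbprint, NotAfter, Validates, ThumbprintMatch, Error
```

Validates = False together with a name-mismatch message in Error means clients connecting to that FQDN will see certificate warnings; ThumbprintMatch = False means the service is still presenting a different certificate than the wildcard.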