Lost in Exchange certificates..
Hi, machine running Exchange has main wildcard certificate with SANs defined to cover all the needs.
Question 1) Machine has more certificates. I've accidentally enabled services to them, and now can't remove them. Doing Enable-ExchangeCertificate .. -services None does not remove the service. How do I remove them short of removing certs?
Question 2) If there are multiple certificates with service enabled, how does it choose one to use?
Question 3) If I want to use wildcard cert with POP/IMAP, I have to do Set-ImapSettings -X509... etc. Once done, however, I still cannot Enable-ExchangeCertificate for POP/IMAP with wildcard cert. Do I need to enable them on some other certificate, or can they be left out?
Thanks.
January 4th, 2011 3:54pm

Question 1: If you re-enable the certificate using "None" under services, the certificate should remain and the services should be removed. Enable-ExchangeCertificate -Thumbprint <String> -Services None
Question 2: Exchange will utilize the last configured SSL certificate.
Question 3: Can you provide an error that you're receiving? Have you restarted the transport services?
*** Chris Raschke MCITP:EA | MCITP:EMA | MCSE | MCTS | Security+
January 4th, 2011 4:02pm

Question 1: as I've said, doing Enable-ExchangeCertificate -Thumbprint .. -Services None does nothing, the service remains configured on that certificate.
Question 3: I get this: Warning: This certificate with thumbprint XXX and subject '*.domain.com' cannot used for POP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-POPSettings to set X509CertificateName to the FQDN of the service.
January 4th, 2011 4:27pm

Question 1: Have services been restarted? Or the server rebooted? I've seen the settings stick until the services are restarted.
Question 3: What SPs and rollups are you running on the server?
-CMR
Chris Raschke MCITP:EA | MCITP:EMA | MCSE | MCTS | Security+
January 4th, 2011 4:39pm

Question 1: Yes, I've even tried rebooting the machine, and they are still there :( Question 3: I think it's RTM..
January 4th, 2011 4:44pm

Hmmmm... I'm not sure what would cause your certificates to retain services. Next logical step would be to remove the certificates, it sounds as though they're not being used anyway. You should upgrade your Exchange installation to the latest version. There is a known issue with certificates and POP/IMAP services. http://support.microsoft.com/kb/948896 Chris Raschke MCITP:EA | MCITP:EMA | MCSE | MCTS | Security+
January 4th, 2011 4:48pm

Hi algkep,
Q1: If you installed 3rd party certificate, you cannot remove the service, similar post, please see: Remove Service From a Certificate in Exchange 2007 http://social.technet.microsoft.com/Forums/en-US/exchangesvrgeneral/thread/d29d9628-d17f-40a1-9b47-1d09be0cb3b6
Q3: Exchange 2007 or 2010? If it is Exchange 2010, "Don't use the Enable-ExchangeCertificate cmdlet to enable a wildcard certificate for POP and IMAP services. To enable a wildcard certificate, you must use the Set-ImapSettings or Set-PopSettings cmdlets with the fully qualified domain name (FQDN) of the service." Enable-ExchangeCertificate http://technet.microsoft.com/en-us/library/aa997231.aspx
Frank Wang TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
January 5th, 2011 2:37am
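
The wildcard procedure quoted from TechNet above, written out as an added example (not code from any poster in this thread or from Microsoft). It assumes the Exchange 2010 Management Shell, a constructed service name `mail.domain.com` under the `*.domain.com` subject shown in the warning, and that wildcard entries appear in `CertificateDomains` as `*.domain.com`; `Test-WildcardCovers` is a hypothetical helper.

```powershell
# Run in the Exchange Management Shell on the Exchange server.
# $ServiceFqdn is an assumed name; it must be covered by the wildcard subject.
$ServiceFqdn = 'mail.domain.com'

# 1. Audit: which certificate carries which services, and when each expires.
Get-ExchangeCertificate |
    Sort-Object NotAfter |
    Format-List Thumbprint, Subject, CertificateDomains, Services, IsSelfSigned, NotAfter

# 2. Hypothetical helper: a wildcard covers exactly one left-most label, so
#    *.domain.com covers mail.domain.com but not a.mail.domain.com or domain.com.
function Test-WildcardCovers {
    param([string]$Pattern, [string]$Fqdn)
    if (-not $Pattern.StartsWith('*.')) { return $false }
    $suffix = $Pattern.Substring(1)    # ".domain.com"
    if (-not $Fqdn.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
        return $false
    }
    $label = $Fqdn.Substring(0, $Fqdn.Length - $suffix.Length)
    return ($label.Length -gt 0 -and -not $label.Contains('.'))
}

# Unexpired certificates with a wildcard entry that covers the service FQDN.
$wildcards = Get-ExchangeCertificate | Where-Object {
    $cert = $_
    $cert.NotAfter -gt (Get-Date) -and
    ($cert.CertificateDomains | Where-Object { Test-WildcardCovers "$_" $ServiceFqdn })
}
if (-not $wildcards) {
    throw "No unexpired wildcard certificate covers $ServiceFqdn"
}
$wildcards | Format-List Thumbprint, Subject, Services, NotAfter

# 3. Bind POP and IMAP by FQDN; Enable-ExchangeCertificate is not used for
#    these two services when the certificate is a wildcard.
Set-PopSettings  -X509CertificateName $ServiceFqdn
Set-ImapSettings -X509CertificateName $ServiceFqdn

# 4. The services read the setting at start-up.
Restart-Service MSExchangePOP3, MSExchangeIMAP4

# 5. Verify the configured name.
Get-PopSettings  | Format-List X509CertificateName
Get-ImapSettings | Format-List X509CertificateName
```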

Hi, those redundant certificates are being used for other purposes on machine, so I can't just remove them. And POP/IMAP services are assigned to incorrect certificate. From what I understand, in wildcard scenario they shouldn't be assigned to any certificate, just FQDN set with cmdlets, but in my case they are assigned to wrong certificate (which I also can't remove since it's for other uses).
January 6th, 2011 6:00am

p.s. what do you mean by "3rd party certificates"?
January 6th, 2011 6:09am

Something other than the self-signed certificates, and to an extent other than any internal CA or PKI infrastructure you have in your Active Directory. Third parties include Verisign, Thawte, Digicert etc.
Oliver
Oliver Moazzezi | Exchange MVP, MCSA:M, MCITP:Exchange 2010, BA (Hons) Anim | http://www.exchange2010.com | http://www.cobweb.com | http://twitter.com/OliverMoazzezi
January 6th, 2011 6:41am

These are generated by AD CA.
January 6th, 2011 9:26am

Hi algkep,
Did you install other applications on the Exchange 2010? As this is a best practice, you should install Exchange server on a dedicated server. And from TechNet: "If you don't want to use an existing enabled certificate for Exchange services, you must enable another certificate, and then remove the certificate you don't want to use. " Enable-ExchangeCertificate http://technet.microsoft.com/en-us/library/aa997231(EXCHG.140).aspx
Maybe you have to recreate the certificate then delete the wrong ones.
Frank Wang TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com
January 6th, 2011 10:45pm


On Fri, 7 Jan 2011 04:49:23 +0000, gargh bush wrote:
>We have just bought a brand new Golf GTI Mk6 from a VW dealership under the scrappage scheme. We currently own, and hence are scrapping an L reg Rover sterling. ZetaClear

I guess that falls into the general category of "Exchange", but certainly not Microsoft Exchange Server.
--- Rich Matheisen MCSE+I, Exchange MVP
January 7th, 2011 3:08pm

Hi algkep, How about your question? Any updates?
January 9th, 2011 9:07pm

Hi, first of all, I've just checked, we're on Rollup 5. So I guess we're up to date. Yes, we have other applications on the server (I know this is a bad idea, but it is like that for now, we're moving afterwards). That's why these other certificates are present there. So I can't just remove them, and removing just a service from them does not work..
January 11th, 2011 9:40am
