SSL does not function when selecting an SSL certificate


SYMPTOMS

After configuring an SSL certificate to use, mail clients are not able to access mail services over SSL, and the port configured for SSL accepts non-SSL connections.

CAUSE

When MailEnable is installed, its mail services are changed to run under the IME_SYSTEM identity. As such, the IME_SYSTEM account requires access to the Windows certificate repository, and to the private key of the selected certificate, in order for SSL to function.

RESOLUTION

Instructions for granting the IME_SYSTEM user access to the relevant certificate follow:


For Windows 2008 or later servers:

1. Use the regedit utility to ensure IME_SYSTEM is granted full access to the following branch:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates

2. From the Start menu or a command prompt, type mmc.exe. In the management console that appears, select the File->Add/Remove Snap-in menu and add the Certificates snap-in for the Local Computer account.

3. Expand the Personal->Certificates branch to list your certificates. Right click the certificate you are going to use and select All Tasks->Manage Private Keys.

4. Give the IME_SYSTEM Windows user full control permissions on the certificate.
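The following is an added example and is not part of the MailEnable article: a scripted equivalent of steps 1 to 4 above for Windows 2008 or later. It reports whether the local IME_SYSTEM account holds Full Control on the SystemCertificates registry branch and on the certificate's private key file, and grants both when run with -Grant. The script name, the parameter names and the assumption that the certificate is a CAPI (CSP) key in the Local Computer Personal store are mine; CNG keys are stored elsewhere and the script stops with a message if it meets one.

```powershell
<#
  Added example (not MailEnable's code): audit and optionally grant IME_SYSTEM
  access to the certificate store registry branch and to the private key of the
  certificate MailEnable will use. Run from an elevated PowerShell prompt.
  Assumed: certificate in Cert:\LocalMachine\My, selected by friendly name or
  subject CN; private key is a CAPI key under ProgramData\Microsoft\Crypto\RSA\MachineKeys.
#>
param(
    [Parameter(Mandatory = $true)]
    [string] $CertificateName,                              # friendly name or subject CN
    [string] $Account = "$env:COMPUTERNAME\IME_SYSTEM",     # local MailEnable service account
    [switch] $Grant                                         # omit to audit only
)
$ErrorActionPreference = 'Stop'

# --- Step 1: registry branch --------------------------------------------------
$regPath = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates'
$regAcl  = Get-Acl -Path $regPath
$regFull = [System.Security.AccessControl.RegistryRights]::FullControl
$regOk   = [bool] ($regAcl.Access | Where-Object {
    $_.IdentityReference.Value -ieq $Account -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.RegistryRights -band $regFull) -eq $regFull)
})
if (-not $regOk -and $Grant) {
    # Inherit to subkeys and values so the per-store subkeys are covered too.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Account, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $regAcl.AddAccessRule($rule)
    Set-Acl -Path $regPath -AclObject $regAcl
    $regOk = $true
}

# --- Steps 2-4: private key of the selected certificate -----------------------
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.FriendlyName -eq $CertificateName -or $_.Subject -like "CN=$CertificateName*"
} | Select-Object -First 1
if (-not $cert)               { throw "No certificate named '$CertificateName' in LocalMachine\My." }
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key." }
if (-not $cert.PrivateKey)    { throw "Private key is not a CAPI key; adapt this script for CNG keys." }

# For machine CAPI keys the key file is named after the unique container name.
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile   = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
$keyAcl    = Get-Acl -Path $keyFile
$fsFull    = [System.Security.AccessControl.FileSystemRights]::FullControl
$keyOk     = [bool] ($keyAcl.Access | Where-Object {
    $_.IdentityReference.Value -ieq $Account -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $fsFull) -eq $fsFull)
})
if (-not $keyOk -and $Grant) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'FullControl', 'Allow')
    $keyAcl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $keyAcl
    $keyOk = $true
}

# Summary object: both flags must be $true for SSL to work under IME_SYSTEM.
[pscustomobject]@{
    Certificate      = $cert.Subject
    Thumbprint       = $cert.Thumbprint
    KeyFile          = $keyFile
    RegistryAccess   = $regOk
    PrivateKeyAccess = $keyOk
}
```

Save it as, for example, Grant-ImeSystemCertAccess.ps1 (a name I chose) and run `.\Grant-ImeSystemCertAccess.ps1 -CertificateName MailEnable` to audit, adding `-Grant` to apply the permissions. The article asks for Full Control, and the script follows it; a service only needs to read a private key to present it for TLS, so a tighter deployment can substitute 'Read' for 'FullControl' in the FileSystemAccessRule and re-run the audit.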


For Windows 2000 and Windows 2003 servers:

1. Use the RegEdt32 utility to ensure IME_SYSTEM is granted full access to the following branch:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates

2. Download the following utility from the Microsoft Web Site:

http://www.microsoft.com/downloads/details.aspx?familyid=c42e27ac-3409-40e9-8667-c748e422833f&displaylang=en

3. Open a Windows command prompt and navigate to the location of the installed utility. This is usually C:\Program Files\Windows Resource Kits\Tools

4. List the accounts that have access to the private key using the following command:

winhttpcertcfg -l -c LOCAL_MACHINE\My -s {certificate_name}

Example (assuming certificate named MailEnable):

winhttpcertcfg -l -c LOCAL_MACHINE\My -s MailEnable

5. To grant access to the IME_SYSTEM account, run the following command:

winhttpcertcfg -g -c LOCAL_MACHINE\My -s {certificate_name} -a IME_SYSTEM

Example (assuming certificate named MailEnable):

winhttpcertcfg -g -c LOCAL_MACHINE\My -s MailEnable -a IME_SYSTEM
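Once either set of steps has been applied, the check a practitioner wants is whether the SSL port now completes a TLS handshake rather than answering in clear text, which is the symptom this article opens with. The function below is an added example and is not part of the MailEnable article; the server name and the port list are assumptions to adjust for the services you enabled.

```powershell
<#
  Added example (not MailEnable's code): confirm that a mail port negotiates TLS.
  A listener that is still plain-text fails the handshake and is reported as Tls = $false.
  Assumed: services reachable on localhost; ports chosen below are only illustrative.
#>
function Test-TlsPort {
    param(
        [string] $Server = 'localhost',
        [int]    $Port   = 995
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
        # The validation callback returns $true so a self-signed or mismatched
        # certificate still reports as TLS: this checks the listener, not trust.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($Server)
        [pscustomobject]@{
            Port     = $Port
            Tls      = $true
            Protocol = $ssl.SslProtocol
            Cipher   = $ssl.CipherAlgorithm
            Subject  = $ssl.RemoteCertificate.Subject
            Error    = $null
        }
    } catch [System.Net.Sockets.SocketException] {
        # Nothing is listening on the port at all.
        [pscustomobject]@{ Port = $Port; Tls = $false; Protocol = $null; Cipher = $null; Subject = $null; Error = 'connection failed' }
    } catch [System.IO.IOException], [System.Security.Authentication.AuthenticationException] {
        # Port answered but did not speak TLS: the certificate is not being served.
        [pscustomobject]@{ Port = $Port; Tls = $false; Protocol = $null; Cipher = $null; Subject = $null; Error = $_.Exception.Message }
    } finally {
        $client.Close()
    }
}

# Constructed example: the ports commonly used for POP3S, IMAPS and SMTPS.
995, 993, 465 | ForEach-Object { Test-TlsPort -Port $_ } | Format-Table -AutoSize
```

A row with Tls = $true and the expected Subject confirms the service can now open its private key; a row that fails with a handshake or packet-format error after the permissions were granted points at the service not having been restarted, or at a different certificate being selected than the one you granted access to.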

Product: MailEnable (Pro-Any Ent-Any)
Category: Configuration
Article: ME020479
Module: General
Keywords: ssl, lockdown, lock, down, utility, clients, access, secure, sockets, layer, IME_SYSTEM
Class: PRB: Product Problem or Issue
Revised: Wednesday, May 4, 2016
Author:
Publisher: MailEnable