SSL/TLS does not function after selecting an SSL certificate


SYMPTOMS

After configuring an SSL certificate to use, mail clients are not able to access mail services over SSL, and the port configured for SSL accepts non-SSL connections. You may see the 0x8009030e, 0x8009030d or 0x80090331 error codes in the Debug log for a service.

CAUSE

If the SSL certificate has no private key, it cannot be used. Usually this problem displays as a 0x8009030e error in the Debug log. First, check that the certificate has a private key: when you import a certificate to the server, the private key is not imported by default, but the mail services need it. To check that a certificate has a private key, from the Start menu or a command prompt, run mmc.exe. In the management console that appears, select the File->Add/Remove Snap-in menu and add the Certificates snap-in for the Computer account. Expand the Personal->Certificates branch to list your certificates and double-click the certificate. In the window that appears, below the valid dates, you should see the wording "You have a private key that corresponds to this certificate". If you don't see this, you need to import the certificate again together with its private key.

If the private key has been imported, a permissions problem may be preventing the services from accessing the certificate. When MailEnable is installed, it runs the mail services under the IME_SYSTEM identity, so the IME_SYSTEM account requires access to the Windows certificate repository for SSL to function. Normally, selecting the certificate in the administration program sets the required permissions. Permission errors usually present as 0x8009030d error codes in the Debug logs.

If you have SNI enabled on the server, make sure that permissions are set for every certificate that could be selected. It may not be obvious which certificate is being used, as the requested host name may be an alias on a certificate.

RESOLUTION

Instructions for granting the IME_SYSTEM user access to the relevant certificate follow:

For Windows 2008 or later servers:

1. Use the regedit utility to ensure IME_SYSTEM is granted full access to the following branch:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates

2. From the Start menu or a command prompt, type mmc.exe. In the management console that appears, select the File->Add/Remove Snap-in menu and add the Certificates snap-in for the Computer account.

3. Expand the Personal->Certificates branch to list your certificates. Right click the certificate you are going to use and select All Tasks->Manage Private Keys.

4. Give the IME_SYSTEM Windows user full control permissions on the certificate.

For Windows 2000 and Windows 2003 servers:

1. Use the RegEdt32 utility to ensure IME_SYSTEM is granted full access to the following branch:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates

2. Download the following utility from the Microsoft Web Site:

http://www.microsoft.com/downloads/details.aspx?familyid=c42e27ac-3409-40e9-8667-c748e422833f&displaylang=en

3. Open a Windows command prompt and navigate to the location of the installed utility. This is usually C:\Program Files\Windows Resource Kits\Tools

4. List the accounts that have access to the private key using the following command:

winhttpcertcfg -l -c LOCAL_MACHINE\My -s {certificate_name}

Example (assuming certificate named example.com):

winhttpcertcfg -l -c LOCAL_MACHINE\My -s example.com

5. To grant access to the IME_SYSTEM account, run the following command:

winhttpcertcfg -g -c LOCAL_MACHINE\My -s {certificate_name} -a IME_SYSTEM

Example (assuming certificate named example.com):

winhttpcertcfg -g -c LOCAL_MACHINE\My -s example.com -a IME_SYSTEM
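The same private-key and permission checks, scripted for Windows 2008 or later, as an added example that is not MailEnable's own tooling. It assumes the IME_SYSTEM account and the example.com certificate subject used above; the SubjectMatch, ServiceAccount and Grant parameter names are my own.

```powershell
# Added example, not MailEnable's own tooling: verify that the selected certificate
# has a private key and that the service account can read it; -Grant adds Read access.
# Assumes the IME_SYSTEM account and a certificate whose subject contains example.com,
# as in the article. Run from an elevated PowerShell prompt (Windows 2008 or later).
param(
    [string]$SubjectMatch   = 'example.com',
    [string]$ServiceAccount = 'IME_SYSTEM',
    [switch]$Grant
)

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$SubjectMatch*" } | Select-Object -First 1
if (-not $cert) { throw "No certificate matching '$SubjectMatch' in LocalMachine\My" }
Write-Host "Certificate: $($cert.Subject) [$($cert.Thumbprint)]"

# Missing private key: the import skipped it (shows as 0x8009030e in the Debug log).
if (-not $cert.HasPrivateKey) {
    Write-Warning 'Certificate has no private key; re-import it together with the key.'
    return
}

# Locate the key container file. Legacy CSP keys and CNG keys expose its name differently.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw 'Only RSA private keys are handled by this example.' }
if ($rsa -is [System.Security.Cryptography.RSACng]) { $uniqueName = $rsa.Key.UniqueName }
else { $uniqueName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
$keyFile = Get-ChildItem "$env:ProgramData\Microsoft\Crypto" -Recurse -File -Filter $uniqueName `
    -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $keyFile) { throw "Key file '$uniqueName' not found under $env:ProgramData\Microsoft\Crypto" }

# Permission errors (0x8009030d) mean the service account is missing from this ACL.
$acl = Get-Acl -Path $keyFile.FullName
$readRight = [System.Security.AccessControl.FileSystemRights]::Read
$hasRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -like "*\$ServiceAccount" -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $readRight) -ne 0)
}
if ($hasRead) {
    Write-Host "$ServiceAccount can read the private key ($($keyFile.FullName))."
} elseif ($Grant) {
    # Read is sufficient for the service to use the key (the MMC steps above grant Full Control).
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile.FullName -AclObject $acl
    Write-Host "Granted Read on the private key to $ServiceAccount."
} else {
    Write-Warning "$ServiceAccount has no Read access to $($keyFile.FullName); rerun with -Grant."
}
```

Run it once without -Grant to see which check fails, then with -Grant only if the private key exists and the service account is missing from its ACL.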



Product:MailEnable (Pro-Any Ent-Any)
Category:Configuration
Article:ME020479
Module:General
Keywords:SSL,certificate,0x8009030e,0x8009030d,0x80090331,permissions,TLS
Class:TRB: Troubleshooting (Configuration or Environment)
Revised:Sunday, October 31, 2021
Author:
Publisher:MailEnable