How to install/replace a SSL/TLS certificate on Microsoft Exchange Server 2013/2016
This tutorial describes how to install or replace a SSL/TLS certificate on a on-premise Microsoft Exchange Server.
Hint: All commands are executed via Exchange Management Shell.
Get a list of all installed and availabe certificates
Display a detailed output of every certificate with the assigned services:
# Get-ExchangeCertificate -Server <YOURHOSTNAME> | FL
AccessRules :
CertificateDomains : {xxyy.com, *.xxyy.com, www.xxyy.com}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=QuoVadis Global SSL ICA G2, O=QuoVadis Limited, C=BM
NotAfter : 02.07.2021 17:00:00
NotBefore : 02.07.2019 16:50:12
PublicKeySize : 2048
RootCAType : ThirdParty
SerialNumber : 15BF8523008F487ED306E74D663711798DDA6483
Services : IMAP, POP, IIS, SMTP
Status : Valid
Subject : CN=xxyy.com, O=XXYY AG, L=Some Location, S=Zürich, C=CH
Thumbprint : DBC4C763AE0EDD013C6036EB8F2932C4C02622F0
AccessRules :
CertificateDomains : {}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=Microsoft Exchange Server Auth Certificate
NotAfter : 16.05.2024 13:03:45
NotBefore : 12.06.2019 13:03:45
PublicKeySize : 2048
RootCAType : None
SerialNumber : 3FA3FB76DCECADB34D854E3B57E7B444
Services : SMTP
Status : Valid
Subject : CN=Microsoft Exchange Server Auth Certificate
Thumbprint : 55DD15F0888D72C190275AEA32AF6334FA1692D3
AccessRules :
CertificateDomains : {VM-Exchange1, VM-Exchange1.xxyy.com}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=VM-Exchange1
NotAfter : 12.06.2024 13:01:20
NotBefore : 12.06.2019 13:01:20
PublicKeySize : 2048
RootCAType : Registry
SerialNumber : 2FE1D7B0A226B3BE45B8221489A3C9F1
Services : IIS, SMTP
Status : Valid
Subject : CN=VM-Exchange1
Thumbprint : C39ADE37DE1F1FC600BBC9355649C5F4CE4D91D2
AccessRules :
CertificateDomains : {WMSvc-SHA2-VM-EXCHANGE1}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=WMSvc-SHA2-VM-EXCHANGE1
NotAfter : 09.06.2029 09:19:23
NotBefore : 12.06.2019 09:19:23
PublicKeySize : 2048
RootCAType : Registry
SerialNumber : 35E7AED21CBD6D8642C7F5464A6DC0CE
Services : None
Status : Valid
Subject : CN=WMSvc-SHA2-VM-EXCHANGE1
Thumbprint : AB582231D6EE0C8F2CE111F1C73D5BD5BDCDFD37
Display a short list of certificates and output the thumbprint only:
# Get-ExchangeCertificate > C:\temp\ExchangeCertThumbPrint.txt
Import a new certificate into the operating system certificate store
Hint: The certificate you want to import needs to be accessible by the user performing the action via a shared folder (UNC path required).
# Import-ExchangeCertificate -Server <YOURHOSTNAME> -FileName "\\<YOURHOSTNAME>\certs\ExchangeCert.pfx" -PrivateKeyExportable:$true -Password (ConvertTo-SecureString -String "YourCertificatePassword" -AsPlainText -Force)
Thumbprint Services Subject
---------- -------- -------
1027DC200E3142D5336C814FD22B0A0C0CF43E99 IP..... CN=*.xxyy.com, O=XXYY AG, L=Some Location, S=Zürich, ...
On Exchange Server 2019 use the following command:
# Import-ExchangeCertificate -Server <YOURHOSTNAME> -FileData ([System.IO.File]::ReadAllBytes('\\<YOURHOSTNAME>\certs\ExchangeCert.pfx')) -PrivateKeyExportable:$true -Password (ConvertTo-SecureString -String "YourCertificatePassword" -AsPlainText -Force)
Hint: Save the thumbprint of the new certificate somwhere you have it accessible, you will need the value during the next steps.
Assign the new certificate to the services of Exchange
# Enable-ExchangeCertificate -Thumbprint 1027DC200E3142D5336C814FD22B0A0C0CF43E99 -Services "IIS,SMTP,POP,IMAP"
WARNING: This certificate with thumbprint 1027DC200E3142D5336C814FD22B0A0C0CF43E99 and subject '*.xxyy.com' cannot
used for POP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command
Set-POPSettings to set X509CertificateName to the FQDN of the service.
WARNING: This certificate with thumbprint 1027DC200E3142D5336C814FD22B0A0C0CF43E99 and subject '*.xxyy.com' cannot
used for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command
Set-IMAPSettings to set X509CertificateName to the FQDN of the service.
Confirm
Overwrite the existing default SMTP certificate?
Current certificate: 'DBC4C763AE0EDD013C6036EB8F2932C4C02622F0' (expires 02.07.2021 17:00:00)
Replace it with certificate: '1027DC200E3142D5336C814FD22B0A0C0CF43E99' (expires 24.06.2022 15:23:00)
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): A
List and replace the certificate of the Send Connector and the Receive Connector
# Get-SendConnector | list
AddressSpaces : {SMTP:*;1}
AuthenticationCredential : System.Management.Automation.PSCredential
CloudServicesMailEnabled : False
Comment :
ConnectedDomains : {}
ConnectionInactivityTimeOut : 00:10:00
ConnectorType : Default
DNSRoutingEnabled : False
DomainSecureEnabled : False
Enabled : True
ErrorPolicies : Default
ForceHELO : False
Fqdn :
FrontendProxyEnabled : False
HomeMTA : Microsoft MTA
HomeMtaServerId : VM-EXCHANGE1
Identity : SmartHost Somehosting
IgnoreSTARTTLS : False
IsScopedConnector : False
IsSmtpConnector : True
MaxMessageSize : 35 MB (36,700,160 bytes)
Name : SmartHost Somehosting
Port : 25
ProtocolLoggingLevel : None
Region : NotSpecified
RequireOorg : False
RequireTLS : False
SmartHostAuthMechanism : BasicAuth
SmartHosts : {relay.tux.somehosting-net.ch}
SmartHostsString : relay.tux.somehosting-net.ch
SmtpMaxMessagesPerConnection : 20
SourceIPAddress : 0.0.0.0
SourceRoutingGroup : Exchange Routing Group (DWBGZMFD01QNBJR)
SourceTransportServers : {VM-EXCHANGE1}
TlsAuthLevel :
TlsCertificateName : <I>CN=QuoVadis Global SSL ICA G2, O=QuoVadis Limited, C=BM<S>CN=*.xxyy.com, O=XXYY AG, L=Some Location, S=Zürich, C=CH
TlsDomain :
UseExternalDNSServersEnabled : True
# $cert = Get-ExchangeCertificate -Thumbprint <Thumbprint of the new Exchange certificate>
# $tlscertificate = (‘<I>’+$cert.issuer+'<S>’+$cert.subject)
# Set-SendConnector -Identity "SmartHost Somehosting" -TLSCertificateName $tlscertificate
# Get-ReceiveConnector
Identity Bindings Enabled
-------- -------- -------
VM-EXCHANGE1\Default VM-EXCHANGE1 {0.0.0.0:2525, [::]:2525} True
VM-EXCHANGE1\Client Proxy VM-EXCHANGE1 {[::]:465, 0.0.0.0:465} True
VM-EXCHANGE1\Default Frontend VM-EXCHANGE1 25 {[::]:25, 0.0.0.0:25} True
VM-EXCHANGE1\Outbound Proxy Frontend VM-EXCHANGE1 {[::]:717, 0.0.0.0:717} True
VM-EXCHANGE1\Client Frontend VM-EXCHANGE1 {[::]:587, 0.0.0.0:587} True
# Set-ReceiveConnector "VM-Exchange1\Default Frontend VM-EXCHANGE1 25" -TlsCertificateName $tlscertificate
# Set-ReceiveConnector "VM-Exchange1\Outbound Proxy Frontend VM-EXCHANGE1" -TlsCertificateName $tlscertificate
# Set-ReceiveConnector "VM-Exchange1\Client Frontend VM-EXCHANGE1" -TlsCertificateName $tlscertificate
Restart required services
# net stop "Microsoft Exchange Frontend Transport"
# net stop "Microsoft Exchange Transport"
# net stop "Microsoft Exchange Mailbox Transport Delivery"
# net stop "Microsoft Exchange Mailbox Transport Submission"
# net start "Microsoft Exchange Frontend Transport"
# net start "Microsoft Exchange Transport"
# net start "Microsoft Exchange Mailbox Transport Delivery"
# net start "Microsoft Exchange Mailbox Transport Submission"
In case you have POP/IMAP enabled:
# net stop Microsoft Exchange IMAP4
# net stop Microsoft Exchange IMAP4 Backend
# net stop Microsoft Exchange POP3
# net stop Microsoft Exchange POP3 Backend
# net start Microsoft Exchange IMAP4
# net start Microsoft Exchange IMAP4 Backend
# net start Microsoft Exchange POP3
# net start Microsoft Exchange POP3 Backend
Restart IIS in any case
# iisreset
Verify the certificates on your services locally
Verify if all certificates for all send- and receive connectors has been replaced correctly.
# Get-ReceiveConnector | Select Identity,TLSCertificateName | Out-GridView
# Get-SendConnector | Select Identity,TLSCertificateName | Out-GridView
Verify the certificates on your services remotely
Install OpenSSL on a machine of your choice, if you are running Windows have a look at this website.
Hint: The following command are executed via “OpenSSL Command Prompt”.
SMTP service
Verify the correct SSL/TLS certificate has been enabled on your SMTP service on TCP Port 25 or 587.
# openssl s_client -starttls smtp -showcerts -connect mail.xxyy.com:25 -servername mail.xxyy.com
CONNECTED(000000EC)
depth=1 C = BM, O = QuoVadis Limited, CN = QuoVadis Global SSL ICA G2
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = CH, ST = Z\C3\BCrich, L = Some Location, O = XXYY AG, CN = *.xxyy.com
verify return:1
---
Certificate chain
0 s:C = CH, ST = Z\C3\BCrich, L = Some Location, O = XXYY AG, CN = *.xxyy.com
i:C = BM, O = QuoVadis Limited, CN = QuoVadis Global SSL ICA G2
-----BEGIN CERTIFICATE-----
MIIG8zCCBdugAwIBAgIUVu5f7vSfCRIhAb2J8Hc6AqllCxUwDQYJKoZIhvcNAQEL
BQAwTTELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxIzAh
BgNVBAMTGlF1b1ZhZGlzIEdsb2JhbCBTU0wgSUNBIEcyMB4XDTIxMDYyNDEzMTMy
MVoXDTIyMDYyNDEzMjMwMFowaDELMAkGA1UEBhMCQ0gxEDAOBgNVBAgMB1rDvHJp
Y2gxEjAQBgNVBAcMCVN0ZWlubWF1cjEbMBkGA1UECgwSVm9uZXNjbyBDb250cm9s
IEFHMRYwFAYDVQQDDA0qLnZvbmVzY28uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEA0SnOxpZ3cDgkZ4X2AYywbtV8jjivua09BK2hmubNtVCBTILg
7AI8ifYEyNjjWo2AHWspr77IWUzcOo2NASSDwso8zT3ThVMZx14C6p0oMoyfTVzE
3yt41MYp2KbPTSb3KsvpzVWNTIraJ54AllaZvMy1Ev0K7FHgqadPTc+dhC57bBtA
mNqy7JSFTNlqLW0wXrv5lMn3eBjJA6ffykPwQjUBeDu0HHiPSdPUng2YPIuSJJTM
QwSk2LrrV+6IR+EJ3p1pyeJMntgp7v328VjAQSQ+4gOgRG4jmgoKXYbPupzZScIK
HPyxt1Pl3DoPq9xPSm6tKaTiG7TDA2fOeKF9FQIDAQABo4IDrjCCA6owCQYDVR0T
BAIwADAfBgNVHSMEGDAWgBSRGWKtWxenMPvw3jklsb2MubhRJzBzBggrBgEFBQcB
AQRnMGUwNwYIKwYBBQUHMAKGK2h0dHA6Ly90cnVzdC5xdW92YWRpc2dsb2JhbC5j
b20vcXZzc2xnMi5jcnQwKgYIKwYBBQUHMAGGHmh0dHA6Ly9vY3NwLnF1b3ZhZGlz
Z2xvYmFsLmNvbTAlBgNVHREEHjAcgg0qLnZvbmVzY28uY29tggt2b25lc2NvLmNv
bTBbBgNVHSAEVDBSMEYGDCsGAQQBvlgAAmQBATA2MDQGCCsGAQUFBwIBFihodHRw
Oi8vd3d3LnF1b3ZhZGlzZ2xvYmFsLmNvbS9yZXBvc2l0b3J5MAgGBmeBDAECAjAd
BgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwOgYDVR0fBDMwMTAvoC2gK4Yp
aHR0cDovL2NybC5xdW92YWRpc2dsb2JhbC5jb20vcXZzc2xnMi5jcmwwHQYDVR0O
BBYEFDHDJGfAKTQjs7/CdROVyLTZPyNYMA4GA1UdDwEB/wQEAwIFoDCCAfcGCisG
AQQB1nkCBAIEggHnBIIB4wHhAHYAQcjKsd8iRkoQxqE6CUKHXk4xixsD6+tLx2jw
kGKWBvYAAAF6PjB2EwAABAMARzBFAiEAtXFmojr9NUNi289Yn29hUB+snYrC749T
2Gn64mlgRxQCIHvfKPEnADZovX3VMtsOdo+FfzB2PQwDe5Hf/SlZ5gSeAHUAKXm+
8J45OSHwVnOfY6V35b5XfZxgCvj5TV0mXCVdx4QAAAF6PjB16gAABAMARjBEAiAg
bbEyktE82841yaCzDGFfYs4guqWG3bwFlTRyoQTLUwIgP4UKMiEbZ6GHaScF+z0m
Zq8tqCTmW13VpwXGVjLJQewAdwBVgdTCFpA2AUrqC5tXPFPwwOQ4eHAlCBcvo6od
BxPTDAAAAXo+MHYTAAAEAwBIMEYCIQCaVquPf+jWltFVuezGdQgYGV1TyS3xsEGu
1gqk5nQ0EgIhAKRHmZ+o6pGTlWxZeQxu0HO/sE6FHRcWQ8ZHGYQ2co66AHcARqVV
63X6kSAwtaKJafTzfREsQXS+/Um4havy/HD+bUcAAAF6PjB2BwAABAMASDBGAiEA
mDpCTm7RXQfDOoETj326/BG2BUeJXDDsBf4Rr8mH+SYCIQDEx8IM1clNa4s11UeH
ac0z90ycdBe9YDXv71EoFIMMtDANBgkqhkiG9w0BAQsFAAOCAQEAnvt3BIuj1T0D
3YPZs/VyPr6OGEleH7hdVI50nYEewAWOLlG7PuuO2kY+tJ/+c3jpu4+3KCjG4dpY
+R6asMio00KdIgcSSnFCmpO0n1sOaqI4xjmdZ1uBHmgMDTDaHyEi1sq/hYNPlvbq
gC4Xe7VRmZicG20V7Q/FD/xqX3AZxaugGTnOXhXakDKlOP8ZF+w1nN0P4QN7sr5h
+egbvVb0MzMkkhLERxiB9NF9xTFaWartIZLWqt/q/StCPhMPrmhH1GX8cDA/3+r3
YSW+qRAozfeAOvRag3T6Hnez9YRGcqMCRbYvzvB4dR8AQFFK/i5o7j7CZeQIJotn
-----END CERTIFICATE-----
1 s:C = BM, O = QuoVadis Limited, CN = QuoVadis Global SSL ICA G2
i:C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2
-----BEGIN CERTIFICATE-----
MIIFpDCCA4ygAwIBAgIUGm7ok8N0lzjhKszHeowKyxZ+rxQwDQYJKoZIhvcNAQEL
BQAwRTELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZ
BgNVBAMTElF1b1ZhZGlzIFJvb3QgQ0EgMjAeFw0yMDA5MjIxOTE1NTlaFw0yMzA2
MDExMzM1MDVaME0xCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1p
dGVkMSMwIQYDVQQDExpRdW9WYWRpcyBHbG9iYWwgU1NMIElDQSBHMjCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAOHhhWmUwI9X+jT+wbho5JmQqYh6zle3
0OS1VMIYfdDDGeipY4D3t9zSGaNasGDZdrQdMlY18WyjnEKhi4ojNZdBewVphCiO
zh5Ni2Ak8bSI/sBQ9sKPrpd0+UCqbvaGs6Tpx190ZRT0Pdy+TqOYZF/jBmzBj7Yf
XJmWxlfCy62UiQ6tvv+4C6W2OPu1R4HUD8oJ8Qo7Eg0cD+GFsBM2w8soffyl+Dc6
pKtARmOClUC7EqyWP0V9953lA34kuJZlYxxdgghBTn9rWoaQw/Lr5Fn0Xgd7fYS3
/zGhmXYvVsuAxIn8Gk+YaeoLZ8H9tUvnDD3lEHzvIsMPxqtd7IgcVaMCAwEAAaOC
AYIwggF+MBIGA1UdEwEB/wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAUGoRivEhMMyUE
1O7Q9gPEGUbRlGswcgYIKwYBBQUHAQEEZjBkMDYGCCsGAQUFBzAChipodHRwOi8v
dHJ1c3QucXVvdmFkaXNnbG9iYWwuY29tL3F2cmNhMi5jcnQwKgYIKwYBBQUHMAGG
Hmh0dHA6Ly9vY3NwLnF1b3ZhZGlzZ2xvYmFsLmNvbTBKBgNVHSAEQzBBMD8GBFUd
IAAwNzA1BggrBgEFBQcCARYpaHR0cHM6Ly93d3cucXVvdmFkaXNnbG9iYWwuY29t
L3JlcG9zaXRvcnkwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMDkGA1Ud
HwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwucXVvdmFkaXNnbG9iYWwuY29tL3F2cmNh
Mi5jcmwwHQYDVR0OBBYEFJEZYq1bF6cw+/DeOSWxvYy5uFEnMA4GA1UdDwEB/wQE
AwIBBjANBgkqhkiG9w0BAQsFAAOCAgEAWNELUhzNSHcK+M1HkEDA4ty/O9VC3idO
yrAEm72NKE+iLJ6cjN3ofG2+xFDBR+yExpg+WT/fn/H1mCTQdCkrsDIFe/rqTv9P
B1PSRoH/MnsWdN9uutlgfBXL3EdrdjyJH0s8Fpbbm5JXSnsfl35NO+0Hppe6gBIZ
8njcVIMg7j84f7b8iYm0YuBTW7gPvKfs0wRVRguyH++9g+UDQI6e55aqIF6bKBqB
3WhWnvx2F6hSZhhmJLhHJNtvKjbyjUqO4EI+TJCnM1nnNffVO4PI1BuIc4yPSSSA
HZ9nvKJ4rTfWB8edjON1OLSFM5MBEnZD7Gni79McDlBP/SlnFwOfq2xhmlinaLXe
0QLipUkq5EH4QnUdz6ShtQfSd8QauTtLZdUNRwsuu6z5sQGmJdSjTzF5Wn1Y4/Xp
Cwf63gWQDqj7kXC0VI46TjcrdzQXp3IscYAmBF7mALa0wLuBKy8ZB4wMlRMAY7j8
KSsyg1Sz1rWbq+eap/IATpQoiymHKgwvP8ERSJX6XWFwWvAQjIv+aZu4yh+h+h1O
jVY/VXH/M/lvwf7crVy4n0G+dGROcHQO8sN+MF8/JLXZDQGR7spYYG19Mw849kcb
YcaWEd57LH1jGhuY+IdemBUALfw6V8VIvJfLWGBG+35DjkBiin9kKcTT9ySYu9Pz
-----END CERTIFICATE-----
---
Server certificate
subject=C = CH, ST = Z\C3\BCrich, L = Some Location, O = XXYYl AG, CN = *.xxyy.com
issuer=C = BM, O = QuoVadis Limited, CN = QuoVadis Global SSL ICA G2
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4100 bytes and written 477 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 0B350000FAD6E629970622934B737056D49C44F3CCABCC58E8AA6A5CC26FCD27
Session-ID-ctx:
Master-Key: 8159B578686649D62C61D7FA14FAF6432E654C784414FC19B90CE858C1A682FA
3FD0555028EB68E051835427D4837B1B
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1625123903
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: yes
---
250 XRDST
HTTPS service
Verify the correct SSL/TLS certificate has been enabled on your HTTPS service on TCP Port 443.
# openssl s_client -showcerts -connect mail.xxyy.com:https
CONNECTED(00000150)
depth=1 C = BM, O = QuoVadis Limited, CN = QuoVadis Global SSL ICA G2
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = CH, ST = Z\C3\BCrich, L = Some Location, O = XXYY AG, CN = *.xxyy.com
verify return:1
---
Certificate chain
0 s:C = CH, ST = Z\C3\BCrich, L = Some Location, O = XXYY AG, CN = *.xxyy.com
i:C = BM, O = QuoVadis Limited, CN = QuoVadis Global SSL ICA G2
-----BEGIN CERTIFICATE-----
MIIG8zCCBdugAwIBAgIUVu5f7vSfCRIhAb2J8Hc6AqllCxUwDQYJKoZIhvcNAQEL
BQAwTTELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxIzAh
BgNVBAMTGlF1b1ZhZGlzIEdsb2JhbCBTU0wgSUNBIEcyMB4XDTIxMDYyNDEzMTMy
MVoXDTIyMDYyNDEzMjMwMFowaDELMAkGA1UEBhMCQ0gxEDAOBgNVBAgMB1rDvHJp
Y2gxEjAQBgNVBAcMCVN0ZWlubWF1cjEbMBkGA1UECgwSVm9uZXNjbyBDb250cm9s
IEFHMRYwFAYDVQQDDA0qLnZvbmVzY28uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEA0SnOxpZ3cDgkZ4X2AYywbtV8jjivua09BK2hmubNtVCBTILg
7AI8ifYEyNjjWo2AHWspr77IWUzcOo2NASSDwso8zT3ThVMZx14C6p0oMoyfTVzE
3yt41MYp2KbPTSb3KsvpzVWNTIraJ54AllaZvMy1Ev0K7FHgqadPTc+dhC57bBtA
mNqy7JSFTNlqLW0wXrv5lMn3eBjJA6ffykPwQjUBeDu0HHiPSdPUng2YPIuSJJTM
QwSk2LrrV+6IR+EJ3p1pyeJMntgp7v328VjAQSQ+4gOgRG4jmgoKXYbPupzZScIK
HPyxt1Pl3DoPq9xPSm6tKaTiG7TDA2fOeKF9FQIDAQABo4IDrjCCA6owCQYDVR0T
BAIwADAfBgNVHSMEGDAWgBSRGWKtWxenMPvw3jklsb2MubhRJzBzBggrBgEFBQcB
AQRnMGUwNwYIKwYBBQUHMAKGK2h0dHA6Ly90cnVzdC5xdW92YWRpc2dsb2JhbC5j
b20vcXZzc2xnMi5jcnQwKgYIKwYBBQUHMAGGHmh0dHA6Ly9vY3NwLnF1b3ZhZGlz
Z2xvYmFsLmNvbTAlBgNVHREEHjAcgg0qLnZvbmVzY28uY29tggt2b25lc2NvLmNv
bTBbBgNVHSAEVDBSMEYGDCsGAQQBvlgAAmQBATA2MDQGCCsGAQUFBwIBFihodHRw
Oi8vd3d3LnF1b3ZhZGlzZ2xvYmFsLmNvbS9yZXBvc2l0b3J5MAgGBmeBDAECAjAd
BgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwOgYDVR0fBDMwMTAvoC2gK4Yp
aHR0cDovL2NybC5xdW92YWRpc2dsb2JhbC5jb20vcXZzc2xnMi5jcmwwHQYDVR0O
BBYEFDHDJGfAKTQjs7/CdROVyLTZPyNYMA4GA1UdDwEB/wQEAwIFoDCCAfcGCisG
AQQB1nkCBAIEggHnBIIB4wHhAHYAQcjKsd8iRkoQxqE6CUKHXk4xixsD6+tLx2jw
kGKWBvYAAAF6PjB2EwAABAMARzBFAiEAtXFmojr9NUNi289Yn29hUB+snYrC749T
2Gn64mlgRxQCIHvfKPEnADZovX3VMtsOdo+FfzB2PQwDe5Hf/SlZ5gSeAHUAKXm+
8J45OSHwVnOfY6V35b5XfZxgCvj5TV0mXCVdx4QAAAF6PjB16gAABAMARjBEAiAg
bbEyktE82841yaCzDGFfYs4guqWG3bwFlTRyoQTLUwIgP4UKMiEbZ6GHaScF+z0m
Zq8tqCTmW13VpwXGVjLJQewAdwBVgdTCFpA2AUrqC5tXPFPwwOQ4eHAlCBcvo6od
BxPTDAAAAXo+MHYTAAAEAwBIMEYCIQCaVquPf+jWltFVuezGdQgYGV1TyS3xsEGu
1gqk5nQ0EgIhAKRHmZ+o6pGTlWxZeQxu0HO/sE6FHRcWQ8ZHGYQ2co66AHcARqVV
63X6kSAwtaKJafTzfREsQXS+/Um4havy/HD+bUcAAAF6PjB2BwAABAMASDBGAiEA
mDpCTm7RXQfDOoETj326/BG2BUeJXDDsBf4Rr8mH+SYCIQDEx8IM1clNa4s11UeH
ac0z90ycdBe9YDXv71EoFIMMtDANBgkqhkiG9w0BAQsFAAOCAQEAnvt3BIuj1T0D
3YPZs/VyPr6OGEleH7hdVI50nYEewAWOLlG7PuuO2kY+tJ/+c3jpu4+3KCjG4dpY
+R6asMio00KdIgcSSnFCmpO0n1sOaqI4xjmdZ1uBHmgMDTDaHyEi1sq/hYNPlvbq
gC4Xe7VRmZicG20V7Q/FD/xqX3AZxaugGTnOXhXakDKlOP8ZF+w1nN0P4QN7sr5h
+egbvVb0MzMkkhLERxiB9NF9xTFaWartIZLWqt/q/StCPhMPrmhH1GX8cDA/3+r3
YSW+qRAozfeAOvRag3T6Hnez9YRGcqMCRbYvzvB4dR8AQFFK/i5o7j7CZeQIJotn
-----END CERTIFICATE-----
1 s:C = BM, O = QuoVadis Limited, CN = QuoVadis Global SSL ICA G2
i:C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2
-----BEGIN CERTIFICATE-----
MIIFpDCCA4ygAwIBAgIUGm7ok8N0lzjhKszHeowKyxZ+rxQwDQYJKoZIhvcNAQEL
BQAwRTELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZ
BgNVBAMTElF1b1ZhZGlzIFJvb3QgQ0EgMjAeFw0yMDA5MjIxOTE1NTlaFw0yMzA2
MDExMzM1MDVaME0xCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1p
dGVkMSMwIQYDVQQDExpRdW9WYWRpcyBHbG9iYWwgU1NMIElDQSBHMjCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAOHhhWmUwI9X+jT+wbho5JmQqYh6zle3
0OS1VMIYfdDDGeipY4D3t9zSGaNasGDZdrQdMlY18WyjnEKhi4ojNZdBewVphCiO
zh5Ni2Ak8bSI/sBQ9sKPrpd0+UCqbvaGs6Tpx190ZRT0Pdy+TqOYZF/jBmzBj7Yf
XJmWxlfCy62UiQ6tvv+4C6W2OPu1R4HUD8oJ8Qo7Eg0cD+GFsBM2w8soffyl+Dc6
pKtARmOClUC7EqyWP0V9953lA34kuJZlYxxdgghBTn9rWoaQw/Lr5Fn0Xgd7fYS3
/zGhmXYvVsuAxIn8Gk+YaeoLZ8H9tUvnDD3lEHzvIsMPxqtd7IgcVaMCAwEAAaOC
AYIwggF+MBIGA1UdEwEB/wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAUGoRivEhMMyUE
1O7Q9gPEGUbRlGswcgYIKwYBBQUHAQEEZjBkMDYGCCsGAQUFBzAChipodHRwOi8v
dHJ1c3QucXVvdmFkaXNnbG9iYWwuY29tL3F2cmNhMi5jcnQwKgYIKwYBBQUHMAGG
Hmh0dHA6Ly9vY3NwLnF1b3ZhZGlzZ2xvYmFsLmNvbTBKBgNVHSAEQzBBMD8GBFUd
IAAwNzA1BggrBgEFBQcCARYpaHR0cHM6Ly93d3cucXVvdmFkaXNnbG9iYWwuY29t
L3JlcG9zaXRvcnkwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMDkGA1Ud
HwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwucXVvdmFkaXNnbG9iYWwuY29tL3F2cmNh
Mi5jcmwwHQYDVR0OBBYEFJEZYq1bF6cw+/DeOSWxvYy5uFEnMA4GA1UdDwEB/wQE
AwIBBjANBgkqhkiG9w0BAQsFAAOCAgEAWNELUhzNSHcK+M1HkEDA4ty/O9VC3idO
yrAEm72NKE+iLJ6cjN3ofG2+xFDBR+yExpg+WT/fn/H1mCTQdCkrsDIFe/rqTv9P
B1PSRoH/MnsWdN9uutlgfBXL3EdrdjyJH0s8Fpbbm5JXSnsfl35NO+0Hppe6gBIZ
8njcVIMg7j84f7b8iYm0YuBTW7gPvKfs0wRVRguyH++9g+UDQI6e55aqIF6bKBqB
3WhWnvx2F6hSZhhmJLhHJNtvKjbyjUqO4EI+TJCnM1nnNffVO4PI1BuIc4yPSSSA
HZ9nvKJ4rTfWB8edjON1OLSFM5MBEnZD7Gni79McDlBP/SlnFwOfq2xhmlinaLXe
0QLipUkq5EH4QnUdz6ShtQfSd8QauTtLZdUNRwsuu6z5sQGmJdSjTzF5Wn1Y4/Xp
Cwf63gWQDqj7kXC0VI46TjcrdzQXp3IscYAmBF7mALa0wLuBKy8ZB4wMlRMAY7j8
KSsyg1Sz1rWbq+eap/IATpQoiymHKgwvP8ERSJX6XWFwWvAQjIv+aZu4yh+h+h1O
jVY/VXH/M/lvwf7crVy4n0G+dGROcHQO8sN+MF8/JLXZDQGR7spYYG19Mw849kcb
YcaWEd57LH1jGhuY+IdemBUALfw6V8VIvJfLWGBG+35DjkBiin9kKcTT9ySYu9Pz
-----END CERTIFICATE-----
---
Server certificate
subject=C = CH, ST = Z\C3\BCrich, L = Some Location, O = XXYY AG, CN = *.xxyy.com
issuer=C = BM, O = QuoVadis Limited, CN = QuoVadis Global SSL ICA G2
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3722 bytes and written 444 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: E10A0000910489F61D90958185B808B796ABFC1D2AB3381E117621ADC83A5824
Session-ID-ctx:
Master-Key: 5ECD152DB1A02AF869DF7AE62440946EF7B136EAD4CA1EC54F9DDC2EBB8610FF
96A901F01CA46D90112B0A6BA60225F7
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1625124467
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: yes
---
Additional services
Find below additional openssl commands to verify additional services
SMTP via SSL using port 465:
# openssl s_client -showcerts -connect mail.example.com:465 -servername mail.example.com
POP3 via SSL using port 995
# openssl s_client -showcerts -connect mail.example.com:995 -servername mail.example.com
IMAP via SSL using port 993
# openssl s_client -showcerts -connect mail.example.com:993 -servername mail.example.com