How to Enable Certificate Logging: Exchange 2007 Help

How to Enable Certificate Logging: ...

Collapse All

How to Enable Certificate Logging

Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1

Topic Last Modified: 2007-09-21

This topic explains how to configure Microsoft Exchange Server 2007 to enable certificate logging for Simple Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3), and Internet Message Access Protocol 4rev1 (IMAP4). You can use certificate logging to troubleshoot certificate-related problems.

By default, Exchange 2007 logs certificate activity in the Windows event log.

Important:
Exchange 2007 Service Pack 1 (SP1) includes functionality that will log additional certificate activity for SMTP, IMAP4, and POP3 protocols, in addition to what is logged to the Windows event log. The release to manufacturing (RTM) version of Exchange 2007 does not log additional certificate activity. The procedure explained in this topic is valid only for Exchange 2007 SP1.

You can enable certificate logging to write to a file or to write to the Exchange Management Shell.

Logging to a File

To enable certificate logging to a file, you must update the configuration file for the appropriate component. The following table specifies the configuration file that you must update for each component.

Component	File name	File location	Associated Microsoft Exchange service
POP3	Microsoft.Exchange.Pop3.exe.config	%programfiles%\Microsoft\Exchange Server\ ClientAccess\PopImap	Microsoft Exchange POP3
IMAP4	Microsoft.Exchange.Imap4.exe.config	%programfiles%\Microsoft\Exchange Server\ ClientAccess\PopImap	Microsoft Exchange IMAP4
SMTP	EdgeTransport.exe.config	%programfiles%\Microsoft\Exchange Server\Bin	Microsoft Exchange Transport Service

Changes that are saved to the .config files are applied after the associated Microsoft Exchange service is restarted.

To enable certificate logging, you must update the .config file by using the following XML snippet:

<system.diagnostics>
    <sources>
      <source name="Microsoft.Exchange.Security.Certificate" switchName="Certificate">
        <listeners>
           <add name="Certificates" 
                   type="System.Diagnostics.TextWriterTraceListener" 
                   initializeData= "d:\temp\certificate.log" traceOutputOptions="ThreadId, DateTime"/>
          <remove name="Default"/>
        </listeners>
      </source>
    </sources>
    <switches>
      <add name="Certificate" value="Verbose"/>
    </switches>
    <trace autoflush="true" >
      <listeners>
        <add name="Certificates"/>
      </listeners>
    </trace>
  </system.diagnostics>

You put this XML snippet anywhere between the <configuration> and </configuration> tags in the .config file. You must copy and paste the whole XML snippet into the .config file. If you do not paste the whole XML snippet, certificate logging will not be enabled and the associated Microsoft Exchange service may log errors or otherwise fail.

To change the location of the output log, change the path listed in the initializeData element under the <listeners> tag.

By default, this XML snippet enables verbose certificate logging for the associated component. You can reduce the amount of logging by changing value="Verbose" to value="Informational" under the <switches> tag.

Before You Begin

To perform the procedures in this topic, the account you use must be delegated the following:

Member of the local Administrators group on the computer

For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.

Procedure

To enable certificate logging to a file for POP3, IMAP4, or SMTP

On the server that is running Microsoft Exchange on which you want to enable certificate logging, open the appropriate .config file in an ASCII Text Editor, such as Notepad. See the table in the "Logging to a File" section of this topic for the location of each .config file.

Copy and paste the following XML snippet anywhere between the <configuration> and </configuration> tags:

<system.diagnostics>
    <sources>
      <source name="Microsoft.Exchange.Security.Certificate" switchName="Certificate">
        <listeners>
           <add name="Certificates" 
                   type="System.Diagnostics.TextWriterTraceListener" 
                   initializeData= "d:\temp\certificate.log" traceOutputOptions="ThreadId, DateTime"/>
          <remove name="Default"/>
        </listeners>
      </source>
    </sources>
    <switches>
      <add name="Certificate" value="Verbose"/>
    </switches>
    <trace autoflush="true" >
      <listeners>
        <add name="Certificates"/>
      </listeners>
    </trace>
  </system.diagnostics>

After you have pasted the XML snippet, save the .config file and close it.
You must restart the associated Microsoft Exchange service before the configuration changes will take effect.

Logging to Write to the Exchange Management Shell

If you enable certificate logging to write to the Exchange Management Shell, you can view certificate activity when you run the following cmdlets:

Unlike when you log to file, where you must update multiple .config files to output logging for POP3, IMAP4, and SMTP, you can enable logging to write to the Exchange Management Shell for all components by creating a Powershell.config file. You must save the Powershell.config file to the same directory from which Powershell.exe is run. Powershell.exe is typically run from one of the following locations:

%WINDOWS%\system32\WindowsPowerShell\v1.0
%WINDOWS%\SysWOW64\WindowsPowerShell\v1.0

Procedure

To enable certificate logging to write to the Exchange Management Shell for POP3, IMAP4, or SMTP

On the Exchange server on which you want to enable certificate logging, open an ASCII Text Editor, such as Notepad.

Copy and paste the following XML snippet into a new text file:

<configuration>
  <system.diagnostics>
    <sources>
      <source name="Microsoft.Exchange.Security.Certificate" switchName="Certificate">
        <listeners>
          <add name="Certificates" type="System.Diagnostics.ConsoleTraceListener"/>
          <remove name="Default"/>
        </listeners>
      </source>
     </sources>
     <switches>
      <add name="Certificate" value="Verbose"/>
     </switches>
     <trace autoflush="true" >
      <listeners>
        <add name="Certificates"/>
      </listeners>
     </trace>
    </system.diagnostics>
</configuration>

Note:
By default, this XML snippet enables verbose certificate logging for the associated component. You can reduce the amount of logging by changing `value="Verbose"` to `value="Informational"` under the `<switches>` tag.

Save the file to the appropriate WindowsPowerShell\v1.0 directory as Powershell.config.
You must restart the Exchange Management Shell before these configuration changes will take effect.

For More Information

For more information, see Certificate Use in Exchange Server 2007.