Exchange 2007 Certificate Error
I keep getting event id 12023, source MSExchange Transport, referencing a certificate that no longer exists, every 15 minutes on our Exchange 2007 server. This certificate was for our Exchange 2003 server. The event text is:

Microsoft Exchange could not load the certificate with thumbprint of E10A391D70125975B03C6538F96065B5390E7044 from the personal store on the local computer. This certificate was configured for authentication with other Exchange servers. Mail flow to other Exchange servers could be affected by this error. If the certificate with this thumbprint still exists in the personal store, run Enable-ExchangeCertificate E10A391D70125975B03C6538F96065B5390E7044 -Services SMTP to resolve the issue. If the certificate does not exist in the personal store, restore it from backup by using the Import-ExchangeCertificate cmdlet, or create a new certificate for the FQDN or the server enabled for SMTP by running the following command: New-ExchangeCertificate -DomainName serverfqdn -Services SMTP. Meanwhile, the certificate with thumbprint 2BC1EED2417162923F1C1DD6D64C69E49130A36D is being used.

Checking the Certificates MMC does not show the certificate, and Exchange Management Shell Get-ExchangeCertificate does not show the certificate. The certificate expired, so I created a new one and then removed the certificate in question. But something is still looking for this cert. I had to forcefully remove some components of Exchange 2003 via ADSIEdit, but I followed the rest of the steps to remove the remaining components. It doesn't seem to be causing any problems thus far (it's been about a month since the migration to Exchange 2007). Any thoughts? Thanks
October 14th, 2009 7:19pm

I would do a Get-ExchangeCertificate. You'll get something back such as:

[PS] C:\>Get-ExchangeCertificate

Thumbprint                                Services   Subject
----------                                --------   -------
C825AF1799092691FBBDE5D74CED00A7CE0C2DD8  IPUWS.     CN=mail.domain.com, OU=MS, O=Organization, L=location, S=State...
0E0D0054620D996193621BA7BDDB32E82FCB60D9  IP..S.     CN=Servername

Now if you were to look at your Receive Connectors, you will see a Default Receive Connector. This connector should only have an FQDN of blank, server FQDN, or server shortname. So for example, taking a look at the Default Receive Connector, we can take a look at the FQDN:

[PS] C:\>Get-ReceiveConnector -Server servername | Where-Object {$_.Identity -like "*Default*"} | FL Identity,FQDN

Identity : servername\Default servername
Fqdn     : servername

The TLS selection process for Opportunistic TLS means that it tries TLS using a certificate that is enabled for the service SMTP and matches the FQDN of the Default Receive Connector. So you'll need a certificate enabled for SMTP that matches the FQDN on that Default Receive Connector. The self-signed certificate is a SAN cert that has both the servername and servername FQDN. If you created a new self-signed certificate, you'll want to make sure you enable it for SMTP:

Get-ExchangeCertificate -Thumbprint <Thumbprint> | Enable-ExchangeCertificate -Services SMTP

This command is additive, and if you have the certificate enabled for other services, they won't be removed. It will simply add SMTP as a service the certificate can handle.

MVP | MCSE:M | MCITP: Enterprise Messaging Administrator | MCTS: OCS + Voice Specialization | http://www.shudnow.net
October 14th, 2009 7:35pm
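The check the answer above walks through by hand, as an added example that is not code from the original thread: it reads the FQDN of the Default Receive Connector, looks for an unexpired certificate that names that FQDN and is enabled for SMTP, enables a matching certificate that merely lacks the SMTP service, and otherwise creates a self-signed SAN certificate the way Exchange Setup did. It assumes the connector still carries its setup name "Default <server>" and that transport events are logged under the source MSExchangeTransport; both are Exchange 2007 defaults, and the connector filter and event source name are assumptions to adjust if your server differs. Run it from the Exchange Management Shell on the Hub Transport server.

```powershell
# Added example (not from the original posts). Verify that the Exchange 2007 Hub
# server has a valid, SMTP-enabled certificate matching the Default Receive
# Connector FQDN, and repair it if not. Run in the Exchange Management Shell.
# Assumptions: connector name "Default <server>" and event source
# "MSExchangeTransport" (the Exchange 2007 defaults).

$server = $env:COMPUTERNAME
$fqdn   = [System.Net.Dns]::GetHostEntry($server).HostName   # e.g. servername.domain.com

# 1. The FQDN the Default Receive Connector advertises. Opportunistic TLS picks
#    the SMTP-enabled certificate whose name matches it; blank means server FQDN.
$connector  = Get-ReceiveConnector -Server $server | Where-Object { $_.Name -like 'Default *' }
$wantedFqdn = "$($connector.Fqdn)"
if ($wantedFqdn -eq '') { $wantedFqdn = $fqdn }
Write-Host "Connector '$($connector.Identity)' needs an SMTP certificate for: $wantedFqdn"

# 2. Certificates Exchange can see in the local computer's personal store.
$certs = Get-ExchangeCertificate

# 3. Unexpired certificates whose CertificateDomains (subject CN plus SANs)
#    include the connector FQDN, split by whether SMTP is already enabled.
$named  = $certs | Where-Object {
    $_.NotAfter -gt (Get-Date) -and
    (($_.CertificateDomains | ForEach-Object { "$_" }) -contains $wantedFqdn)
}
$usable = $named | Where-Object { $_.Services -match 'SMTP' }

if ($usable) {
    Write-Host "OK: certificate(s) covering $wantedFqdn and enabled for SMTP:"
    $usable | Format-Table Thumbprint, Services, NotAfter, Subject -AutoSize
}
elseif ($named) {
    # A matching certificate exists but is not enabled for SMTP. Enabling is
    # additive: SMTP is added and the services already on the cert are kept.
    $cert = $named | Select-Object -First 1
    Write-Warning "Certificate $($cert.Thumbprint) covers $wantedFqdn but is not enabled for SMTP; enabling it"
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP
    Get-ExchangeCertificate -Thumbprint $cert.Thumbprint | Format-List Thumbprint, Services, CertificateDomains, NotAfter
}
else {
    Write-Warning "No valid certificate covers $wantedFqdn. Certificates present:"
    $certs | Format-Table Thumbprint, Services, NotAfter, CertificateDomains -AutoSize

    # Recreate what Setup originally produced: a self-signed SAN certificate
    # naming the FQDN and the short name, enabled for SMTP. Expect the prompt
    # about overwriting the existing default SMTP certificate; answer Yes.
    $new = New-ExchangeCertificate -DomainName $wantedFqdn, $server -Services SMTP
    Get-ExchangeCertificate -Thumbprint $new.Thumbprint | Format-List Thumbprint, Services, CertificateDomains, NotAfter
}

# 4. Event 12023 recurs about every 15 minutes, so after the fix confirm that
#    nothing new has been logged in the last half hour.
$recent = Get-EventLog -LogName Application -Source MSExchangeTransport `
              -After (Get-Date).AddMinutes(-30) -ErrorAction SilentlyContinue |
          Where-Object { $_.EventID -eq 12023 }
if ($recent) { Write-Warning "Event 12023 still logged $(@($recent).Count) time(s) in the last 30 minutes" }
else         { Write-Host    "No event 12023 in the last 30 minutes" }
```

A self-signed certificate is what Exchange 2007 uses for Hub-to-Hub opportunistic TLS, so it is sufficient here; a CA-issued certificate also satisfies the check as long as it names the connector FQDN and is enabled for SMTP. The thumbprint in the event not appearing in the MMC or in Get-ExchangeCertificate is consistent with the thread: the event keeps naming the certificate last set as the default for SMTP until another certificate for the connector FQDN replaces it, which is the overwrite prompt the original poster saw.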

Elan, thanks for your info. When I checked my Default Receive Connector and did the Get-ExchangeCertificate, I noticed that I was missing a cert for servername.domain.com but had one for mail.domain.com and one for just the servername. It then hit me: I don't have the cert I need. I am not sure how many times I have read the message, checked certs, etc. When I created the new cert for servername.domain.com, set it to the Default Receive Connector and enabled it for SMTP services, a message was brought up warning of replacing the default certificate, which had the thumbprint in question. Since I created the new cert, the message has disappeared. Thanks again.
October 14th, 2009 10:33pm

