Exchange certificate error
Jgearhart, this means that you have this name on your Send connector and that there is no certificate on Exchange that has a name that matches "mail.gcc-usa.com". Depending on which Exchange version you have, you can run the get-exchangecertificate command in the Exchange Management Shell to see what certificates Exchange is using and what services it applies to:
get-exchangecertificate |ft issuer,services,subject -autosize
What you want to see is if the subject matches 'mail.gcc-usa.com'. If there are no certificates that match that, then you either can get one or remove the name from the send connector. If there is a certificate with that subject name, it means that it is not being applied to the SMTP service. Most places I work for use one certificate and it is used for SMTP and IIS.
JAUCG
March 8th, 2012 7:27pm
The server is running Windows Server 2008 Standard. It has the file services and web server role. Really only used for email. I just recently entered the IT field and have had little experience with Exchange and email in general.
Is there certain information i can look up to help this case?
Thanks for the replies!
March 10th, 2012 8:34am
jgearhart,
The posts above were to point you in the general direction of how to solve your issue. First, follow Ed's directions and copy the entire event log entry here. Second, follow my post where you need to open up the Exchange Management Shell and run 'get-exchangecertificate |ft issuer,services,subject -autosize'. Post those results here as well.
JAUCG
March 10th, 2012 9:31am
"Microsoft Exchange couldn't find a certificate that contains the domain name mail.gcc-usa.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default with a FQDN parameter of mail.gcc-usa.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key."
This error message appeared in the event logs. I've seen some articles online about how to approach the issue, but I know little about Exchange and don't want to just jump in and change things randomly. Can anyone easily explain what this means and a safe way to approach it?
Thanks!
March 10th, 2012 11:10am
Please post the entire event log entry. You can use the handy dandy "Copy to Clipboard" button in the event detail window for that. Also specify the version, service pack and rollup hotfix level of your Exchange server.
Are you trying to secure your SMTP mail? If you don't care about that, you don't have to do anything; SMTP will send without SSL unless you're connecting to a server that requires it, and that would be unusual unless you have some kind of relationship with that organization. Nobody requires SMTP for "regular" e-mail because what will happen is that they simply won't receive a lot of the e-mail people are trying to send them because many don't support SSL SMTP.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
March 10th, 2012 11:39am
March 10th, 2012 11:42am
We definitely need more info on this, since this behaviour can occur if a Receive Connector was created with a respond name that does not exist in the server certificate and TLS is enabled on the connector.
March 10th, 2012 12:06pm
The rest of the log:
Log name: Application
Source: MSExchangeTransport
Event ID: 12014
Level: Error
User: N/A
Logged: 3/8/2012 9:05:55 PM
Task Category: Transport Service
Keywords: Classic
Computer: Keller-email.alliance.local
March 10th, 2012 3:55pm
As for the Exchange shell command here is the output:
WARNING: 2 columns do not fit into the display and were removed.
Issuer
SERIALNUMBER=10688435, CN=Starfield Secure Certification Authority, OU=http:...
CN=alliance.local
CN=Keller-email
CN=Keller-email
CN=Keller-email
March 10th, 2012 4:06pm
As for the Exchange shell command here is the output:
WARNING: 2 columns do not fit into the display and were removed.
Issuer
SERIALNUMBER=10688435, CN=Starfield Secure Certification Authority, OU=http:...
CN=alliance.local
CN=Keller-email
CN=Keller-email
CN=Keller-email
You need to widen the window for the Exchange Management Shell. Click on the upper left hand corner and select Properties. Go to Layout and change the size of the window. Then re-run the command.
JAUCG
March 10th, 2012 4:52pm
Sorry for the delay. It's been busy. I redid the commands with the cmd window maximized.
Issuer   Services               Subject
         IMAP, POP, IIS, SMTP   CN=mail.gcc-usa.com, OU=Domain Control Validated
         SMTP                   CN=alliance.local
         UM, SMTP               CN=Keller-email
         SMTP                   CN=Keller-email
March 17th, 2012 8:52am
Let's try a different PowerShell command. I cannot see how many certificates you have with the text you copied:
get-exchangecertificate |ft serialnumber,services,certificatedomains -autosize
JAUCG
March 17th, 2012 11:14am
Any updates on this?
JAUCG
March 17th, 2012 11:27am
Output of that command:
Serial Number   Services            CertificateDomains
27950......     IMAP,POP,IIS,SMTP   <mail.gcc-usa.com, www...
0A97B......     SMTP,               <alliance.local>
18E0C......     SMTP,               <Keller-email, Keller-....
0C039.....      UM, SMTP            <Keller-email, Keller-...
Note: cmd window is maximized.
March 17th, 2012 12:15pm
Hi jgearhart,
You may find the official explanation and the related articles in the following links (I assume it is Exchange 2007):
Event: 12014
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Exchange&ProdVer=8.0&EvtID=12014&EvtSrc=MSExchangeTransport
Event ID 12014 may appear in Exchange 2007 Application Event Log
http://support.microsoft.com/kb/555855
Event-ID 12014 "...could not find a certificate that contains the domain name ...."
http://social.technet.microsoft.com/Forums/en-US/exchangesvrsecuremessaging/thread/20a7fde2-baf9-4a22-b297-6bde92ebbd2a
Fiona Liao
TechNet Community Support
March 18th, 2012 2:06am
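The check the replies above walk through, as an added PowerShell example that is not part of any post in the thread: it lists the connectors that advertise the FQDN from the event text and reports, per certificate, whether that name is present, SMTP is enabled, the private key is available and the certificate is still valid. It assumes it is run in the Exchange Management Shell, compares names by exact match only (wildcard names are not evaluated), and uses Format-List so that no columns are truncated.

```powershell
# Added example; run in the Exchange Management Shell.
# FQDN taken from the Event ID 12014 text quoted in the thread.
$fqdn = 'mail.gcc-usa.com'

# Connectors (Send and Receive) that advertise this FQDN.
$connectors = (@(Get-SendConnector) + @(Get-ReceiveConnector)) |
    Where-Object { $_.Fqdn -and ($_.Fqdn.ToString() -eq $fqdn) }
$connectors | Format-List Identity, Fqdn

# One row per certificate with the conditions the event text names.
$report = Get-ExchangeCertificate | Select-Object Thumbprint, Subject, NotAfter,
    @{ Name = 'Domains'
       Expression = { ($_.CertificateDomains | ForEach-Object { $_.ToString() }) -join ', ' } },
    @{ Name = 'MatchesFqdn'
       Expression = { @($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $fqdn } },
    @{ Name = 'SmtpEnabled'
       Expression = { ($_.Services.ToString() -split ',\s*') -contains 'SMTP' } },
    @{ Name = 'HasPrivateKey'
       Expression = { $_.HasPrivateKey } },
    @{ Name = 'Expired'
       Expression = { $_.NotAfter -lt (Get-Date) } }

# Format-List prints every property in full, unlike "ft -autosize".
$report | Format-List

# Certificates that satisfy every condition for STARTTLS on this FQDN.
$usable = @($report | Where-Object {
    $_.MatchesFqdn -and $_.SmtpEnabled -and $_.HasPrivateKey -and -not $_.Expired
})

if ($usable.Count -eq 0) {
    Write-Warning "No valid certificate with a private key lists $fqdn and has SMTP enabled."
    # Certificates that list the name but fail another condition.
    $report | Where-Object { $_.MatchesFqdn } |
        Format-List Thumbprint, SmtpEnabled, HasPrivateKey, Expired
} else {
    $usable | Format-List Thumbprint, Subject, Domains, NotAfter
}
```

If a matching certificate shows SmtpEnabled as False, the Enable-ExchangeCertificate -Services SMTP command named in the event text is run with that certificate's thumbprint.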