certificate warning/error 12014 & 12023
I'm receiving the following error on my Exchange server:
Source: MSExchangeTransport  Category: TransportService  EventID: 12014
Microsoft Exchange couldn't find a certificate that contains the domain name mail.mydomain.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Outgoing SMTP Connector with a FQDN parameter
of mail.mydomain.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists,
run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
EventID: 12023
Microsoft Exchange could not load the certificate with thumbprint of 6F198AF9E32927C2F1BBB14490719E6295F262F0 from the personal store on the local computer. This certificate was configured for authentication with other Exchange servers. Mail flow to other
Exchange servers could be affected by this error. If the certificate with this thumbprint still exists in the personal store, run Enable-ExchangeCertificate 6F198AF9E32927C2F1BBB14490719E6295F262F0 -Services SMTP to resolve the issue. If the certificate does
not exist in the personal store, restore it from backup by using the Import-ExchangeCertificate cmdlet, or create a new certificate for the FQDN or the server enabled for SMTP by running the following command: New-ExchangeCertificate -DomainName serverfqdn
-Services SMTP. Meanwhile, the certificate with thumbprint D2344BAD8249C7156FA960065B308AA7942B3407 is being used.
I don't even see the 6F198.... certificate in the personal store on my Exchange server. Will this warning go away when I enable my valid certificate as outlined in the support article below, or will I need to do something else to remove this warning?
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
I have followed these directions: http://support.microsoft.com/default.aspx?scid=kb;en-us;555855 but when I execute the command all I see is >> in the shell. Am I missing something, did I do something wrong? One thing I noticed is
there's a quotation mark at the beginning of the command and I didn't know if that needed to be there, since I don't see a closing quotation mark anywhere. Also, do I need to put SMTP in quotes as well, like the article shows? Do I need to restart the server,
or will this change take effect without the need of restarting? If I need to restart, can I just stop the services and restart them?
January 23rd, 2011 1:49am
[PS] C:\>Get-ExchangeCertificate
Thumbprint Services Subject
---------- -------- -------
C825AF1799092691FBBDE5D74CED00A7CE0C2DD8 IPUWS. CN=mail.domain.com, OU=MS, O=Organization, L=location, S=State...
0E0D0054620D996193621BA7BDDB32E82FCB60D9 IP..S. CN=Servername
Now if you were to look at your Receive Connectors, you will see a Default Receive Connector. This connector should only have an FQDN of blank, server FQDN, or server shortname.
So for example, taking a look at the Default Receive Connector, we can take a look at the FQDN:
[PS] C:\>get-receiveconnector -Server servername | Where-Object {$_.Identity -like "*Default*"} | FL Identity,FQDN
Identity : servername\Default servername
Fqdn : servername
The TLS selection process for Opportunistic TLS means that it tries TLS using a certificate that is enabled for the service SMTP and matches the FQDN of the Default Receive Connector. So you'll need a certificate enabled for SMTP that matches the FQDN on
that default Receive Connector. The self-signed certificate is a SAN cert that has both the servername and servername FQDN. If you created a new self-signed certificate, you'll want to make sure you enable it for SMTP:
Get-ExchangeCertificate -Thumbprint Thumbprint | Enable-ExchangeCertificate -Services SMTP
January 23rd, 2011 1:59am
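The answer above boils down to one check: every FQDN that transport presents (receive connectors on this server, send connectors, or the computer FQDN when the connector's FQDN is blank) must be covered by an unexpired certificate that is enabled for the SMTP service. The script below, an added example that is not from the thread or from Microsoft, runs that cross-check in the Exchange Management Shell and prints the Enable-ExchangeCertificate command for any certificate that covers a connector FQDN but is not yet SMTP-enabled. It assumes Exchange 2007/2010 cmdlets and properties (Get-ExchangeCertificate, CertificateDomains, Services, Get-ReceiveConnector, Get-SendConnector); Test-FqdnCovered is a helper written for this example.

```powershell
# Added example, not from the thread: audit which SMTP connector FQDNs are
# covered by an Exchange certificate that is enabled for the SMTP service.
# Run in the Exchange Management Shell on the transport server logging 12014.

function Test-FqdnCovered {
    # Returns $true if $Fqdn is listed in $Domains, either literally or via a
    # wildcard entry (*.example.com covers host.example.com, one label only).
    param([string]$Fqdn, [string[]]$Domains)
    foreach ($d in $Domains) {
        if ($d -ieq $Fqdn) { return $true }
        if ($d.StartsWith('*.')) {
            $suffix = $d.Substring(1)                       # ".example.com"
            if ($Fqdn.Length -gt $suffix.Length -and
                $Fqdn.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $left = $Fqdn.Substring(0, $Fqdn.Length - $suffix.Length)
                if ($left -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

# 1. Certificates in the local personal store that Exchange can see.
#    Services is an enum; its string form lists the enabled services.
$now   = Get-Date
$certs = Get-ExchangeCertificate | ForEach-Object {
    New-Object PSObject -Property @{
        Thumbprint  = $_.Thumbprint
        Subject     = $_.Subject
        Domains     = @($_.CertificateDomains | ForEach-Object { "$_" })
        SmtpEnabled = ($_.Services.ToString() -match 'SMTP')
        Expired     = ($_.NotAfter -lt $now)
    }
}

# 2. FQDNs transport will present: every receive connector on this server
#    and every send connector. A blank FQDN means the computer's FQDN is used.
$computerFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$connectors   = @()
$connectors  += Get-ReceiveConnector -Server $env:COMPUTERNAME |
    Select-Object @{n='Kind';e={'Receive'}}, Identity, Fqdn
$connectors  += Get-SendConnector |
    Select-Object @{n='Kind';e={'Send'}}, Identity, Fqdn

# 3. Cross-check and report. Covered=False is the condition behind event
#    12014: no usable certificate for that FQDN, so STARTTLS is not offered.
$report = foreach ($c in $connectors) {
    $fqdn  = if ("$($c.Fqdn)" -ne '') { "$($c.Fqdn)" } else { $computerFqdn }
    $match = $certs | Where-Object {
        $_.SmtpEnabled -and -not $_.Expired -and (Test-FqdnCovered $fqdn $_.Domains)
    } | Select-Object -First 1
    $thumb = if ($match) { $match.Thumbprint } else { '' }
    New-Object PSObject -Property @{
        Kind       = $c.Kind
        Connector  = "$($c.Identity)"
        Fqdn       = $fqdn
        Covered    = [bool]$match
        Thumbprint = $thumb
    }
}
$report | Format-Table Kind, Connector, Fqdn, Covered, Thumbprint -AutoSize

# 4. Certificates that cover an uncovered FQDN but are not SMTP-enabled are
#    the ones the event text tells you to enable. Printed, not executed.
$certs | Where-Object { -not $_.SmtpEnabled -and -not $_.Expired } | ForEach-Object {
    $cert = $_
    $uses = $report | Where-Object { -not $_.Covered -and (Test-FqdnCovered $_.Fqdn $cert.Domains) }
    if ($uses) {
        "Certificate $($cert.Thumbprint) covers $($uses.Fqdn -join ', ') but is not enabled for SMTP."
        "Enable-ExchangeCertificate -Thumbprint $($cert.Thumbprint) -Services SMTP"
    }
}
```

The report also explains event 12023 in the question: the thumbprint named there is simply not among the rows Get-ExchangeCertificate returns, so transport falls back to the other certificate it names. On the shell problem the asker describes, a `>>` prompt is PowerShell's continuation prompt, shown whenever a line has an unbalanced quote or bracket; press Ctrl+C to abandon it and re-enter the command with the quotes balanced (or, as in the one-liner above, no quotes at all around SMTP).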
Any update for your issue?
January 27th, 2011 5:27am