Event id 12014 - Exchange 2007 - Third party certificate


I have a customer that has an exchange 2007 environment. The event logs has multiple event id 12014. Running the get certificate command resulted in 2 certificates.

The first certificate is a third party one with the certificate domain being the external domain i.e. mail.company.com. SMTP is one of the listed service of this certificate.

The second certificate is a self signed on with the certificate domain being the internal server name, i.e. server.domain.internal. SMTP is listed in the service of this certificate.

I also noticed that the self signed certificate has a status of invalid. The event id itself is complaining about the internal server.

Although I can ignore the error since it is not breaking anything in Exchange, I would like to know if the error can be resolved? Such as enabling the self signed certificate while still using the external certificate? Or looking into adding the internal server to the third party certificate?



Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Shreedhar EtteCommented:

Add the internal server to the 3rd party certificate.

Hope this helps,
You can only assign one certificate a time.
You should either use an unique SAN certificate and add the internal names to this SAN,
or try to use the SSL certificate you have as the only onel : for that, you will need to issue commands in order to set the internal and extanl urls of the OAB and  WEBServices virtualdirectory, as mail.domain.com..., and issue Get-CLientAccessserver | Set-ClientAccessServer -AutodiscoverServiceInternalUri https://mail.domain.com/autodiscover/autodiscover.xml.

And delete all other certs :)
Satya PathakLead Technical ConsultantCommented:
NETBIOS name of Exchange: EX-2k7 (example)
#Internal FQDN: EX-2k7.abc.local (example)
#External FQDN (Public name): webmail.abc.com (example) (use nslookup/ping to verify the external FQDN)
#Autodiscover name: autodiscover.abc.com (example)
#SubjectName: cn=webmail.abc.com (example)
Next enable the certificate with Enable-ExchangeCertificate cmdlet. Enable atleast IIS and SMTP.
Enable-ExchangeCertificate -Thumbprint xxxxxxxxxxxxxxx -Services POP,IMAP,SMTP,IIS

Next verify certificate has been installed using EMS/IIS Manager or both. (Sometimes you may have to remove the certificate and then install/enable certificate again).

Some important points:

1. If you are creating a self-signed certificate, it is always better to create one that has all the subject alternative names specified above. This will prevent any certificate security warnings related to name mismatch. If you are creating single-name self-signed certificate, you would have to modify internal URIs of multiple virtual directories as explained in KB940726. The other benefit of multiple SANs is avoiding event 12014 and similar events.

2. Autodiscover for non-domain joined machines will work only after record is created in external DNS

3. You will have to install the certificate in the trusted root on client machines else you will receive a certificate warning. On Vista machines, you will have to run IE with elevated privileges to be able to install the certificate when you open OWA.

4. You can use group policy to install the certificate in trusted root (applicable only to domain joined machines). Copy to file the self-signed certificate (ideally in .p7b format) and then edit the default domain policy and import the certificate into "Computer Settings\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities". No user intervention is required once you do this. (Users would have to install the certificate themselves on non-domain joined machines).

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

tardissupportAuthor Commented:

Thanks for the answers. My next question is on points assignment. As everyone provided the same answer with differing levels of explanation, I'm not too sure how to allocate the points fairly.


Shreedhar EtteCommented:

Distribute Equally.

tardissupportAuthor Commented:
that's what i thought, thanks for the reply.


It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.