Solved

Microsoft Exchange couldn't find a certificate

Posted on 2011-09-15
5
460 Views
Last Modified: 2012-05-12
I am getting the following error and I am not sure what to do. I believe I need to add another certificate by using the New-ExchangeCertificate. Is this correct? Also, what do I do with the old ones? Do I delete them with Remove-ExchangeCertificate -Thumbprint (and use the numbers here)? I sure would appreciate any help with this. Thanks

This is the error I am getting

Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      TransportService
Event ID:      12014
Date:            9/14/2011
Time:            5:54:04 PM
User:            N/A
Computer:      SERVER85
Description:
Microsoft Exchange couldn't find a certificate that contains the domain name server85.armornet.corp in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Internet_mail with a FQDN parameter of server85.domain.corp. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

These are some of the certificates currntly there

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {server85, server85.domain.corp}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=server85
NotAfter           : 8/5/2011 11:42:00 AM
NotBefore          : 8/5/2010 11:42:00 AM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : B03B6CAF0923E08B45FF7424CF61C921
Services           : IMAP, POP, SMTP
Status             : Invalid
Subject            : CN=server85
Thumbprint         : 0A64DDFA18BA99BE285E295A8D05E55BBDDEE884

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.local.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=mail.local.com, O=domain corp, C=us
NotAfter           : 8/5/2011 5:40:01 PM
NotBefore          : 8/5/2010 11:40:01 AM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 4CA1049BC756B29E461133836E1681DD
Services           : None
Status             : Invalid
Subject            : CN=mail.local.com, O=domain.corp, C=us
Thumbprint         : 24C1C48F1582070A9B905AAA43E21551BDC84D92

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.local.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=mail.local.com, O=domain corp, C=us
NotAfter           : 8/5/2011 5:35:45 PM
NotBefore          : 8/5/2010 11:35:45 AM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : F5B453D6C1906E9C4CDF8DDE02338DF1
Services           : None
Status             : Invalid
Subject            : CN=mail.local.com, O=domain corp, C=us
Thumbprint         : DA8C0D9C7BBA0423C876648017A9A020E6B36A67

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.local.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=mail.local.com, O=domain corp, C=us
NotAfter           : 8/5/2011 5:34:50 PM
NotBefore          : 8/5/2010 11:34:50 AM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : A584CD271E5204A145B527A7F40F30C3
Services           : None
Status             : Invalid
Subject            : CN=mail.local.com, O=domain corp, C=us
Thumbprint         : 222E362BA49ADEF09E007C53BE4F097CB34E43BA

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {server85, server85.domain.corp}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=server85
NotAfter           : 9/30/2010 10:09:06 AM
NotBefore          : 9/30/2009 10:09:06 AM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : ADC91D4B2D977BA24B1FBDADEB659A5D
Services           : IMAP, POP, SMTP
Status             : Invalid
Subject            : CN=server85
Thumbprint         : 8BB344D16CCDE5025E2011A29B875DC0908287B3

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {server85, server85.domain.corp}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=server85
NotAfter           : 9/30/2010 9:23:04 AM
NotBefore          : 9/30/2009 9:23:04 AM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 9ABDE0A3DEA224994930E4EAE77A9901
Services           : IMAP, POP, SMTP
Status             : Invalid
Subject            : CN=server85
Thumbprint         : 253AB54E0337BAE9E9B243225B139EBFCA898DAB

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {server85, server85.domain.corp}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=server85
NotAfter           : 9/30/2010 9:21:27 AM
NotBefore          : 9/30/2009 9:21:27 AM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : A35A34F96123309C4945DB827F9D5814
Services           : IMAP, POP, SMTP
Status             : Invalid
Subject            : CN=server85
Thumbprint         : 9108222055721EFA7886AFEB6552CD7E42BBDD5D

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {server85, server85.domain.corp}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=server85
NotAfter           : 9/27/2008 12:12:08 PM
NotBefore          : 9/27/2007 12:12:08 PM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 3CEAE373DE9DEE934F75EB708BE5C971
Services           : IMAP, POP, SMTP
Status             : Invalid
Subject            : CN=server85
Thumbprint         : 6C04BD37249A63265CF14DCF678223B2942E3661
0
Comment
Question by:AD_Tech
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 36542583
Hello,

Unless you want to use TLS to encrypt email between your organization and a partner that uses TLS, you can ignore this error.

JJ
0
 
LVL 49

Accepted Solution

by:
Akhater earned 250 total points
ID: 36542598
you can ignore it or just run new-exchangecertificate and it will go away
0
 

Author Comment

by:AD_Tech
ID: 36542617
Does it matter if the old ones stay?
0
 
LVL 37

Assisted Solution

by:Jamie McKillop
Jamie McKillop earned 250 total points
ID: 36542666
It doesn't matter if the old ones are there as you can only have one active at a time but it would be a good idea to clean them up. To do so, issue the following command for each ceretificate you want to remove (changing the thumbprint to match the cert):

Remove-ExchangeCertificate -Thumbprint 157700393E5D76615E855A773CFA08AB5842DFB0

You can then open the Certificates MMC and remove the certificate from the Personal store of the server.

JJ
0
 

Author Comment

by:AD_Tech
ID: 36542860
Thanks guys I appreciate the help. I will add the new certificate and remove the old ones just to clean it up. Thanks again
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

MS Outlook is a world-class email client application that is mainly used for e-communication globally.  In this article, we will discuss the basic idea about MS Outlook, its advanced features, and types of MS Outlook File formats.
After hours on line I found a solution which pointed to the inherited Active Directory permissions . You have to give/allow permissions to the "Exchange trusted subsystem" for the user in the Active Directory...
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question