Solved

Microsoft Exchange couldn't find a certificate

Posted on 2011-09-15
5
453 Views
Last Modified: 2012-05-12
I am getting the following error and I am not sure what to do. I believe I need to add another certificate by using the New-ExchangeCertificate. Is this correct? Also, what do I do with the old ones? Do I delete them with Remove-ExchangeCertificate -Thumbprint (and use the numbers here)? I sure would appreciate any help with this. Thanks

This is the error I am getting

Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      TransportService
Event ID:      12014
Date:            9/14/2011
Time:            5:54:04 PM
User:            N/A
Computer:      SERVER85
Description:
Microsoft Exchange couldn't find a certificate that contains the domain name server85.armornet.corp in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Internet_mail with a FQDN parameter of server85.domain.corp. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

These are some of the certificates currntly there

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {server85, server85.domain.corp}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=server85
NotAfter           : 8/5/2011 11:42:00 AM
NotBefore          : 8/5/2010 11:42:00 AM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : B03B6CAF0923E08B45FF7424CF61C921
Services           : IMAP, POP, SMTP
Status             : Invalid
Subject            : CN=server85
Thumbprint         : 0A64DDFA18BA99BE285E295A8D05E55BBDDEE884

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.local.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=mail.local.com, O=domain corp, C=us
NotAfter           : 8/5/2011 5:40:01 PM
NotBefore          : 8/5/2010 11:40:01 AM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 4CA1049BC756B29E461133836E1681DD
Services           : None
Status             : Invalid
Subject            : CN=mail.local.com, O=domain.corp, C=us
Thumbprint         : 24C1C48F1582070A9B905AAA43E21551BDC84D92

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.local.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=mail.local.com, O=domain corp, C=us
NotAfter           : 8/5/2011 5:35:45 PM
NotBefore          : 8/5/2010 11:35:45 AM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : F5B453D6C1906E9C4CDF8DDE02338DF1
Services           : None
Status             : Invalid
Subject            : CN=mail.local.com, O=domain corp, C=us
Thumbprint         : DA8C0D9C7BBA0423C876648017A9A020E6B36A67

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.local.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=mail.local.com, O=domain corp, C=us
NotAfter           : 8/5/2011 5:34:50 PM
NotBefore          : 8/5/2010 11:34:50 AM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : A584CD271E5204A145B527A7F40F30C3
Services           : None
Status             : Invalid
Subject            : CN=mail.local.com, O=domain corp, C=us
Thumbprint         : 222E362BA49ADEF09E007C53BE4F097CB34E43BA

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {server85, server85.domain.corp}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=server85
NotAfter           : 9/30/2010 10:09:06 AM
NotBefore          : 9/30/2009 10:09:06 AM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : ADC91D4B2D977BA24B1FBDADEB659A5D
Services           : IMAP, POP, SMTP
Status             : Invalid
Subject            : CN=server85
Thumbprint         : 8BB344D16CCDE5025E2011A29B875DC0908287B3

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {server85, server85.domain.corp}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=server85
NotAfter           : 9/30/2010 9:23:04 AM
NotBefore          : 9/30/2009 9:23:04 AM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 9ABDE0A3DEA224994930E4EAE77A9901
Services           : IMAP, POP, SMTP
Status             : Invalid
Subject            : CN=server85
Thumbprint         : 253AB54E0337BAE9E9B243225B139EBFCA898DAB

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {server85, server85.domain.corp}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=server85
NotAfter           : 9/30/2010 9:21:27 AM
NotBefore          : 9/30/2009 9:21:27 AM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : A35A34F96123309C4945DB827F9D5814
Services           : IMAP, POP, SMTP
Status             : Invalid
Subject            : CN=server85
Thumbprint         : 9108222055721EFA7886AFEB6552CD7E42BBDD5D

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {server85, server85.domain.corp}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=server85
NotAfter           : 9/27/2008 12:12:08 PM
NotBefore          : 9/27/2007 12:12:08 PM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 3CEAE373DE9DEE934F75EB708BE5C971
Services           : IMAP, POP, SMTP
Status             : Invalid
Subject            : CN=server85
Thumbprint         : 6C04BD37249A63265CF14DCF678223B2942E3661
0
Comment
Question by:AD_Tech
  • 2
  • 2
5 Comments
 
LVL 37

Expert Comment

by:Jamie McKillop
Comment Utility
Hello,

Unless you want to use TLS to encrypt email between your organization and a partner that uses TLS, you can ignore this error.

JJ
0
 
LVL 49

Accepted Solution

by:
Akhater earned 250 total points
Comment Utility
you can ignore it or just run new-exchangecertificate and it will go away
0
 

Author Comment

by:AD_Tech
Comment Utility
Does it matter if the old ones stay?
0
 
LVL 37

Assisted Solution

by:Jamie McKillop
Jamie McKillop earned 250 total points
Comment Utility
It doesn't matter if the old ones are there as you can only have one active at a time but it would be a good idea to clean them up. To do so, issue the following command for each ceretificate you want to remove (changing the thumbprint to match the cert):

Remove-ExchangeCertificate -Thumbprint 157700393E5D76615E855A773CFA08AB5842DFB0

You can then open the Certificates MMC and remove the certificate from the Personal store of the server.

JJ
0
 

Author Comment

by:AD_Tech
Comment Utility
Thanks guys I appreciate the help. I will add the new certificate and remove the old ones just to clean it up. Thanks again
0

Featured Post

The curse of the end user strikes again      

You’ve updated all your end user’s email signatures. Hooray! But guess what? They’re playing around with the HTML, adding stupid taglines and ruining the imagery. Find out how you can save your signatures from end users today.

Join & Write a Comment

Not sure what the best email signature size is? Are you worried about email signature image size? Follow this best practice guide.
Follow this checklist to learn more about the 15 things you should never include in an email signature from personal quotes, animated gifs and out-of-date marketing content.
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now