philodendrin

Event ID 12014 - SBS 2008

Hi... I know this question has come up a lot and I have read through the posts, but I'm still confused about whether it should be resolved by creating a self-signed cert., or just running the Fix My Network wizard on the SBS box. In our situation, we are seeing a current cert listed under the Get-ExchangeCertificate command that could potentially be used to resolve the issue if we were to assign the SMTP service to it... but, I still fail to understand why that service would have ever been disassociated with the cert, or why the cert exists with no services assigned to it in the first place.

This office is using a single SBS 2008 Standard server with a GoDaddy SSL cert for remote."company".com. The 12014 event references "servername"."domain".local.

The error is ..."Microsoft Exchange could not find a certificate that contains the domain name Servername.domain.local in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default ServerName with a FQDN parameter of servername.domain.local."

When we run the Get-ExchangeCertificate command we get back 4 certs... it looks to me like we should just assign the SMTP service to the second cert. But, I wanted to ck. with the experts here to see if that's the correct course of action.


[PS] C:\Windows\system32>get-ExchangeCertificate | fl


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {remote.domain.com, www.remote.domain.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : SERIALNUMBER=*******, CN=Go Daddy Secure Certification Au
                     thority, OU=http://certificates.godaddy.com/repository, O=
                     "GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter           : 11/27/2013 3:23:14 PM
NotBefore          : 11/26/2012 4:48:56 PM
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : ************
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=remote.domain.com, OU=Domain Control Validated, O=remot
                     e.domain.com
Thumbprint         : ************

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {ServerName.Domain.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=Domain-ServerName-CA
NotAfter           : 9/3/2013 7:41:24 AM
NotBefore          : 9/3/2012 7:41:24 AM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : *************
Services           : None
Status             : Valid
Subject            : CN=ServerName.Domain.local
Thumbprint         : ****************************

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Domain-ServerName-CA}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=Domain-ServerName-CA
NotAfter           : 11/26/2015 4:58:40 PM
NotBefore          : 11/26/2010 4:48:41 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : *******************
Services           : None
Status             : Valid
Subject            : CN=Domain-ServerName-CA
Thumbprint         : *************************

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {WMSvc-WIN-**************}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=WMSvc-WIN-****************
NotAfter           : 10/30/2020 2:20:51 AM
NotBefore          : 11/2/2010 2:20:51 AM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : **********************
Services           : None
Status             : Valid
Subject            : CN=WMSvc-WIN-************
Thumbprint         : *****************************
ASKER CERTIFIED SOLUTION
Kotteeswaran Rajendran
philodendrin

ASKER

I've read through everything... but, really this is a simple question. Do I assign the SMTP service to the second cert I listed or do I create a new self-signed cert? Someone here should know. And what happens when it expires in September?

I think it probably depends on the RootCAType. On the ServerName.Domain.Local cert it's listed as type "Registry" ...does it need to be something else to support TLS?
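
Added example, not part of the original thread: an Exchange Management Shell check that lines up the FQDN named in event 12014 against the certificates listed above, showing for each one whether it covers that name, has SMTP assigned, and how long it has left. The `$fqdn` value is the placeholder from the post, `$warnDays` is an assumed threshold, and `<THUMBPRINT>` is a placeholder to be replaced with a real value.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell
# on the server that logs event 12014.
$fqdn     = 'servername.domain.local'   # name quoted in the event text (placeholder from the post)
$warnDays = 60                          # assumed threshold for flagging upcoming expiry

# 1. Which Receive connectors advertise that FQDN in their SMTP banner/EHLO?
Get-ReceiveConnector |
    Where-Object { "$($_.Fqdn)" -eq $fqdn } |
    Format-List Identity, Fqdn, AuthMechanism

# 2. For every certificate in the personal store, report the properties
#    that decide whether it can back STARTTLS for that connector.
$report = Get-ExchangeCertificate | Select-Object Thumbprint, Subject, Issuer,
    IsSelfSigned, RootCAType, Status, NotAfter, Services,
    @{ Name = 'MatchesFqdn'; Expression = {
        # CertificateDomains holds the subject and SAN names; -contains is case-insensitive
        @($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $fqdn } },
    @{ Name = 'SmtpAssigned'; Expression = { "$($_.Services)" -match 'SMTP' } },
    @{ Name = 'DaysLeft'; Expression = { [int]($_.NotAfter - (Get-Date)).TotalDays } }

$report | Format-Table Subject, MatchesFqdn, SmtpAssigned, HasPrivateKey, Status, DaysLeft -AutoSize

# 3. Candidates: name matches, private key present, status Valid, not expired.
$candidates = $report | Where-Object {
    $_.MatchesFqdn -and "$($_.Status)" -eq 'Valid' -and $_.DaysLeft -gt 0
}

if (-not $candidates) {
    Write-Warning "No valid certificate in the personal store covers $fqdn."
}
foreach ($c in $candidates) {
    if (-not $c.SmtpAssigned) {
        Write-Host "$($c.Subject) covers $fqdn but has no SMTP service assigned."
    }
    if ($c.DaysLeft -lt $warnDays) {
        Write-Warning "$($c.Subject) expires in $($c.DaysLeft) days ($($c.NotAfter))."
    }
}

# 4. The assignment the post asks about, left commented out on purpose.
#    Replace <THUMBPRINT> with the value of the chosen candidate.
# Enable-ExchangeCertificate -Thumbprint '<THUMBPRINT>' -Services SMTP
```

Rerunning steps 1 to 3 after any change confirms which certificate now carries SMTP for the connector FQDN, and the `DaysLeft` column makes the September expiry raised in the follow-up visible ahead of time.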