Event ID 12014 Certificate issue with personal store

I'm having issues between two Exchange 2007 SP3 hub transport servers sending/receiving email to each other. The hub transport server that seems to be having the issue is complaining about a certificate in the personal store. This HT server can send and receive email from external mail servers.

Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      TransportService
Event ID:      12014
Date:            4/7/2014
Time:            12:43:07 PM
User:            N/A
Computer:      EXCH07FNTS2
Description:
Microsoft Exchange could not find a certificate that contains the domain name Exch07FNTS2.neirelocation.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Intra-Organization SMTP Send Connector with a FQDN parameter of Exch07FNTS2.neirelocation.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

However, the certificate is listed in the personal store on the server and it is registered to SMTP.  I've removed all expired and invalid certificates.  Any suggestions?

AccessRules          : {System.Security.AccessControl.CryptoKeyAccessRule, Syst
                       em.Security.AccessControl.CryptoKeyAccessRule, System.Se
                       curity.AccessControl.CryptoKeyAccessRule}
CertificateDomains   : {email.neirelo.com, autodiscover.neirelo.com, emaildr.ne
                       irelo.com, exch07fnts2.neirelocation.com, norm.neireloca
                       tion.com}
CertificateRequest   :
IisServices          : {IIS://Exch07FNTS2/W3SVC/1}
IsSelfSigned         : False
KeyIdentifier        : B36E4939EBEABBA0258913F85EC177304F70A525
RootCAType           : ThirdParty
Services             : IMAP, POP, IIS, SMTP
Status               : Valid
PrivateKeyExportable : True
Archived             : False
Extensions           : {System.Security.Cryptography.Oid, System.Security.Crypt
                       ography.Oid, System.Security.Cryptography.Oid, System.Se
                       curity.Cryptography.Oid, System.Security.Cryptography.Oi
                       d, System.Security.Cryptography.Oid, System.Security.Cry
                       ptography.Oid, System.Security.Cryptography.Oid, System.
                       Security.Cryptography.Oid}
FriendlyName         : Microsoft Exchange
IssuerName           : System.Security.Cryptography.X509Certificates.X500Distin
                       guishedName
NotAfter             : 4/17/2015 6:59:59 PM
NotBefore            : 4/16/2012 7:00:00 PM
HasPrivateKey        : True
PrivateKey           : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey            : System.Security.Cryptography.X509Certificates.PublicKey
RawData              : {48, 130, 6, 31, 48, 130, 5, 7, 160, 3, 2, 1, 2, 2, 17,
                       0...}
SerialNumber         : 00C06DC6134AA8818B6E0EF8338471FE78
SubjectName          : System.Security.Cryptography.X509Certificates.X500Distin
                       guishedName
SignatureAlgorithm   : System.Security.Cryptography.Oid
Thumbprint           : A5C7C58B56012ADA4333727ACF3127746E99F4A1
Version              : 3
Handle               : 466205968
Issuer               : CN=USERTrust Legacy Secure Server CA, O=The USERTRUST Ne
                       twork, L=Salt Lake City, S=UT, C=US
Subject              : CN=email.neirelo.com, OU=Unified Communications, OU=Issu
                       ed through NEI Global Relocation Company E-PKI Manager,
                       O=NEI Global Relocation, STREET=8701 W Dodge Rd, L=Omaha
                       , S=Nebraska, PostalCode=68114, C=US
npdodge Asked:
Simon Butler (Sembee) Consultant Commented:
For SMTP traffic, I would just create an internal certificate, it will work fine.

new-exchangecertificate

No other commands. When you get the prompt to replace the default certificate, accept.

The reason for doing this is that you cannot put internal server names on external trusted certificates that expire after November 2014. Therefore most platforms will need to run with two certificates - the trusted one for web services etc and an internal one for SMTP traffic.

Exchange needs to use the internal server's name for TLS communication, hence the need for an internal certificate.

Simon.
becraig Commented:
Pay specific attention to these lines

Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

It may be the connector is not configured with the same FQDN as the certificate or the service does not have access to the private key of the certificate.
npdodge Author Commented:
I've already tried this:
Enable-ExchangeCertificate -Services SMTP

As you can see, the certificate is registered for IIS, IMAP, and SMTP.  This is the intra-organization connector.  I didn't see a way to confirm the FQDN for this connector.  The FQDN is correct on all the other connectors and you can see in my output that the domain is listed in the certificate.
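Simon's recommendation (a separate internal certificate for SMTP) and becraig's check (connector FQDN must be covered by a certificate the transport service can use) can be verified together from the Exchange Management Shell. The script below is an added example, not code from the thread; it assumes Exchange 2007 cmdlets and that it is run on the Hub Transport server reporting the event.

```powershell
# Added example: find the mismatch behind Event ID 12014 on the local Hub Transport server.
# For every connector it reports the FQDN that will be offered in STARTTLS and whether a
# valid, SMTP-enabled certificate with a private key covers that name.

$server    = $env:COMPUTERNAME
$localFqdn = [System.Net.Dns]::GetHostEntry($server).HostName

# Only certificates the transport service can actually use for TLS.
$smtpCerts = Get-ExchangeCertificate | Where-Object {
    $_.Services -match 'SMTP' -and $_.Status -eq 'Valid' -and $_.HasPrivateKey
}

function Test-FqdnCovered {
    param([string]$Fqdn, $Certificates)
    foreach ($cert in $Certificates) {
        foreach ($name in $cert.CertificateDomains) {
            # Hostnames are case-insensitive, so Exch07FNTS2... equals exch07fnts2...
            if ($name -ieq $Fqdn) { return $cert.Thumbprint }
            # A wildcard entry covers exactly one label (*.example.com matches a.example.com).
            if ($name.StartsWith('*.') -and
                $Fqdn -match ('^[^.]+' + [regex]::Escape($name.Substring(1)) + '$')) {
                return $cert.Thumbprint
            }
        }
    }
    return $null
}

function Report([string]$Label, [string]$Fqdn) {
    $match = Test-FqdnCovered -Fqdn $Fqdn -Certificates $smtpCerts
    if ($match) { "OK      $Label -> $Fqdn (certificate $match)" }
    else        { "MISSING $Label -> $Fqdn : no valid SMTP certificate with a private key covers this name" }
}

# The implicit Intra-Organization Send Connector is not listed by Get-SendConnector and
# always uses the local server FQDN, so check that name first.
Report 'Intra-Organization SMTP Send Connector' $localFqdn

# Explicit connectors: an empty Fqdn means the computer's FQDN is used, as the event text says.
$sendConnectors    = Get-SendConnector | Where-Object { $_.SourceTransportServers -match $server }
$receiveConnectors = Get-ReceiveConnector -Server $server
foreach ($c in @($sendConnectors) + @($receiveConnectors)) {
    $fqdn = if ($c.Fqdn) { $c.Fqdn.ToString() } else { $localFqdn }
    Report $c.Identity $fqdn
}

# Remediation from the accepted answer: a self-signed certificate for the internal server
# name, enabled for SMTP only, while the third-party certificate stays on IIS/POP/IMAP.
# $internal = New-ExchangeCertificate
# Enable-ExchangeCertificate -Thumbprint $internal.Thumbprint -Services SMTP
```

Any MISSING line names the connector FQDN that Exchange cannot find a usable certificate for; the two remediation lines are left commented so the check can be run read-only first.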
becraig Commented:
Here is some info on connectors and setting properties
http://technet.microsoft.com/en-us/library/aa998662(v=exchg.141).aspx

When my flight lands I'll test this on my lab servers to repro and resolve.
npdodge Author Commented:
How does this affect TLS communication with external SMTP servers?
becraig Commented:
You configure the send connector with the same FQDN as your external endpoints.

Also you will be able to use the same SSL certificate since the CN is the same as the external endpoint name.

Info on configuring your connectors (If needed)
http://technet.microsoft.com/en-us/library/bb629503%28v=exchg.141%29.aspx
Simon Butler (Sembee) Consultant Commented:
It will have no effect on external TLS communications.

Simon.
npdodge Author Commented:
That worked!  Thanks Simon.