Solved

Event ID 12014 Certificate issue with personal store

Posted on 2014-04-07
8
4,286 Views
Last Modified: 2014-04-15
I'm having issues between two Exchange 2007 SP3 hub transport servers sending/receiving email to each other.  The hub transport server that seems to be having the issue is complaining about certificate in the personal store. This HT server can send and receive email from external mail servers.

Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      TransportService
Event ID:      12014
Date:            4/7/2014
Time:            12:43:07 PM
User:            N/A
Computer:      EXCH07FNTS2
Description:
Microsoft Exchange could not find a certificate that contains the domain name Exch07FNTS2.neirelocation.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Intra-Organization SMTP Send Connector with a FQDN parameter of Exch07FNTS2.neirelocation.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

However, the certificate is listed in the personal store on the server and it is registered to SMTP.  I've removed all expired and invalid certificates.  Any suggestions?

AccessRules          : {System.Security.AccessControl.CryptoKeyAccessRule, Syst
                       em.Security.AccessControl.CryptoKeyAccessRule, System.Se
                       curity.AccessControl.CryptoKeyAccessRule}
CertificateDomains   : {email.neirelo.com, autodiscover.neirelo.com, emaildr.ne
                       irelo.com, exch07fnts2.neirelocation.com, norm.neireloca
                       tion.com}
CertificateRequest   :
IisServices          : {IIS://Exch07FNTS2/W3SVC/1}
IsSelfSigned         : False
KeyIdentifier        : B36E4939EBEABBA0258913F85EC177304F70A525
RootCAType           : ThirdParty
Services             : IMAP, POP, IIS, SMTP
Status               : Valid
PrivateKeyExportable : True
Archived             : False
Extensions           : {System.Security.Cryptography.Oid, System.Security.Crypt
                       ography.Oid, System.Security.Cryptography.Oid, System.Se
                       curity.Cryptography.Oid, System.Security.Cryptography.Oi
                       d, System.Security.Cryptography.Oid, System.Security.Cry
                       ptography.Oid, System.Security.Cryptography.Oid, System.
                       Security.Cryptography.Oid}
FriendlyName         : Microsoft Exchange
IssuerName           : System.Security.Cryptography.X509Certificates.X500Distin
                       guishedName
NotAfter             : 4/17/2015 6:59:59 PM
NotBefore            : 4/16/2012 7:00:00 PM
HasPrivateKey        : True
PrivateKey           : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey            : System.Security.Cryptography.X509Certificates.PublicKey
RawData              : {48, 130, 6, 31, 48, 130, 5, 7, 160, 3, 2, 1, 2, 2, 17,
                       0...}
SerialNumber         : 00C06DC6134AA8818B6E0EF8338471FE78
SubjectName          : System.Security.Cryptography.X509Certificates.X500Distin
                       guishedName
SignatureAlgorithm   : System.Security.Cryptography.Oid
Thumbprint           : A5C7C58B56012ADA4333727ACF3127746E99F4A1
Version              : 3
Handle               : 466205968
Issuer               : CN=USERTrust Legacy Secure Server CA, O=The USERTRUST Ne
                       twork, L=Salt Lake City, S=UT, C=US
Subject              : CN=email.neirelo.com, OU=Unified Communications, OU=Issu
                       ed through NEI Global Relocation Company E-PKI Manager,
                       O=NEI Global Relocation, STREET=8701 W Dodge Rd, L=Omaha
                       , S=Nebraska, PostalCode=68114, C=US
0
Comment
Question by:npdodge
8 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 39984236
Pay specific attention to these lines

Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

It may be the connector is not configured with the same FQDN as the certificate or the service does not have access to the private key of the certificate.
0
 

Author Comment

by:npdodge
ID: 39984287
I've already tried this:
Enable-ExchangeCertificate -Services SMTP

As you can see, the certificate is registered for IIS, IMAP, and SMTP.  This is the intra-organization connector.  I didn't see a way to confirm the FQDN for this connector.  The FQDN is correct on all the other connectors and you can see in my output that the domain is listed in the certificate.
0
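The 12014 text ties the failure to a single name: the FQDN the connector presents for STARTTLS must appear in CertificateDomains of a valid certificate that is enabled for SMTP and whose private key the transport service can read. The implicit intra-organization Send connector is not returned by Get-SendConnector, which is why the poster could not find its FQDN; it always uses the server's own FQDN. The script below is an added diagnostic, not code from the thread or from Microsoft: it runs in the Exchange Management Shell on the hub transport server and, for the server FQDN plus every explicit Send and Receive connector FQDN, reports which valid SMTP-enabled certificates in the local personal store cover that name (exact or single-label wildcard). No connector or certificate names are assumed; everything comes from the cmdlets.

```powershell
# Added diagnostic for event 12014 (not from the original thread).
# Run in the Exchange Management Shell on the HT server named in the event.

$server     = Get-ExchangeServer -Identity $env:COMPUTERNAME
$serverFqdn = $server.Fqdn.ToString().ToLower()

function New-Target($connector, $fqdn) {
    # Small record: which connector, and which name it will present for STARTTLS.
    $o = New-Object PSObject
    $o | Add-Member NoteProperty Connector $connector
    $o | Add-Member NoteProperty Fqdn $fqdn.ToLower()
    $o
}

function Test-DomainMatch($certDomain, $fqdn) {
    # Exact match, or a wildcard covering exactly one left-most label
    # (*.example.com matches host.example.com, not a.b.example.com).
    $d = $certDomain.ToString().ToLower()
    if ($d -eq $fqdn) { return $true }
    if ($d.StartsWith('*.')) {
        $suffix = $d.Substring(1)                       # ".example.com"
        if ($fqdn.EndsWith($suffix)) {
            $rest = $fqdn.Substring(0, $fqdn.Length - $suffix.Length)
            return ($rest.Length -gt 0 -and $rest.IndexOf('.') -lt 0)
        }
    }
    return $false
}

# Names transport may present: the implicit intra-org connector always uses
# the server FQDN; explicit connectors use their Fqdn, or the server FQDN
# when Fqdn is blank (as the event text states).
$targets = @()
$targets += New-Target 'Intra-Organization SMTP Send Connector (implicit)' $serverFqdn
foreach ($c in @(Get-SendConnector)) {
    $f = [string]$c.Fqdn
    if ($f -eq '') { $f = $serverFqdn }
    $targets += New-Target ('Send: ' + $c.Name) $f
}
foreach ($c in @(Get-ReceiveConnector -Server $server.Name)) {
    $f = [string]$c.Fqdn
    if ($f -eq '') { $f = $serverFqdn }
    $targets += New-Target ('Receive: ' + $c.Name) $f
}

# Only certificates transport can actually use: valid, private key present,
# and SMTP among the enabled services.
$smtpCerts = @(Get-ExchangeCertificate | Where-Object {
    $_.Status -eq 'Valid' -and $_.HasPrivateKey -and ("$($_.Services)" -match 'SMTP')
})

foreach ($t in $targets) {
    $hits = @($smtpCerts | Where-Object {
        $cert = $_
        @($cert.CertificateDomains | Where-Object { Test-DomainMatch $_ $t.Fqdn }).Length -gt 0
    })
    if ($hits.Length -eq 0) {
        Write-Host ('MISSING  {0,-55} {1}' -f $t.Connector, $t.Fqdn) -ForegroundColor Red
    } else {
        foreach ($h in $hits) {
            Write-Host ('OK       {0,-55} {1}  thumbprint {2}  expires {3:d}' -f `
                $t.Connector, $t.Fqdn, $h.Thumbprint, $h.NotAfter)
        }
    }
}
```

A MISSING line for the implicit connector is exactly the condition 12014 reports. An OK line with the event still firing points at the remaining cause the event text names: the transport service cannot read the private key, which Enable-ExchangeCertificate -Services SMTP re-grants; if that also fails, the key container's ACL is worth checking, because HasPrivateKey only says the key exists, not that Network Service can open it.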
 
LVL 29

Expert Comment

by:becraig
ID: 39984759
Here is some info on connectors and setting properties
http://technet.microsoft.com/en-us/library/aa998662(v=exchg.141).aspx

When my flight lands I'll test this on my lab servers to repro and resolve.
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 39988191
For SMTP traffic, I would just create an internal certificate, it will work fine.

new-exchangecertificate

No other commands. When you get the prompt to replace the default certificate, accept.

The reason for doing this is that you cannot put internal server names on external trusted certificates that expire after November 2014. Therefore most platforms will need to run with two certificates - the trusted one for web services etc and an internal one for SMTP traffic.

Exchange needs to use the internal server's name for TLS communication, hence the need for an internal certificate.

Simon.
0
 

Author Comment

by:npdodge
ID: 39989822
How does this affect TLS communication with external SMTP servers?
0
 
LVL 29

Expert Comment

by:becraig
ID: 39989839
You configure the send connector with the same fqdn as your external endpoints.


Also you will be able to use the same SSL certificate since the CN is the same as the external endpoint name.

Info on configuring your connectors (If needed)
http://technet.microsoft.com/en-us/library/bb629503%28v=exchg.141%29.aspx
0
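Putting the accepted answer and the follow-up about connector FQDNs together: the design is two certificates, one internal self-signed certificate for the server's own name (used by intra-org TLS) and the CA-issued certificate for the public names (used by web services and the Internet-facing connectors). Transport does not use "the" SMTP certificate; several certificates can be enabled for SMTP at once and it picks the one whose CertificateDomains contains the connector's FQDN, so the fix is to make every FQDN a connector presents resolve to some SMTP-enabled certificate. The block below is an added example, not code from Simon or becraig: it is the explicit form of the bare New-ExchangeCertificate in the accepted answer, followed by a verification step and the Set-SendConnector change becraig describes. The friendly name, the public name mail.example.com and the Send connector name 'Internet' are placeholders for illustration. Leave the default Receive connector's FQDN alone: with Exchange Server authentication enabled it has to be the server FQDN, which is the name the new internal certificate covers.

```powershell
# Added example (not from the thread): internal self-signed certificate for
# SMTP, then point the Internet send connector at a name on the trusted cert.

$serverFqdn = (Get-ExchangeServer -Identity $env:COMPUTERNAME).Fqdn.ToString()
$netbios    = $env:COMPUTERNAME

# Explicit equivalent of the accepted answer's bare New-ExchangeCertificate:
# both the FQDN and the short host name are included, SMTP is the only
# service enabled, and -Force accepts the "replace the default SMTP
# certificate" prompt the answer tells you to accept.
$internal = New-ExchangeCertificate -DomainName $serverFqdn, $netbios `
    -Services SMTP -FriendlyName 'Internal SMTP (self-signed)' -Force

# Verify the result is something transport can use for the server's own name.
$check = Get-ExchangeCertificate -Thumbprint $internal.Thumbprint
$coversServer = @($check.CertificateDomains | Where-Object {
    $_.ToString().ToLower() -eq $serverFqdn.ToLower()
}).Length -gt 0
if ($check.Status -ne 'Valid' -or -not $coversServer -or "$($check.Services)" -notmatch 'SMTP') {
    throw "Internal certificate $($check.Thumbprint) is not usable for SMTP on $serverFqdn"
}
'Internal SMTP certificate {0} covers {1}, expires {2:d}' -f $check.Thumbprint, $serverFqdn, $check.NotAfter

# External side: the CA-issued certificate stays enabled for SMTP (enabling the
# new one did not disable it). Give the Internet-facing send connector an FQDN
# that certificate actually carries, so outbound STARTTLS presents it.
$externalName = 'mail.example.com'   # placeholder: a name present on the trusted certificate
$publicCerts = @(Get-ExchangeCertificate -DomainName $externalName | Where-Object {
    -not $_.IsSelfSigned -and $_.Status -eq 'Valid' -and ("$($_.Services)" -match 'SMTP')
})
if ($publicCerts.Length -eq 0) {
    throw "No valid CA-issued SMTP certificate covers $externalName; fix that before changing the connector"
}
Set-SendConnector -Identity 'Internet' -Fqdn $externalName   # connector name assumed
'Send connector Internet now presents {0} (certificate {1})' -f $externalName, $publicCerts[0].Thumbprint
```

After this, intra-org TLS between the two hub transport servers is authenticated by the self-signed certificate through Exchange Server authentication, which is why the accepted answer says the change has no effect on external TLS: remote MTAs only ever see the connector that presents the public name.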
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39992076
It will have no effect on external TLS communications.

Simon.
0
 

Author Closing Comment

by:npdodge
ID: 40002472
That worked!  Thanks Simon.
0
