Solved

Event ID 12014 Certificate issue with personal store

Posted on 2014-04-07
4,612 Views
Last Modified: 2014-04-15
I'm having issues between two Exchange 2007 SP3 hub transport servers sending/receiving email to each other.  The hub transport server that seems to be having the issue is complaining about a certificate in the personal store. This HT server can send and receive email from external mail servers.

Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      TransportService
Event ID:      12014
Date:            4/7/2014
Time:            12:43:07 PM
User:            N/A
Computer:      EXCH07FNTS2
Description:
Microsoft Exchange could not find a certificate that contains the domain name Exch07FNTS2.neirelocation.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Intra-Organization SMTP Send Connector with a FQDN parameter of Exch07FNTS2.neirelocation.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

However, the certificate is listed in the personal store on the server and it is registered to SMTP.  I've removed all expired and invalid certificates.  Any suggestions?

AccessRules          : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains   : {email.neirelo.com, autodiscover.neirelo.com, emaildr.neirelo.com, exch07fnts2.neirelocation.com, norm.neirelocation.com}
CertificateRequest   :
IisServices          : {IIS://Exch07FNTS2/W3SVC/1}
IsSelfSigned         : False
KeyIdentifier        : B36E4939EBEABBA0258913F85EC177304F70A525
RootCAType           : ThirdParty
Services             : IMAP, POP, IIS, SMTP
Status               : Valid
PrivateKeyExportable : True
Archived             : False
Extensions           : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
FriendlyName         : Microsoft Exchange
IssuerName           : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter             : 4/17/2015 6:59:59 PM
NotBefore            : 4/16/2012 7:00:00 PM
HasPrivateKey        : True
PrivateKey           : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey            : System.Security.Cryptography.X509Certificates.PublicKey
RawData              : {48, 130, 6, 31, 48, 130, 5, 7, 160, 3, 2, 1, 2, 2, 17, 0...}
SerialNumber         : 00C06DC6134AA8818B6E0EF8338471FE78
SubjectName          : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm   : System.Security.Cryptography.Oid
Thumbprint           : A5C7C58B56012ADA4333727ACF3127746E99F4A1
Version              : 3
Handle               : 466205968
Issuer               : CN=USERTrust Legacy Secure Server CA, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US
Subject              : CN=email.neirelo.com, OU=Unified Communications, OU=Issued through NEI Global Relocation Company E-PKI Manager, O=NEI Global Relocation, STREET=8701 W Dodge Rd, L=Omaha, S=Nebraska, PostalCode=68114, C=US
Question by:npdodge
8 Comments
LVL 29

Expert Comment

by:becraig
ID: 39984236
Pay specific attention to these lines

Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

It may be that the connector is not configured with the same FQDN as the certificate, or that the service does not have access to the private key of the certificate.

Author Comment

by:npdodge
ID: 39984287
I've already tried this:
Enable-ExchangeCertificate -Services SMTP

As you can see, the certificate is registered for IIS, IMAP, and SMTP.  This is the intra-organization connector.  I didn't see a way to confirm the FQDN for this connector.  The FQDN is correct on all the other connectors and you can see in my output that the domain is listed in the certificate.
LVL 29

Expert Comment

by:becraig
ID: 39984759
Here is some info on connectors and setting properties
http://technet.microsoft.com/en-us/library/aa998662(v=exchg.141).aspx

When my flight lands I'll test this on my lab servers to repro and resolve.
LVL 63

Accepted Solution

by: Simon Butler (Sembee) earned 2000 total points
ID: 39988191
For SMTP traffic, I would just create an internal certificate, it will work fine.

new-exchangecertificate

No other commands. When you get the prompt to replace the default certificate, accept.

The reason for doing this is that you cannot put internal server names on external trusted certificates that expire after November 2014. Therefore most platforms will need to run with two certificates - the trusted one for web services etc and an internal one for SMTP traffic.

Exchange needs to use the internal server's name for TLS communication, hence the need for an internal certificate.

Simon.
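As an added example (not part of the thread, and not Simon's or becraig's commands), the following Exchange Management Shell script does the two things the thread turns on: it checks which FQDNs transport will present on STARTTLS against the SMTP-enabled certificates actually present (the check becraig asked for), then applies Simon's fix of a separate internal certificate for SMTP and verifies that the server advertises STARTTLS afterwards. It assumes it is run on the hub transport server in the Exchange Management Shell; the server FQDN comes from Get-ExchangeServer rather than being hard-coded, the friendly name "Internal SMTP", the function name Test-StartTls and the EHLO name probe.example are my own choices. Note that the intra-organization Send connector is implicit and does not appear in Get-SendConnector; as the event text says, it uses the computer's FQDN, which is why that name is included explicitly.

```powershell
# Added example: verify FQDN-to-certificate pairing for STARTTLS, then
# create an internal SMTP certificate (the accepted fix) and confirm
# that STARTTLS is advertised. Assumes the Exchange Management Shell
# on the hub transport server itself.

# The implicit intra-org Send connector uses the server's own FQDN.
$serverFqdn = (Get-ExchangeServer -Identity $env:COMPUTERNAME).Fqdn

# 1. Every FQDN transport may present: the server FQDN plus any explicit
#    Fqdn set on Send and Receive connectors on this server.
$fqdns = @($serverFqdn) +
    @(Get-SendConnector | Where-Object { $_.Fqdn } | ForEach-Object { $_.Fqdn.ToString() }) +
    @(Get-ReceiveConnector -Server $env:COMPUTERNAME | Where-Object { $_.Fqdn } | ForEach-Object { $_.Fqdn.ToString() })
$fqdns = $fqdns | Sort-Object -Unique

# 2. For each FQDN, look for a valid certificate with a private key that is
#    enabled for SMTP and lists that exact name in CertificateDomains.
#    Transport matches names, it does not pick a "close enough" certificate.
foreach ($name in $fqdns) {
    $match = Get-ExchangeCertificate | Where-Object {
        $_.Status -eq 'Valid' -and
        $_.HasPrivateKey -and
        ($_.Services -match 'SMTP') -and
        (@($_.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }) -contains $name.ToLower())
    }
    if ($match) {
        '{0,-45} OK       thumbprint {1}' -f $name, (@($match)[0]).Thumbprint
    } else {
        '{0,-45} MISSING  (expect event 12014 for this name)' -f $name
    }
}

# 3. Accepted fix: a self-signed certificate for the server's own name,
#    enabled for SMTP only. The third-party certificate stays on IIS/POP/IMAP.
#    Running New-ExchangeCertificate with no parameters does the same thing;
#    the explicit form keeps the result reviewable. Answer Yes at the prompt
#    to replace the default SMTP certificate.
$internal = New-ExchangeCertificate -DomainName $serverFqdn, $env:COMPUTERNAME `
                -FriendlyName 'Internal SMTP' -Services SMTP
Enable-ExchangeCertificate -Thumbprint $internal.Thumbprint -Services SMTP

# 4. Check the result from the wire: EHLO and look for 250-STARTTLS.
#    Transport stops advertising STARTTLS on a connector whose FQDN has no
#    usable certificate, so this is the observable effect of event 12014.
function Test-StartTls([string]$Server, [int]$Port = 25) {
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"
    $writer.AutoFlush = $true
    $null = $reader.ReadLine()                 # 220 banner
    $writer.WriteLine('EHLO probe.example')    # constructed client name
    $lines = @()
    do {
        $line = $reader.ReadLine()
        $lines += $line
    } while ($line -match '^\d{3}-')           # "250-" continues, "250 " ends
    $writer.WriteLine('QUIT')
    $client.Close()
    return [bool]($lines -match '^250[- ]STARTTLS')
}

Test-StartTls -Server $serverFqdn
```

Step 2 is worth running before step 3: if it reports MISSING for a name that the certificate visibly contains, the problem is not the name but the private key (CSP permissions or a missing key), which Enable-ExchangeCertificate -Services SMTP is meant to repair. Step 4 only tells you that STARTTLS is offered; it does not validate the certificate chain, which is fine for the internal name because intra-org TLS is not validated against a public root anyway.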

Author Comment

by:npdodge
ID: 39989822
How does this affect TLS communication with external SMTP servers?
LVL 29

Expert Comment

by:becraig
ID: 39989839
You configure the send connector with the same fqdn as your external endpoints.


Also you will be able to use the same SSL certificate since the CN is the same as the external endpoint name.

Info on configuring your connectors (If needed)
http://technet.microsoft.com/en-us/library/bb629503%28v=exchg.141%29.aspx
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39992076
It will have no effect on external TLS communications.

Simon.
Author Closing Comment

by:npdodge
ID: 40002472
That worked!  Thanks Simon.