Certificate in Exchange 2010 on SBS2011

Posted on 2014-08-14
Last Modified: 2014-08-20

I have started to get the below error a few days ago.  I'm not shy, but I'm guessing something in a patch.

12014 MSEXCHANGE transport

Microsoft Exchange could not find a certificate that contains the domain name in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector default smtp with a FQDN parameter of If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

Our layout is that we have an antispam server in front of the SBS server and exchange.

Currently the mx record points to that, I'm calling it  So there is in fact no cert with that name on it.  

Can I do a self-signed cert or do I need to get a commercial one?  Do I just get one with the name in it?

Question by:mcioffi209
    LVL 28

    Expert Comment

    You create a self-signed cert and run the Enable-ExchangeCertificate -Services SMTP for that cert.
    LVL 28

    Accepted Solution

    Here are the steps on creating the new self-signed cert:

    New-ExchangeCertificate -GenerateRequest -SubjectName "c=US, o=Woodgrove Bank," -DomainName, -PrivateKeyExportable $true

    Change the values to suit your scenario
    LVL 63

    Expert Comment

    by:Simon Butler (Sembee)
    Have you set the FQDN in Exchange anywhere to match that host name? The fact that you have a filtering appliance in front shouldn't affect SBS in any way.

    What that would mean is there would be three host names involved:

    As for certificate choice - ideally you should have a trusted certificate in place for the web services on Exchange and SBS.

    LVL 28

    Expert Comment

    I would suggest verifying the values before making any changes.

    Get-ExchangeCertificate | FL *

    Get-ReceiveConnector | FL name, fqdn, objectClass

    Get-SendConnector | FL name, fqdn, objectClass
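
The three checks above can be combined into one read-only pass that shows which connector FQDNs are not covered by any valid certificate enabled for SMTP, which is the condition event 12014 reports. This is an added example, not part of the original thread; it is meant for the Exchange Management Shell, and the helper name Test-NameCovered is hypothetical.

```powershell
# Added example: read-only, changes nothing on the server.
# Certificates that are enabled for SMTP, valid, and not expired.
$now = Get-Date
$smtpCerts = Get-ExchangeCertificate | Where-Object {
    "$($_.Services)" -match 'SMTP' -and "$($_.Status)" -eq 'Valid' -and $_.NotAfter -gt $now
}

# Event 12014 states that the computer's FQDN is used when a connector has none set.
$serverFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Returns the thumbprint of the first certificate whose names cover $Fqdn, else $null.
function Test-NameCovered {
    param([string]$Fqdn, $Certs)
    foreach ($cert in $Certs) {
        foreach ($d in $cert.CertificateDomains) {
            $name = "$d"    # an exact host name or a wildcard such as *.<domain>
            if ($Fqdn -ieq $name) { return $cert.Thumbprint }
            if ($name.StartsWith('*.')) {
                # A wildcard covers exactly one extra label to the left.
                $pattern = '^[^.]+\.' + [regex]::Escape($name.Substring(2)) + '$'
                if ($Fqdn -match $pattern) { return $cert.Thumbprint }
            }
        }
    }
    return $null
}

# Compare every receive and send connector against the SMTP-enabled certificates.
$connectors = @(Get-ReceiveConnector) + @(Get-SendConnector)
$report = foreach ($c in $connectors) {
    $fqdn = "$($c.Fqdn)"
    if ([string]::IsNullOrEmpty($fqdn)) { $fqdn = $serverFqdn }
    $thumb = Test-NameCovered -Fqdn $fqdn -Certs $smtpCerts
    New-Object PSObject -Property @{
        Connector  = $c.Name
        Fqdn       = $fqdn
        Covered    = [bool]$thumb
        Thumbprint = $thumb
    }
}

# Uncovered connectors sort first; these are the ones that cannot offer STARTTLS.
$report | Sort-Object Covered | Format-Table Connector, Fqdn, Covered, Thumbprint -AutoSize
```

A row with Covered set to False names the connector and FQDN that need either a matching certificate enabled for SMTP or a corrected FQDN.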

    Author Comment

    Thanks for the suggestions.  I will look at this more tonight and get back to this.

    Author Closing Comment

    Thanks this helped a lot.
