Exchange 2007 cert error 12014

I have a Windows 2008 server running Exchange 2007.  Recently, our GoDaddy SSL Cert (UCC) was due to expire.  I went through the process to reconfigure the Exchange server to use a FQDN instead of the intranet name so I could renew the SSL Cert.  I then renewed the cert, and all was well except for this MSExchangeTransport 12014 error in my event logs.  It states:

"Microsoft Exchange couldn't find a certificate that contains the domain name <servername>.<domain>.local in the personal store on the local computer.  Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default <servername> with a FQDN parameter of <servername>.<domain>.local."

This Exchange server has 4 Receive Connectors: the default, one for regular mail of authenticated users, and two more for specific internal IP Addresses that permit what is basically a mail relay.  All 4 connectors show the FQDN as <servername>.<domain>.local.

Since .local is soon to be unsupported in an SSL certificate, we no longer have the intranet name listed in our UCC cert.  Therefore, the error is correct.

I thought I could simply change the FQDN in my 4 receive connectors, but the Default connector will not permit it.  So I researched and found differing opinions on what, if anything, could be done.  Some folks say you CAN'T change the Default, where others say that disabling the Exchange Server Authentication on the Default will then let you change the FQDN.

Surely someone here has run into this and knows the correct course of action.  

Thanks in advance for the input.
tcampbell_nc asked:
Simon Butler (Sembee), Consultant, commented:
The easiest way to resolve this is to just generate an internal self signed certificate.
Run

new-exchangecertificate

no further prompts or switches.
When you are asked to replace the default certificate for SMTP, say yes.
Self signed certificates are fine for SMTP transport, so this will fix the problem for you.

Simon.
tcampbell_nc (Author) commented:
If that is the case, why have a UCC Cert to begin with?  I am not sure about replacing our third party UCC Cert with a self signed certificate.
Simon Butler (Sembee), Consultant, commented:
I am only advocating replacing the trusted certificate with a self signed certificate for the SMTP role. Nothing else. The UC certificate is used for web services, client access etc (basically where clients are connecting). You would use a UC so that you can have both mail.example.com and Autodiscover.example.com in the SSL certificate.

Simon.
tcampbell_nc (Author) commented:
OK, I ran the "new-exchangecertificate" command.  It generates a new cert, and asks if I want to "overwrite existing default SMTP certificate".  I don't think I want to overwrite the certificate do I?  or does this simply move the SMTP from the default to the new?
Simon Butler (Sembee), Consultant, commented:
That is what you want to do. When you get that prompt say yes.
It only changes the SMTP certificate - your trusted certificate for web services is unaffected.

Simon.
tcampbell_nc (Author) commented:
Just for clarification, when I was prompted to overwrite the default SMTP Certificate, I said no.  I was going to then "enable-exchangecertificate" to turn on SMTP.  When I did a Get-ExchangeCertificate (no other switches), the short list came up and it showed the new certificate with the SMTP service, as well as the UCC with SMTP service.  I performed the Get-ExchangeCertificate | FL, and the new certificate shows as valid, and it shows that SMTP is its only service.

I did not do the "Enable". I am monitoring the event logs and seeing no new Exchange Transport errors. I am thinking that by answering "No" to overwriting, that it created the new cert with SMTP without changing the UCC cert.  Is that a fair statement, and will this cause any problems?
tcampbell_nc (Author) commented:
Let me also say that I have tested mail flow in both directions and it seems to be working fine at this time.
Simon Butler (Sembee), Consultant, commented:
All certificates get bound to the SMTP function by default.
You need to replace the default certificate.
Therefore I would remove the one that you have just created and run the command again, this time saying yes. Otherwise you will probably still get errors and warnings in the event logs.

Simon.
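The procedure Simon describes (a self-signed certificate for the SMTP service only, replacing the default SMTP certificate, and removing a stray one created by answering No), together with a check of why 12014 fires, as an added Exchange Management Shell example. This is not code from the thread, from Microsoft or from Experts Exchange; the server name EX01 and the internal FQDN EX01.corp.local are placeholders, and the three function names are this example's own. Run it on the Hub Transport server as an Exchange administrator.

```powershell
# Added example (not from the original thread). Exchange 2007 Management Shell.
# Placeholders: EX01 (server), EX01.corp.local (internal connector FQDN).

# 1. Diagnose: a Receive Connector whose Fqdn is not listed in the CertificateDomains
#    of any unexpired certificate enabled for SMTP is exactly what event 12014 reports.
function Test-SmtpCertificateCoverage {
    param([string]$Server = $env:COMPUTERNAME)

    # Domain names (wildcards such as *.example.com included) from every
    # unexpired certificate that has SMTP in its Services list.
    $smtpDomains = Get-ExchangeCertificate |
        Where-Object { $_.Services.ToString() -match 'SMTP' -and $_.NotAfter -gt (Get-Date) } |
        ForEach-Object { $_.CertificateDomains } |
        ForEach-Object { $_.ToString().ToLower() } |
        Sort-Object -Unique

    Get-ReceiveConnector -Server $Server | Where-Object { $_.Fqdn } |
        Select-Object Identity, Fqdn, @{
            Name = 'Covered'
            Expression = {
                $fqdn = $_.Fqdn.ToString().ToLower()
                # -like lets a wildcard entry in the certificate match a host name
                [bool]($smtpDomains | Where-Object { $fqdn -like $_ })
            }
        }
}

# 2. Remediate as Simon advises: a self-signed certificate whose domain list carries
#    the internal FQDN, enabled for SMTP only. The trusted UC certificate keeps
#    IIS/POP/IMAP and is not touched.
function New-SmtpTransportCertificate {
    param([string]$InternalFqdn)
    if (-not $InternalFqdn) { throw 'InternalFqdn is required, e.g. EX01.corp.local' }

    # -Confirm:$false answers Yes to "Overwrite existing default SMTP certificate?",
    # the prompt the asker declined.
    $cert = New-ExchangeCertificate -DomainName $InternalFqdn `
        -SubjectName "CN=$InternalFqdn" `
        -FriendlyName "Internal SMTP transport ($InternalFqdn)" `
        -Services SMTP -Confirm:$false

    # Explicit (re)bind for a certificate that was created earlier with No answered.
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP -Confirm:$false
    return $cert
}

# 3. Verify: no new 12014 entries from MSExchangeTransport in the Application log.
#    (Get-EventLog -Source needs PowerShell 2.0, so the filter is done with Where-Object.)
function Get-Transport12014 {
    param([int]$Newest = 500)
    Get-EventLog -LogName Application -Newest $Newest |
        Where-Object { $_.Source -eq 'MSExchangeTransport' -and $_.EventID -eq 12014 }
}

# Usage (placeholder names):
#   Test-SmtpCertificateCoverage -Server EX01            # Covered=False for EX01.corp.local
#   New-SmtpTransportCertificate -InternalFqdn 'EX01.corp.local'
#   Test-SmtpCertificateCoverage -Server EX01            # Covered=True on all four connectors
#   Get-ExchangeCertificate | Format-List Thumbprint, CertificateDomains, Services, IsSelfSigned, NotAfter
#   Get-Transport12014                                   # expect no entries after the change
# A certificate created by mistake (the one made after answering No) is removed with
#   Remove-ExchangeCertificate -Thumbprint <its thumbprint>
```

One caveat a practitioner will want to keep in mind: whichever connector faces the Internet presents the certificate that matches its Fqdn, so with the .local name left on that connector external senders will be offered the self-signed certificate. Opportunistic STARTTLS still works (the sender does not validate the chain), but anything that requires a trusted certificate from this server, such as Exchange 2007 Domain Security (mutual TLS with a partner), needs the publicly trusted certificate on a connector whose Fqdn is one of its names.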
tcampbell_nc (Author) commented:
I still have SMTP on the UCC Cert and there have been no errors, so I'll leave it alone for now.  Thanks for the assist.