Exchange 2007 cert error 12014

I have a Windows 2008 server running Exchange 2007.  Recently, our GoDaddy SSL Cert (UCC) was due to expire.  I went through the process to reconfigure the Exchange server to use a FQDN instead of the intranet name so I could renew the SSL Cert.  I then renewed the cert, and all was well except for this MSExchangeTransport 12014 error in my event logs.  It states:

"Microsoft Exchange couldn't find a certificate that contains the domain name <servername>.<domain>.local in the personal store on the local computer.  Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default <servername> with a FQDN parameter of <servername>.<domain>.local."

This Exchange server has 4 Receive Connectors: the default, one for regular mail of authenticated users, and two more for specific internal IP addresses that permit what is basically a mail relay.  All 4 connectors show the FQDN as <servername>.<domain>.local.

Since .local is soon to be unsupported in an SSL certificate, we no longer have the intranet name listed in our UCC cert.  Therefore, the error is correct.

I thought I could simply change the FQDN in my 4 receive connectors, but the Default connector will not permit it.  So I researched and found differing opinions on what, if anything, could be done.  Some folks say you CAN'T change the Default, where others say that disabling the Exchange Server Authentication on the Default will then let you change the FQDN.

Surely someone here has run into this and knows the correct course of action.  

Thanks in advance for the input.
Asked by tcampbell_nc

Simon Butler (Sembee), Consultant, commented:
The easiest way to resolve this is to just generate an internal self signed certificate.
Run

new-exchangecertificate

no further prompts or switches.
When you are asked to replace the default certificate for SMTP, say yes.
Self signed certificates are fine for SMTP transport, so this will fix the problem for you.

Simon.

tcampbell_nc (author) commented:
If that is the case, why have a UCC Cert to begin with?  I am not sure about replacing our third party UCC Cert with a self signed certificate.

Simon Butler (Sembee), Consultant, commented:
I am only advocating replacing the trusted certificate with a self signed certificate for the SMTP role. Nothing else. The UC certificate is used for web services, client access etc (basically where clients are connecting). You would use a UC so that you can have both mail.example.com and Autodiscover.example.com in the SSL certificate.

Simon.
 
tcampbell_nc (author) commented:
OK, I ran the "new-exchangecertificate" command.  It generates a new cert, and asks if I want to "overwrite existing default SMTP certificate".  I don't think I want to overwrite the certificate, do I?  Or does this simply move the SMTP from the default to the new?

Simon Butler (Sembee), Consultant, commented:
That is what you want to do. When you get that prompt say yes.
It only changes the SMTP certificate - your trusted certificate for web services is unaffected.

Simon.

tcampbell_nc (author) commented:
Just for clarification, when I was prompted to overwrite the default SMTP Certificate, I said no.  I was going to then "enable-exchangecertificate" to turn on SMTP.  When I did a Get-exchangecertificate (no other switches), the short list came up and it showed the new certificate with the SMTP service, as well as the UCC with SMTP service.  I performed the get-exchangecertificate |FL, and the new certificate shows as valid, and it shows that SMTP is its only service.

I did not do the "Enable". I am monitoring the event logs and seeing no new Exchange Transport errors. I am thinking that by answering "No" to overwriting, that it created the new cert with SMTP without changing the UCC cert.  Is that a fair statement, and will this cause any problems?

tcampbell_nc (author) commented:
Let me also say that I have tested mail flow in both directions and it seems to be working fine at this time.

Simon Butler (Sembee), Consultant, commented:
All certificates get bound to the SMTP function by default.
You need to replace the default certificate.
Therefore I would remove the one that you have just created and run the command again, this time saying yes. Otherwise you will probably still get errors and warnings in the event logs.

Simon.

tcampbell_nc (author) commented:
I still have SMTP on the UCC Cert and there have been no errors, so I leave it alone for now.  Thanks for the assist.
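The procedure Simon recommends, written out as an added Exchange Management Shell (PowerShell) example; this is not code from the thread or from Microsoft, and the server name, domain and friendly name are placeholders. It shows how to inspect which certificate is bound to SMTP, create a self-signed certificate for the internal FQDN bound to SMTP only, and confirm that the UC certificate keeps its client-facing services while the 12014 warning stops.

```powershell
# Added example (not from the thread): move the SMTP/STARTTLS binding on an
# Exchange 2007 server to a self-signed certificate carrying the internal FQDN,
# leaving the third-party UC certificate on the client-facing services.
# <servername>.<domain>.local and the friendly name are placeholders.

# 1. See what is currently in the store and which services each cert serves.
#    Event 12014 fires because no certificate lists the connector FQDN.
Get-ExchangeCertificate |
    Format-List Thumbprint, Status, IsSelfSigned, Services, CertificateDomains, NotAfter

# 2. Confirm the FQDN each receive connector advertises in STARTTLS.
Get-ReceiveConnector | Format-Table Identity, Fqdn -AutoSize

# 3. Create a self-signed certificate for the internal FQDN, for SMTP only.
#    Answer "Yes" at the "overwrite existing default SMTP certificate" prompt,
#    as the thread recommends; that is what makes it the STARTTLS certificate.
$internalFqdn = "<servername>.<domain>.local"   # placeholder
$selfSigned = New-ExchangeCertificate -DomainName $internalFqdn `
    -Services SMTP -FriendlyName "Internal SMTP (self-signed)"

# 4. Verify the split: the new cert should show SMTP and the internal name;
#    the CA-issued UC cert should still carry IIS and the public names.
Get-ExchangeCertificate -Thumbprint $selfSigned.Thumbprint |
    Format-List Thumbprint, Services, CertificateDomains, IsSelfSigned
Get-ExchangeCertificate | Where-Object { -not $_.IsSelfSigned } |
    Format-List Thumbprint, Services, CertificateDomains

# 5. If "No" was chosen at the prompt (as the poster did), the binding can be
#    applied afterwards instead of re-creating the certificate:
# Enable-ExchangeCertificate -Thumbprint $selfSigned.Thumbprint -Services SMTP

# 6. Check that no new 12014 warnings are logged after the change.
Get-EventLog -LogName Application -Source MSExchangeTransport -After (Get-Date).AddHours(-1) |
    Where-Object { $_.EventID -eq 12014 } |
    Format-List TimeGenerated, Message
```

The self-signed certificate only has to satisfy Exchange's own check that some certificate in the store carries the connector FQDN; opportunistic STARTTLS between MTAs does not require a CA-trusted certificate, which is why the UC certificate can stay reserved for the services where clients validate the chain.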