Event-ID 12014 "...could not find a certificate that contains the domain name ...."
-
Wednesday, August 04, 2010 11:28 AM
We use Exchange 2007 SP3 in our company and several times a day (every 15 to 30 Minutes) the following event occurs in Application-Log:
Event Type: Error
Event Source: MSExchangeTransport
Event Category: TransportService
Event ID: 12014
Date: 04.08.2010
Time: 10:55:54
User: N/A
Computer: SERVER
Description:
Microsoft Exchange could not find a certificate that contains the domain name mail.cnd-net.at in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Internet with a FQDN parameter of mail.cnd-net.at. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

When I run "enable-exchangecertificate -thumbprint xxxxxxxxx -services SMTP" I get this:
[PS] C:\Documents and Settings\administrator>enable-exchangecertificate -thumbprint D0665AE869AD31392A34C574359FA60498DAFB63 -services SMTP
WARNING: This certificate will not be used for external TLS connections with an FQDN of 'mail.cnd-net.at' because the CA-signed certificate with thumbprint'025F606BA4D10858DF72FDC94CE6F1AD4812C033' takes precedence. The following connectors match that FQDN: Client SERVER.
Confirm
Overwrite existing default SMTP certificate,
'38AF6CB62F2B6C955C4B5ACDEBA1BAD45DA49112' (expires 30.07.2015 10:43:17), with
certificate 'D0665AE869AD31392A34C574359FA60498DAFB63' (expires 14.06.2010
16:15:11)?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is "Y"):s
[PS] C:\Documents and Settings\administrator>enable-exchangecertificate -thumbprint 025F606BA4D10858DF72FDC94CE6F1AD4812C033 -services SMTP
Confirm
Overwrite existing default SMTP certificate,
'38AF6CB62F2B6C955C4B5ACDEBA1BAD45DA49112' (expires 30.07.2015 10:43:17), with
certificate '025F606BA4D10858DF72FDC94CE6F1AD4812C033' (expires 13.12.2010
22:20:51)?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help

The certificate expires in 2015????? So: Why does the event occur??
Here's the result of "Get-ExchangeCertificate | FL *"
(in this list I shortened the contents of the fields "RawData" and "CertificateRequest"):

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, Syst
em.Security.AccessControl.CryptoKeyAccessRule, System.Se
curity.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {server, server.cnd-net.local}
CertificateRequest :
IisServices : {}
IsSelfSigned : True
KeyIdentifier : E028704057B80F9A142C35638F2261B2CB96F1D8
RootCAType : None
Services : IMAP, POP, SMTP
Status : Valid
PrivateKeyExportable : False
Archived : False
Extensions : {System.Security.Cryptography.Oid, System.Security.Crypt
ography.Oid, System.Security.Cryptography.Oid, System.Se
curity.Cryptography.Oid}
FriendlyName : Microsoft Exchange
IssuerName : System.Security.Cryptography.X509Certificates.X500Distin
guishedName
NotAfter : 30.07.2015 10:43:17
NotBefore : 30.07.2010 10:43:17
HasPrivateKey : True
PrivateKey : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
RawData : {48, 130, ...}
SerialNumber : 703C0FA6D9074B8B457D5F1B3C2BC098
SubjectName : System.Security.Cryptography.X509Certificates.X500Distin
guishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint : 38AF6CB62F2B6C955C4B5ACDEBA1BAD45DA49112
Version : 3
Handle : 466708912
Issuer : CN=server
Subject : CN=server

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, Syst
em.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {server.cnd-net.local}
CertificateRequest :
IisServices : {}
IsSelfSigned : False
KeyIdentifier : 00A08F384B2BD17ADD1287CE1D27640C823C3FE7
RootCAType : Enterprise
Services : None
Status : Valid
PrivateKeyExportable : False
Archived : False
Extensions : {System.Security.Cryptography.Oid, System.Security.Crypt
ography.Oid, System.Security.Cryptography.Oid, System.Se
curity.Cryptography.Oid, System.Security.Cryptography.Oi
d, System.Security.Cryptography.Oid, System.Security.Cry
ptography.Oid, System.Security.Cryptography.Oid, System.
Security.Cryptography.Oid}
FriendlyName : server.cnd-net.local
IssuerName : System.Security.Cryptography.X509Certificates.X500Distin
guishedName
NotAfter : 22.03.2011 12:33:26
NotBefore : 22.03.2010 12:33:26
HasPrivateKey : True
PrivateKey : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
RawData : {48, 130, ...}
SerialNumber : 11BDBDAE00000000001D
SubjectName : System.Security.Cryptography.X509Certificates.X500Distin
guishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint : 261B9CC483E97A81221390B31E8C28E8B24E8619
Version : 3
Handle : 466579104
Issuer : CN=cnd-net Ing. Andreas Weiler, DC=cnd-net, DC=local
Subject : CN=server.cnd-net.local

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, Syst
em.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.cnd-net.at, server, server.cnd-net.local, autodisc
over.cnd-net.at, autodiscover.cnd-net.local, autodiscove
r.server.cnd-net.local, mail.cnd.at, mail.cnd-net.eu, ma
il.computernotdienst.at, cnd-net.at, autodiscover.cnd-ne
t.eu, autodiscover.cndserver.at, autodiscover.cnd.at, au
todiscover.computernotdienst.at, autodiscover.weiler-bad
en.at, autodiscover.it-service-net.at...}
CertificateRequest :
IisServices : {IIS://server/W3SVC/1}
IsSelfSigned : False
KeyIdentifier : C39FAF13D650709B08DB9D920E62029259277737
RootCAType : Enterprise
Services : IMAP, POP, IIS
Status : Valid
PrivateKeyExportable : True
Archived : False
Extensions : {System.Security.Cryptography.Oid, System.Security.Crypt
ography.Oid, System.Security.Cryptography.Oid, System.Se
curity.Cryptography.Oid, System.Security.Cryptography.Oi
d, System.Security.Cryptography.Oid, System.Security.Cry
ptography.Oid, System.Security.Cryptography.Oid}
FriendlyName : cnd-net Exchange
IssuerName : System.Security.Cryptography.X509Certificates.X500Distin
guishedName
NotAfter : 13.12.2010 22:20:51
NotBefore : 13.12.2008 22:20:51
HasPrivateKey : True
PrivateKey : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
RawData : {48, 130, ...}
SerialNumber : 123DAA24000000000013
SubjectName : System.Security.Cryptography.X509Certificates.X500Distin
guishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint : 025F606BA4D10858DF72FDC94CE6F1AD4812C033
Version : 3
Handle : 466072512
Issuer : CN=cnd-net Ing. Andreas Weiler, DC=cnd-net, DC=local
Subject : CN=mail.cnd-net.at, O=cnd-net.at, L=Baden, C=AT

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, Syst
em.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {cnd-net.at}
CertificateRequest : MIIFMT..............sUpSFjb575kOygJgGWk8fp+vaQX6kPm9OQ==G
IisServices : {}
IsSelfSigned : True
KeyIdentifier : F45034F98A9D1374BA7962A767E05ADB3AA91A02
RootCAType : Unknown
Services : None
Status : Invalid
PrivateKeyExportable : False
Archived : False
Extensions : {}
FriendlyName : Microsoft Exchange
IssuerName : System.Security.Cryptography.X509Certificates.X500Distin
guishedName
NotAfter : 27.07.2009 03:10:23
NotBefore : 26.07.2008 21:10:23
HasPrivateKey : True
PrivateKey : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
RawData : {48, 130, ...}
SerialNumber : BF75DB485415F7904C5F699EE692B418
SubjectName : System.Security.Cryptography.X509Certificates.X500Distin
guishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint : F78921C35CF0E8A2E5C744A06859DFA8096E4615
Version : 3
Handle : 1795984
Issuer : CN=cnd-net.at, O=cnd-net, DC=cnd-net Ing. Andreas Weiler
, C=NL
Subject : CN=cnd-net.at, O=cnd-net, DC=cnd-net Ing. Andreas Weiler
, C=NL

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, Syst
em.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {cnd-net.at}
CertificateRequest : MIIE7DCCA9QCAQAwYTEL.......GPRCJfmzg==kaXNjb3Zlci52
IisServices : {}
IsSelfSigned : True
KeyIdentifier : 470EEE8D210708F4FF018B5210C8A2EE1E53FD92
RootCAType : Unknown
Services : None
Status : Invalid
PrivateKeyExportable : False
Archived : False
Extensions : {}
FriendlyName : Microsoft Exchange
IssuerName : System.Security.Cryptography.X509Certificates.X500Distin
guishedName
NotAfter : 27.07.2009 02:36:11
NotBefore : 26.07.2008 20:36:11
HasPrivateKey : True
PrivateKey : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
RawData : {48, 130, ...}
SerialNumber : ECBC48359B171E964FEFB15668779BAD
SubjectName : System.Security.Cryptography.X509Certificates.X500Distin
guishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint : E0D0EBF324E6C8BAFC735EC701E76B83D17729F3
Version : 3
Handle : 1795840
Issuer : CN=cnd-net.at, O=cnd-net, DC=cnd-net Ing. Andreas Weiler
, C=NL
Subject : CN=cnd-net.at, O=cnd-net, DC=cnd-net Ing. Andreas Weiler
, C=NL

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, Syst
em.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.cnd-net.at}
CertificateRequest :
IisServices : {}
IsSelfSigned : False
KeyIdentifier : FFFD303D247BCF437DA934DB22287D34FF04E92C
RootCAType : Enterprise
Services : None
Status : DateInvalid
PrivateKeyExportable : False
Archived : False
Extensions : {System.Security.Cryptography.Oid, System.Security.Crypt
ography.Oid, System.Security.Cryptography.Oid, System.Se
curity.Cryptography.Oid, System.Security.Cryptography.Oi
d, System.Security.Cryptography.Oid, System.Security.Cry
ptography.Oid, System.Security.Cryptography.Oid}
FriendlyName : OWA
IssuerName : System.Security.Cryptography.X509Certificates.X500Distin
guishedName
NotAfter : 14.06.2010 16:15:11
NotBefore : 14.06.2008 16:15:11
HasPrivateKey : True
PrivateKey : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
RawData : {48, 130, ...}
SerialNumber : 61332EB8000000000006
SubjectName : System.Security.Cryptography.X509Certificates.X500Distin
guishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint : D0665AE869AD31392A34C574359FA60498DAFB63
Version : 3
Handle : 466709056
Issuer : CN=cnd-net Ing. Andreas Weiler, DC=cnd-net, DC=local
Subject : CN=mail.cnd-net.at, OU=Service, O=cnd-net Ing. Weiler, L
=Baden, S=Austria, C=AT

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, Syst
em.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {}
CertificateRequest :
IisServices : {}
IsSelfSigned : True
KeyIdentifier : 3BCBC64319927C62440155DB42171315A5B485A8
RootCAType : Enterprise
Services : None
Status : Valid
PrivateKeyExportable : True
Archived : False
Extensions : {System.Security.Cryptography.Oid, System.Security.Crypt
ography.Oid, System.Security.Cryptography.Oid, System.Se
curity.Cryptography.Oid, System.Security.Cryptography.Oi
d, System.Security.Cryptography.Oid}
FriendlyName :
IssuerName : System.Security.Cryptography.X509Certificates.X500Distin
guishedName
NotAfter : 14.06.2013 00:14:14
NotBefore : 14.06.2008 00:08:15
HasPrivateKey : True
PrivateKey : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
RawData : {48, 130, ...}
SerialNumber : 3A52571BBFFE1FAA4C64CDE92267D043
SubjectName : System.Security.Cryptography.X509Certificates.X500Distin
guishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint : 2B7B86DD0660DFE5595A04E14B7066E87B5D39CF
Version : 3
Handle : 466553248
Issuer : CN=cnd-net Ing. Andreas Weiler, DC=cnd-net, DC=local
Subject : CN=cnd-net Ing. Andreas Weiler, DC=cnd-net, DC=local

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, Syst
em.Security.AccessControl.CryptoKeyAccessRule, System.Se
curity.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {server, server.cnd-net.local}
CertificateRequest :
IisServices : {}
IsSelfSigned : True
KeyIdentifier : 93D48322E231C5EE8865AEBB361780A05AB804C4
RootCAType : Unknown
Services : IMAP, POP, SMTP
Status : Invalid
PrivateKeyExportable : False
Archived : False
Extensions : {System.Security.Cryptography.Oid, System.Security.Crypt
ography.Oid, System.Security.Cryptography.Oid, System.Se
curity.Cryptography.Oid}
FriendlyName : Microsoft Exchange
IssuerName : System.Security.Cryptography.X509Certificates.X500Distin
guishedName
NotAfter : 30.03.2009 22:25:50
NotBefore : 30.03.2008 22:25:50
HasPrivateKey : True
PrivateKey : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
RawData : {48, 130, ...}
SerialNumber : 6A5B5F8834C134BF4E8D903B28C04D8E
SubjectName : System.Security.Cryptography.X509Certificates.X500Distin
guishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint : 61003CBC6BC1E53EE5005ACA524EE54C02362441
Version : 3
Handle : 466553104
Issuer : CN=server
Subject : CN=server

I'm not an Exchange expert and don't know what to do now. Please give me instructions for beginners.
Thanks in advance.
Andreas
All Replies
-
Wednesday, August 04, 2010 12:57 PM
Hi
Start MMC console, add certificates (computer) and check in personal if you maybe have multiple certificates with that name
Jonas Andersson MCTS: Microsoft Exchange Server 2007/2010 | MCITP: EMA 2007/2010 | MCSE/MCSA Blog: http://www.testlabs.se/blog
-
Thursday, August 05, 2010 9:58 AM
Hi,
This error is caused by your certificate of the SMTP service, which does not contain your external domain name mail.cnd-net.at.
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, Syst
em.Security.AccessControl.CryptoKeyAccessRule, System.Se
curity.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {server, server.cnd-net.local}
CertificateRequest :
IisServices : {}
IsSelfSigned : True
KeyIdentifier : E028704057B80F9A142C35638F2261B2CB96F1D8
RootCAType : None
Services : IMAP, POP, SMTP
Status : Valid
PrivateKeyExportable : False
Archived : False

To resolve this problem, please follow these steps to generate a new certificate:
Open EMS, type:
New-exchangecertificate -domainName server, server.cnd-net.local, mail.cnd-net.at
You will get a prompt to overwrite the default SMTP certificate. Type A to overwrite it.
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Thanks
- Marked As Answer by Gen Lin Thursday, August 12, 2010 9:13 AM
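The check that the event text asks for ("verify the connector configuration and the installed certificates") can be done in one pass. The following is an added example, not code from any participant in this thread: a read-only Exchange Management Shell script that lists, for each connector FQDN, the certificates carrying that name and whether each is valid, unexpired and enabled for SMTP. The `UsableForStartTls` column and the local-FQDN lookup are assumptions of this example and do not reproduce Exchange's full certificate selection logic.

```powershell
# Added example (read-only). Run in the Exchange Management Shell.
# Uses only properties shown in the Get-ExchangeCertificate output above.

$now       = Get-Date
# Assumption: DNS lookup of the local host name yields the computer's FQDN.
$localFqdn = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName
$certs     = @(Get-ExchangeCertificate)
$conns     = @(Get-ReceiveConnector) + @(Get-SendConnector)

foreach ($conn in $conns) {
    # A connector without an explicit FQDN falls back to the computer's FQDN.
    $fqdn = $(if ($conn.Fqdn) { $conn.Fqdn.ToString() } else { $localFqdn })

    # Certificates whose CertificateDomains list contains the connector FQDN.
    # Exact-name match only; wildcard certificate names are not handled.
    $matching = @($certs | Where-Object {
        $names = @($_.CertificateDomains | ForEach-Object { $_.ToString() })
        $names -contains $fqdn
    })

    if ($matching.Count -eq 0) {
        Write-Warning "$($conn.Name): no certificate contains $fqdn"
        continue
    }

    # UsableForStartTls is this example's own summary column.
    $matching | Select-Object `
        @{ Name = 'Connector'; Expression = { $conn.Name } },
        @{ Name = 'Fqdn';      Expression = { $fqdn } },
        Thumbprint, IsSelfSigned, Status, NotAfter, Services,
        @{ Name = 'UsableForStartTls'; Expression = {
            ($_.Status -eq 'Valid') -and ($_.NotAfter -gt $now) -and
            ("$($_.Services)" -match 'SMTP')
        } } |
        Format-Table -AutoSize
}
```

A connector whose rows all show `UsableForStartTls` as False, or that produces the warning, is one for which event 12014 would be expected.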
-
Thursday, August 05, 2010 1:35 PM
This could be solved, as Gen Lin said, by creating a self-signed certificate including that name, or by just using openssl to generate a certificate that matches that name, then importing it and enabling it for SMTP.
Jonas Andersson MCTS: Microsoft Exchange Server 2007/2010 | MCITP: EMA 2007/2010 | MCSE/MCSA Blog: http://www.testlabs.se/blog
-
Friday, August 06, 2010 10:33 PM
Hello,
Check the Event Viewer for Event ID 12014, go through those events, and according to that create a self-signed certificate for the SMTP service.
For example, run this command:
New-ExchangeCertificate -DomainName mail.cnd-net.at -Services SMTP
After creating the self-signed certificate for the SMTP service, restart the Transport service.
It will help you.
EXCHANGE2010, MCSE, MCTS, MCSA MESSAGING, CCNA & GNIIT
- Proposed As Answer by PKT_ Friday, August 06, 2010 10:33 PM
-
Wednesday, October 19, 2011 11:02 AM
Hi,
Excellent article, works perfect
- Proposed As Answer by desharma Wednesday, October 19, 2011 11:02 AM
-
Monday, March 11, 2013 4:04 PM
Hi,
Excellent article, works perfect
There were several options to solve this problem....
What did you DO that fixed your problem? Please do share as saying works perfect tells no one what you did to fix your specific issue and helps no one else.
Thanks, Charlie

