EventID: 12014 - Too many certificates?

  • Question

  • This subject is a little out of my comfort zone.  Apologies for that.

    Our main server (2003 R2 Enterprise x64) runs Exchange Server 2007.  We do run a second server purely for Navision 3.7 running on Server 2000.

    We get 12014 events generated, although everything appears to be working ok.  This has been going on for some time - I feel it is probably time to sort it out.

    The output from 'get-exchangecertificates |fl' is as follows:

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {'server', 'server'.'domain'}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN='server'
    NotAfter           : 11/03/2011 11:41:35
    NotBefore          : 11/03/2010 11:41:35
    PublicKeySize      : 2048
    RootCAType         : Unknown
    SerialNumber       : EB226DA878977597481E73A249EED86A
    Services           : SMTP
    Status             : Invalid
    Subject            : CN='server'
    Thumbprint         : 3BAEFB3868B5DC69EE11A94DAD7A557F8DD0C617

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {mail.'domain', 'domain', autodiscover.braemac.c
                         o.uk}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=mail.'domain', O=xxxx, DC=xxxx, DC=co, DC=uk, C=UK
    NotAfter           : 12/01/2010 11:45:16
    NotBefore          : 12/01/2009 11:45:16
    PublicKeySize      : 2048
    RootCAType         : Unknown
    SerialNumber       : ED054CFF7483EBA146F8F354C5221B1A
    Services           : IMAP, POP, IIS, SMTP
    Status             : Invalid
    Subject            : CN=mail.'domain', O=xxxx, DC=xxxx, DC=co, DC=uk, C=UK
    Thumbprint         : 1DD9346DACCAA7A0D66886193ACB05A93D77A1E0

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {'server', 'server'.'domain'}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN='server'
    NotAfter           : 17/12/2009 16:00:23
    NotBefore          : 17/12/2008 16:00:23
    PublicKeySize      : 2048
    RootCAType         : Unknown
    SerialNumber       : 01107F71E00F8FB64174786382C6308D
    Services           : SMTP
    Status             : Invalid
    Subject            : CN='server'
    Thumbprint         : 94482634BB294A347D8887D9283C91BFA009BD65

    As can be seen all three certificates show as 'Invalid' and SMTP is under each certificate. Can I remove the two certificates showing only SMTP and leave the third? Will this sort out the 12014's or is there something else that needs to be done.

    TIA

    Alan Dean

    Wednesday, September 19, 2012 10:12 AM

Answers

  • On Wed, 19 Sep 2012 10:12:17 +0000, alandean wrote:
     
    >
    >
    >This subject is a little out of my comfort zone. Apologies for that.
    >
    >Our main server (2003 R2 Enterprise x64) runs Exchange Server 2007. We do run a second server purely for Navision 3.7 running on Server 2000.
    >
    >We get 12014 events generated, although everything appears to be working ok. This has been going on for some time - I feel it is probably time to sort it out.
    >
    >The output from 'get-exchangecertificates |fl' is as follows:
    >
    >AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
    >                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
    >                     ty.AccessControl.CryptoKeyAccessRule}
    >CertificateDomains : {'server', 'server'.'domain'}
    >HasPrivateKey      : True
    >IsSelfSigned       : True
    >Issuer             : CN='server'
    >NotAfter           : 11/03/2011 11:41:35
    >NotBefore          : 11/03/2010 11:41:35
    >PublicKeySize      : 2048
    >RootCAType         : Unknown
    >SerialNumber       : EB226DA878977597481E73A249EED86A
    >Services           : SMTP
    >Status             : Invalid
    >Subject            : CN='server'
    >Thumbprint         : 3BAEFB3868B5DC69EE11A94DAD7A557F8DD0C617
    >
    >AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
    >                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
    >                     ty.AccessControl.CryptoKeyAccessRule}
    >CertificateDomains : {mail.'domain', 'domain', autodiscover.braemac.c
    >                     o.uk}
    >HasPrivateKey      : True
    >IsSelfSigned       : True
    >Issuer             : CN=mail.'domain', O=xxxx, DC=xxxx, DC=co, DC=uk, C=UK
    >NotAfter           : 12/01/2010 11:45:16
    >NotBefore          : 12/01/2009 11:45:16
    >PublicKeySize      : 2048
    >RootCAType         : Unknown
    >SerialNumber       : ED054CFF7483EBA146F8F354C5221B1A
    >Services           : IMAP, POP, IIS, SMTP
    >Status             : Invalid
    >Subject            : CN=mail.'domain', O=xxxx, DC=xxxx, DC=co, DC=uk, C=UK
    >Thumbprint         : 1DD9346DACCAA7A0D66886193ACB05A93D77A1E0
    >
    >AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
    >                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
    >                     ty.AccessControl.CryptoKeyAccessRule}
    >CertificateDomains : {'server', 'server'.'domain'}
    >HasPrivateKey      : True
    >IsSelfSigned       : True
    >Issuer             : CN='server'
    >NotAfter           : 17/12/2009 16:00:23
    >NotBefore          : 17/12/2008 16:00:23
    >PublicKeySize      : 2048
    >RootCAType         : Unknown
    >SerialNumber       : 01107F71E00F8FB64174786382C6308D
    >Services           : SMTP
    >Status             : Invalid
    >Subject            : CN='server'
    >Thumbprint         : 94482634BB294A347D8887D9283C91BFA009BD65
    >
    >As can be seen all three certificates show as 'Invalid' and SMTP is under each certificate. Can I remove the two certificates showing only SMTP and leave the third? Will this sort out the 12014's or is there something else that needs to be done.
     
    They're all "self-signed" certs. Just create a new one
    (http://exchangepedia.com/2008/01/exchange-server-2007-renewing-the-self-signed-certificate.html)
    and then remove the expired certs from the certificate store.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Wednesday, September 19, 2012 3:11 PM
  • Hi Alan,

    All three certificates are expired.  So yes, you may delete them all and you need a new one from a trusted CA.

    Refer to:

    http://support.microsoft.com/kb/555855

    http://blogs.technet.com/b/exchange/archive/2007/02/19/3400537.aspx

    Hope it is helpful.


    Fiona Liao

    TechNet Community Support

    Thursday, September 20, 2012 10:29 AM
    Moderator
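
The sequence the two answers describe (inventory, create a replacement, re-bind services, remove the expired certificates), as an added example that is not part of either reply. It assumes the Exchange Management Shell on the Exchange 2007 server; the thumbprint is the one shown in the question for the certificate bound to IMAP, POP, IIS and SMTP, and the variable names are illustrative.

```powershell
# Added example for the Exchange Management Shell (Exchange 2007).
$now = Get-Date

# 1. Inventory every certificate Exchange reports and flag the expired ones,
#    together with the services still bound to them.
Get-ExchangeCertificate |
    Select-Object Thumbprint, Services, NotAfter, IsSelfSigned, Status,
        @{ Name = 'Expired'; Expression = { $_.NotAfter -lt $now } } |
    Format-Table -AutoSize

# 2. Renew by cloning: piping an existing certificate into New-ExchangeCertificate
#    creates a new self-signed certificate with the same subject and domains.
#    The thumbprint is copied from the question's output; substitute your own.
#    The cmdlet may ask whether to overwrite the default SMTP certificate.
$oldThumbprint = '1DD9346DACCAA7A0D66886193ACB05A93D77A1E0'
$old = Get-ExchangeCertificate -Thumbprint $oldThumbprint
$new = $old | New-ExchangeCertificate

# 3. Bind the new certificate to the services the old one carried.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services $old.Services

# 4. Verify before deleting anything: check the validity window, the service
#    bindings and the Status value reported for the new certificate.
Get-ExchangeCertificate -Thumbprint $new.Thumbprint |
    Format-List Thumbprint, Services, Status, NotBefore, NotAfter

# 5. Remove the expired certificates. -WhatIf only reports what would be
#    deleted; drop it once the list matches the inventory from step 1.
$expired = @(Get-ExchangeCertificate | Where-Object { $_.NotAfter -lt $now })
foreach ($cert in $expired) {
    Remove-ExchangeCertificate -Thumbprint $cert.Thumbprint -WhatIf
}
```

A cloned certificate is still self-signed; if the replacement is to come from a trusted CA as the second answer recommends, step 2 becomes a certificate request and import, while steps 1, 3, 4 and 5 stay the same.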

All replies

  • If no more questions on this thread, we may mark it as answered.

    Thanks.


    Fiona Liao

    TechNet Community Support

    Monday, September 24, 2012 2:24 AM
    Moderator