Help! Event ID 12014 - Microsoft Exchange 2013 could not find a certificate!?!?!?

Question
Hello,
I have this error on all my Exchange 2013 SP1 mailbox servers:
"Microsoft Exchange could not find a certificate that contains the domain name "Chicago CAS FQDN" in the personal store on the local computer (looking at this error on LA MBX01). Therefore, it is unable to support the STARTTLS SMTP verb for the connector "OUTBOUNDTOIRONPORT" with a FQDN parameter of "Chicago CAS FQDN". If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key."
I have 6 Exchange 2013 SP1 servers, all with CU6 (build 995.29). I have an intersite DAG across two sites, LA and Chicago.
Sites:
LA:
LA CAS - Windows 2012
LA MBX01 - Windows 2012
LA MBX02 - Windows 2012
Chicago:
CH CAS - Windows 2012 R2
CH MBX01 - Windows 2012
CH MBX02 - Windows 2012
1 DAG:
Members - LA MBX01, LA MBX02, CH MBX01, CH MBX02.
The certificate installed on both the LA and Chicago CAS is an external certificate from DigiCert. All mail routing goes out via the IronPort located in the Chicago site. The SEND connector "OUTBOUNDTOIRONPORT" has the Chicago IronPort appliance as its smart host. All of the mailbox servers (DAG members) are added as SOURCE SERVERS in the connector. At some point, I'll be configuring a new SEND connector and enabling scoped send connectors. We also have another IronPort ready in the LA site.
So, this error is confusing to me because the external certificate from DigiCert has SMTP services tied to it, and outbound email is flowing from the MBX servers to the Chicago IronPort and out. As I understand it, mailbox servers do not require external certificates, only CAS, because all connectivity is proxied through the CAS servers.
What do I need to do to get rid of that error? Thanks!
Thursday, September 18, 2014 8:13 PM
Answers
You must have a certificate enabled for SMTP that has the FQDN that is used to connect to the server. I can't tell what you have because you didn't tell us.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
Marked as answer by Mavis_Huang Saturday, September 27, 2014 10:31 AM
Sunday, September 21, 2014 7:01 AM
Rock07,
I found a related link for your reference:
Event ID 12014 – Microsoft Exchange could not find a certificate
http://msexchangeguru.com/2011/06/22/event12014/
Disclaimer:
Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
More details:
1. Run this cmdlet in Exchange management shell and copy the THUMBPRINT to a notepad:
Get-ExchangeCertificate |FL
2. Get-ExchangeCertificate -Thumbprint "A4530629717651BE6C4443FAC376F23412184CF3" | New-ExchangeCertificate
Click Yes when prompted
3. Run Get-ExchangeCertificate |FL to get both new and old certificate Thumbprint.
4. Enable-ExchangeCertificate -Thumbprint 3A25CDB554EF6DDF81D32C2D54873DSF7FE54F71 -Services SMTP
Remember that this THUMBPRINT is the one for the new Certificate which we just created and we are enabling it for SMTP
5. To remove old certificate, run Remove-ExchangeCertificate -Thumbprint A4530629717651BE6C4443FAC376F23412184CF3
Thanks
Mavis Huang
TechNet Community Support
Marked as answer by Mavis_Huang Saturday, September 27, 2014 10:31 AM
Thursday, September 25, 2014 3:41 PM
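The five steps above as a single script, added here as an example and not part of Mavis Huang's reply or the linked article. It runs in the Exchange Management Shell on the mailbox server that logs the event, assumes the certificate to renew is the self-signed one currently enabled for SMTP, captures the new thumbprint from the returned object instead of copying it from FL output, and verifies the new binding before the old certificate is removed. Variable names are mine.

```powershell
# Added example: scripted form of the renew-self-signed-certificate procedure.
# Assumption: run in the Exchange Management Shell on the affected mailbox server.
$server = $env:COMPUTERNAME

# Step 1: find the self-signed certificate currently bound to SMTP and record its thumbprint.
$old = Get-ExchangeCertificate -Server $server |
    Where-Object { $_.IsSelfSigned -and $_.Services -match 'SMTP' } |
    Sort-Object NotAfter | Select-Object -Last 1
if (-not $old) { throw "No self-signed certificate enabled for SMTP on $server" }
"Old: $($old.Thumbprint) expires $($old.NotAfter) names: $($old.CertificateDomains -join ', ')"

# Step 2: clone it. -Force answers the 'overwrite the default SMTP certificate?'
# prompt the same way 'Yes' does in the interactive steps.
$new = $old | New-ExchangeCertificate -Force

# Step 3: the clone's thumbprint is on the returned object; no second Get-ExchangeCertificate | FL needed.
"New: $($new.Thumbprint) expires $($new.NotAfter)"

# Step 4: enable the clone for SMTP, then confirm the binding took before touching the old one.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services SMTP -Force
$check = Get-ExchangeCertificate -Thumbprint $new.Thumbprint -Server $server
if ($check.Services -notmatch 'SMTP') {
    throw "SMTP is not enabled on $($new.Thumbprint); leaving the old certificate in place"
}

# Step 5: only now remove the old certificate, and show what the transport service is left with.
Remove-ExchangeCertificate -Thumbprint $old.Thumbprint -Confirm:$false
Get-ExchangeCertificate -Server $server |
    Format-Table Thumbprint, Services, IsSelfSigned, NotAfter, CertificateDomains -AutoSize
```

The clone carries the same subject and CertificateDomains as the certificate it was made from, so this procedure addresses an expired or broken self-signed certificate; it does not add a connector FQDN that the self-signed certificate never contained. For that case the certificate enabled for SMTP has to carry the FQDN itself, as Ed Crowley's replies say.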
All replies
Hi ,
In addition to Ed's suggestion, and for your reference, please have a look at these similar threads:
http://social.technet.microsoft.com/Forums/exchange/en-US/35dd59a2-d012-4fea-b35f-cd685e0a47e1/msexchangetransport-12014-3rd-party-ssl-certificate-does-not-match-internal-domain-name?forum=exchangesvrsecuremessaginglegacy
http://social.technet.microsoft.com/forums/exchange/en-US/d456cb19-0de7-4997-869d-b55779624199/event-id-12014-unusual-config
http://social.technet.microsoft.com/Forums/en-US/bbccac7e-7f52-4495-8c10-c9049089ecbd/msexchangetransport-event-id-12014-in-exchange-server-2010
Regards
S.Nithyanandham
Sunday, September 21, 2014 9:59 AM
So, which certificate thumbprint am I enabling SMTP services on? My externally signed certificate or mailbox server's self-signed one?
I've been sidetracked with other projects and just remembered this is still an outstanding issue. It's not affecting mail flow, but the error is confusing.
Tuesday, October 14, 2014 9:25 PM
You can bind multiple certificates to SMTP. At a minimum you should bind the self-signed certificate that Exchange created (or a new one if it expired) because that's what Exchange uses for communication between servers. You should also bind one or more certificates with CNs and SANs that match the hostnames that are used to communicate via SMTP.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
Tuesday, October 14, 2014 9:57 PM
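Ed's two replies describe the check Exchange performs: for the FQDN a connector presents (or the machine FQDN when the connector has none), is there a certificate enabled for SMTP in the local store whose names cover it? The script below, added here as an example and not part of the original thread, reproduces that check on one server so you can see which connector is uncovered before changing any bindings. It runs in the Exchange Management Shell on the mailbox server named in the event, reads connector FQDNs and certificate names live rather than hard-coding the thread's servers, and handles the no-FQDN fallback and wildcard names. The function and variable names are mine.

```powershell
# Added example: reproduce the Event 12014 coverage check for this server.
# Assumption: run in the Exchange Management Shell on an Exchange 2013 mailbox server.
$server = $env:COMPUTERNAME
# Exchange falls back to the machine FQDN when a connector has no Fqdn set.
$machineFqdn = [System.Net.Dns]::GetHostEntry($server).HostName

# Only certificates enabled for SMTP on this server can be offered for STARTTLS.
$smtpCerts = @(Get-ExchangeCertificate -Server $server | Where-Object { $_.Services -match 'SMTP' })

function Test-CertCoversName {
    param([string]$Name, $Cert)
    foreach ($d in @($Cert.CertificateDomains)) {
        $d = [string]$d
        if ($d -ieq $Name) { return $true }
        # A wildcard entry covers exactly one extra label: *.contoso.com -> host.contoso.com
        if ($d.StartsWith('*.') -and ($Name -ilike $d) -and
            ($Name.Split('.').Count -eq $d.Split('.').Count)) { return $true }
    }
    return $false
}

# Connectors this server speaks for: send connectors that list it as a source
# transport server, and receive connectors homed on it.
$connectors = @()
foreach ($sc in Get-SendConnector) {
    $sources = @($sc.SourceTransportServers | ForEach-Object { $_.Name })
    if ($sources -icontains $server) {
        $connectors += [pscustomobject]@{ Type = 'Send'; Name = $sc.Name; Fqdn = [string]$sc.Fqdn }
    }
}
foreach ($rc in Get-ReceiveConnector -Server $server) {
    $connectors += [pscustomobject]@{ Type = 'Receive'; Name = $rc.Name; Fqdn = [string]$rc.Fqdn }
}

$report = foreach ($c in $connectors) {
    $name  = if ([string]::IsNullOrWhiteSpace($c.Fqdn)) { $machineFqdn } else { $c.Fqdn }
    $match = $smtpCerts | Where-Object { Test-CertCoversName -Name $name -Cert $_ } | Select-Object -First 1
    [pscustomobject]@{
        Server     = $server
        Connector  = "$($c.Type):$($c.Name)"
        Fqdn       = $name
        Covered    = [bool]$match
        Thumbprint = if ($match) { $match.Thumbprint } else { '' }
        SelfSigned = if ($match) { $match.IsSelfSigned } else { '' }
        Status     = if ($match) { $match.Status } else { '' }
        Expires    = if ($match) { $match.NotAfter } else { '' }
    }
}
$report | Format-Table -AutoSize
# Every row with Covered = False is an FQDN that Event 12014 will report on this server.
# A covered row whose Status is not Valid points at the other cause the event text names:
# a certificate that exists but that the transport service cannot use (expired, or key not accessible).
```

For the configuration described in the question (send connector FQDN set to the Chicago CAS FQDN, all four mailbox servers as source servers, the DigiCert certificate installed on the CAS servers), each mailbox server that carries only its own self-signed certificate will show Send:OUTBOUNDTOIRONPORT as not covered, because that certificate's names are the server's own. The two remedies that follow from Ed's replies are to import the DigiCert certificate with its private key on each source server and enable it for SMTP there, or to change the connector's FQDN (Set-SendConnector -Fqdn) to a name the source servers' SMTP certificates already carry. Either way, leave the self-signed certificate bound to SMTP as well, since that is what the servers use between themselves.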