Exchange certificate error

  • Question

  • "Microsoft Exchange couldn't find a certificate that contains the domain name mail.gcc-usa.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default with a FQDN parameter of mail.gcc-usa.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key."

    This error message appeared in the event logs. I've seen some articles online about how to approach the issue, but I know little about Exchange and don't want to just jump in and change things randomly. Can anyone easily explain what this means and a safe way to approach it?

    Thanks!

    Thursday, March 8, 2012 3:55 PM

Answers

All replies

  • Please post the entire event log entry.  You can use the handy dandy "Copy to Clipboard" button in the event detail window for that.  Also specify the version, service pack and rollup hotfix level of your Exchange server.

    Are you trying to secure your SMTP mail?  If you don't care about that, you don't have to do anything; SMTP will send without SSL unless you're connecting to a server that requires it, and that would be unusual unless you have some kind of relationship with that organization.  Nobody requires SMTP for "regular" e-mail because what will happen is that they simply won't receive a lot of the e-mail people are trying to send them because many don't support SSL SMTP.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."


    Thursday, March 8, 2012 4:25 PM
  • Jgearhart, this means that you have this name on your Send connector and that there is no certificate on Exchange that has a name that matches "mail.gcc-usa.com".  Depending on which Exchange version you have, you can run get-exchangecertificate command in the Exchange Management Shell to see what certificates Exchange is using and what services it applies to:

    get-exchangecertificate |ft issuer,services,subject -autosize

    What you want to see is if the subject matches 'mail.gcc-usa.com'.  If there are no certificates that match that, then you either can get one or remove the name from the send connector.  If there is a certificate with that subject name it means that it is not being applied to the SMTP service.  Most places I work for use one certificate and it is used for SMTP and IIS.


    JAUCG

    • Proposed as answer by Fiona_Liao Monday, March 12, 2012 5:50 AM
    Thursday, March 8, 2012 4:27 PM
  • We definitely need more info on this, since this behaviour can occur if a Receive Connector was created with a response name that does not exist in the server certificate and TLS is enabled on the connector.
    Thursday, March 8, 2012 4:52 PM
  • The server is running Windows Server 2008 Standard. It has the File Services and Web Server roles. It's really only used for email. I just recently entered the IT field and have had little experience with Exchange and email in general.

    Is there certain information I can look up to help this case?

    Thanks for the replies!

    Friday, March 9, 2012 1:16 PM
  • jgearhart,

    The posts above were to point you in the general direction of how to solve your issue.  First, follow Ed's directions and copy the entire event log entry here. Second, follow my post where you need to open up the Exchange Management Shell and run 'get-exchangecertificate |ft issuer,services,subject -autosize'.  Post those results here as well.


    JAUCG

    Friday, March 9, 2012 2:13 PM
  • The rest of the log:

    Log name: Application

    Source: MSExchangeTransport

    Event ID: 12014

    Level: Error

    User: N/A

    Logged: 3/8/2012 9:05:55 PM

    Task Category: Transport Service

    Keywords: Classic

    Computer: Keller-email.alliance.local

    Friday, March 9, 2012 8:37 PM
  • As for the Exchange shell command here is the output:

    WARNING: 2 columns do not fit into the display and were removed.

    Issuer

    SERIALNUMBER=10688435, CN=Starfield Secure Certification Authority, OU=http:...

    CN=alliance.local

    CN=Keller-email

    CN=Keller-email

    CN=Keller-email

    Friday, March 9, 2012 8:48 PM

  • You need to widen the window for the Exchange Management Shell.  Click on the upper left hand corner and select Properties.  Go to Layout and change the size of the window.  Then re-run the command.

    JAUCG

    Friday, March 9, 2012 9:34 PM
  • Any updates on this?

    JAUCG

    Sunday, March 11, 2012 3:11 PM
  • Hi jgearhart,

    You may find the official explanation and the related articles in the following links (I assume it is Exchange 2007):

    Event: 12014

    http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Exchange&ProdVer=8.0&EvtID=12014&EvtSrc=MSExchangeTransport

    Event ID 12014 may appear in Exchange 2007 Application Event Log

    http://support.microsoft.com/kb/555855

    Event-ID 12014 "...could not find a certificate that contains the domain name ...."

    http://social.technet.microsoft.com/Forums/en-US/exchangesvrsecuremessaging/thread/20a7fde2-baf9-4a22-b297-6bde92ebbd2a


    Fiona Liao

    TechNet Community Support

    • Proposed as answer by Fiona_Liao Monday, March 12, 2012 5:51 AM
    • Marked as answer by Fiona_Liao Tuesday, March 20, 2012 7:29 AM
    Monday, March 12, 2012 5:50 AM
  • Sorry for the delay. It's been busy. I redid the commands with the cmd window maximized.

    Issuer    Services                Subject
    ------    --------                -------
              IMAP, POP, IIS, SMTP    CN=mail.gcc-usa.com, OU=Domain Control Validated
              SMTP                    CN=alliance.local
              UM, SMTP                CN=Keller-email
              SMTP                    CN=Keller-email

    Tuesday, March 13, 2012 12:38 PM
  • Let's try a different powershell command.  I cannot see how many certificates you have with the text you copied:

         get-exchangecertificate |ft serialnumber,services,certificatedomains -autosize


    JAUCG

    Tuesday, March 13, 2012 3:00 PM
  • Output of that command:

    SerialNumber    Services                CertificateDomains
    ------------    --------                ------------------
    27950......     IMAP, POP, IIS, SMTP    {mail.gcc-usa.com, www...
    0A97B......     SMTP                    {alliance.local}
    18E0C......     SMTP                    {Keller-email, Keller-....
    0C039.....      UM, SMTP                {Keller-email, Keller-...

    Note: cmd window is maximized.

    Wednesday, March 14, 2012 3:57 PM