Exch 2007 Event 12024 error - which certificate??

  • Question

  • Hi all,

    Single domain with 1 single SBS2008 server hosting Exchange 2007

    My SBS/Exchange server is logging Event 12024 warning

    Microsoft Exchange could not load the certificate with thumbprint of 95CF50927D622D57DC9867C0463D37A403E07955 from the personal store on the local computer. This certificate was configured for authentication with other Exchange servers. Mail flow to other Exchange servers could be affected by this error. If the certificate with this thumbprint still exists in the personal store, run Enable-ExchangeCertificate 95CF50927D622D57DC9867C0463D37A403E07955 -services SMTP to resolve the issue. If the certificate does not exist in the personal store, restore it from backup by using the Import-ExchangeCertificate cmdlet, or create a new certificate for the FQDN or the server enabled for SMTP by running the following command: New-ExchangeCertificate -DomainName serverfqdn -Services SMTP.

    Then 12024 error

    Microsoft Exchange could not find a certificate that contains the domain name servername.domain.local in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default SBS2008 with a FQDN parameter of servername.domain.local. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

    Output of get-exchangecertificate is

    [PS] C:\Windows\System32>get-ExchangeCertificate

    Thumbprint                                Services   Subject
    ----------                                --------   -------
    B2572B4A9F38337EDC3AD51A03EE9526F0D7E32C  ...WS      CN=mail.mydomainurl...
    869BB66FF07960D6EE97264D128A9F1F7296A71C  IP...      CN=servername.domain.local
    3C4BB921B853E7FF791900FBDE46740B86D4092F  IP...      CN=servername.domain.local
    28FD6BE168CB454612C2D12EB9DB8812A982D491  IP...      CN=servername.domain.local
    0246E4424A8308FFE1445828C767024C992B29B7  IP...      CN=servername.domain.local
    4A6B346F4EE7EA3225CA5B6A9826FD99EAA33FE2  IP...      CN=servername.domain.local
    5E6484EE8D2C17D977CE41FA7F02B566F1A275CA  .....      CN=domainname-servername-CA
    84AE8DF011FADDC09CE29F2CBF02D957C3F6C49F  .....      CN=WMSvc-WIN-Z3AAY969MFP

    The top thumbprint is my 3rd party Verisign SSL certificate that we use for our RWW/OWA etc.

    The store is missing certificates, as out-of-date certificates were deleted from the store.

    Mail still works fine, but what do I do to sort this error out, please?

    Looked at http://support.microsoft.com/kb/555855, but there are 5 thumbprints that use the FQDN, so how do I know what to choose?

    Please help me

    Thanks


    • Edited by Fulgent Tuesday, January 31, 2012 9:52 AM
    Tuesday, January 31, 2012 9:51 AM

Answers

  • Hi Fulgent,

    Run the following commands:

    New-ExchangeCertificate -domainname servername.domain.local

    Here the domain name must be the domain mentioned in the event.

    Copy the new thumbprint.

    Then run:

    Enable-ExchangeCertificate -thumbprint <paste the thumbprint> -services SMTP,IMAP,POP

    Then restart the transport service.

    IIS service should run on the 3rd party certificate for OWA, and for SMTP, POP and IMAP you may use an existing certificate which is not expired.

    All you have to do is run the second command enable-exch..... with the thumbprint and mention the services you want to enable. This should take care of the event. There is no harm in creating a new certificate.

    Cheers!

    Vinit Nair MCSE | MCITP - Exchange 2007 "Sanity and happiness are an impossible combination."
    • Proposed as answer by Vinit M Nair Thursday, February 2, 2012 11:15 AM
    • Marked as answer by Terence Yu Wednesday, February 8, 2012 7:45 AM
    Tuesday, January 31, 2012 10:20 AM
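The accepted answer's procedure (new certificate, enable it for the services, restart transport) as one Exchange Management Shell script. This is an added example, not code from the thread; it goes a step further than the answer by first checking whether one of the five existing servername.domain.local certificates is still valid and has a private key, and only creates a new one when none qualifies. The connector name default and the "longest remaining validity wins" rule are assumptions made here.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell on the
# Exchange 2007 server. Resolves Event 12024 as the answer describes, but first checks
# whether an existing certificate for the connector FQDN can be reused instead of
# creating yet another CN=servername.domain.local certificate.
param(
    [string]$ConnectorName = 'Default SBS2008',  # connector named in the event (assumed default)
    [string]$Services      = 'SMTP'              # answer uses 'SMTP,IMAP,POP'; 12024 only needs SMTP
)

# Exchange looks for the Receive connector's Fqdn; if none is set, the computer's FQDN is used.
$connector = Get-ReceiveConnector | Where-Object { $_.Name -eq $ConnectorName }
if ($connector -and $connector.Fqdn) {
    $fqdn = $connector.Fqdn.ToString()
} else {
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
}
Write-Host "Connector '$ConnectorName' expects a certificate for $fqdn"

# Candidates: certificates whose domain list covers the FQDN, that have not expired and
# that still carry a private key (STARTTLS cannot work without one). Longest validity first.
$now = Get-Date
$candidates = Get-ExchangeCertificate | Where-Object {
    (($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $fqdn) -and
    ($_.NotAfter -gt $now) -and $_.HasPrivateKey
} | Sort-Object NotAfter -Descending

if ($candidates) {
    # Several thumbprints share the same CN; list them so the choice is visible to the operator.
    $candidates | Format-Table Thumbprint, NotAfter, Services, Subject -AutoSize
    $cert = @($candidates)[0]
    Write-Host "Reusing $($cert.Thumbprint), valid until $($cert.NotAfter)"
} else {
    # Nothing usable in the store: create a new self-signed certificate for the FQDN,
    # exactly as the answer's first command does.
    $cert = New-ExchangeCertificate -DomainName $fqdn
    Write-Host "Created new certificate $($cert.Thumbprint)"
}

# Bind the chosen certificate to the services and restart transport so it is picked up.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services $Services
Restart-Service MSExchangeTransport

# Check: the Services column should now include SMTP for the chosen thumbprint.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, Services, CertificateDomains, NotAfter
```

After the restart, re-check the Application log: a further 12024 for the same FQDN means the chosen certificate's private key is not readable by the transport service, which is the case the event text itself points at.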

All replies

  • Hi Fulgent,

    Create the new certificate and enable that certificate with SMTP service.

    This will require MS Exchange transport service restart.

    Regards,

    Mukram.

    Tuesday, January 31, 2012 12:40 PM