certificate warning/error 12014 & 12023

  • Question

  • I'm receiving the following error on my Exchange server:

    Source: MSExchangeTransport Category:TransportService EventID: 12014

    Microsoft Exchange couldn't find a certificate that contains the domain name mail.mydomain.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Outgoing SMTP Connector with a FQDN parameter of mail.mydomain.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

    EventID: 12023

    Microsoft Exchange could not load the certificate with thumbprint of 6F198AF9E32927C2F1BBB14490719E6295F262F0 from the personal store on the local computer. This certificate was configured for authentication with other Exchange servers. Mail flow to other Exchange servers could be affected by this error. If the certificate with this thumbprint still exists in the personal store, run Enable-ExchangeCertificate 6F198AF9E32927C2F1BBB14490719E6295F262F0 -Services SMTP to resolve the issue. If the certificate does not exist in the personal store, restore it from backup by using the Import-ExchangeCertificate cmdlet, or create a new certificate for the FQDN or the server enabled for SMTP by running the following command: New-ExchangeCertificate -DomainName serverfqdn -Services SMTP. Meanwhile, the certificate with thumbprint D2344BAD8249C7156FA960065B308AA7942B3407 is being used.

    I don't even see the 6F198.... certificate in the personal store on my Exchange server. Will this warning go away when I enable my valid certificate as outlined in the support article below, or will I need to do something else to remove this warning?

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    I have followed these directions: http://support.microsoft.com/default.aspx?scid=kb;en-us;555855 but when I execute the command all I see is >> in the shell. Am I missing something, did I do something wrong? One thing I noticed is that there's a quotation mark at the beginning of the command, and I didn't know if that needed to be there since I don't see a closing quotation mark anywhere. Also, do I need to put SMTP in quotes as well, like the article shows? Do I need to restart the server, or will this change take effect without restarting? If I need to restart, can I just stop the services and restart them?

    Sunday, January 23, 2011 6:44 AM

Answers

  • [PS] C:\>Get-ExchangeCertificate

    Thumbprint                                Services   Subject
    ----------                                --------   -------
    C825AF1799092691FBBDE5D74CED00A7CE0C2DD8  IPUWS.     CN=mail.domain.com, OU=MS, O=Organization, L=location, S=State...
    0E0D0054620D996193621BA7BDDB32E82FCB60D9  IP..S.     CN=Servername

    Now if you were to look at your Receive Connectors, you will see a Default Receive Connector.  This connector should only have an FQDN of blank, server FQDN, or server shortname.  

    So for example, taking a look at the Default Receive Connector, we can take a look at the FQDN:
    [PS] C:\>get-receiveconnector -Server servername | Where-Object {$_.Identity -like "*Default*"} | FL Identity,FQDN


    Identity : servername\Default servername
    Fqdn     : servername

    The TLS selection process for Opportunistic TLS means that it tries TLS using a certificate that is enabled for the service SMTP and matches the FQDN of the Default Receive Connector.  So you'll need a certificate enabled for SMTP that matches the FQDN on that default Receive Connector.  The self-signed certificate is a SAN cert that has both the servername and servername FQDN.  If you created a new self-signed certificate, you'll want to make sure you enable it for SMTP.

    Get-ExchangeCertificate -thumbprint Thumbprint | Enable-ExchangeCertificate -services SMTP

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by Gen Lin Friday, January 28, 2011 2:36 AM
    Sunday, January 23, 2011 6:54 AM
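As an added example (not code from any post in this thread), the following Exchange Management Shell script checks the two conditions the events describe: for every connector FQDN (including the server FQDN used when a connector's FQDN is blank), whether a certificate enabled for SMTP covers that name (event 12014), and whether the thumbprint named in event 12023 is actually present in the local machine's personal store. `$Server` and `$ReportedThumbprint` are placeholders to fill in; run it on the transport server in question.

```powershell
# Added example: audit SMTP certificate bindings against connector FQDNs.
# Placeholders: the local server name and the thumbprint copied from the 12023 event.
$Server = $env:COMPUTERNAME
$ReportedThumbprint = 'THUMBPRINT_FROM_EVENT_12023'

# A certificate domain covers an FQDN if it matches exactly, or if it is a
# *.suffix wildcard and the FQDN has exactly one extra label to the left.
function Test-DomainCovers([string]$CertDomain, [string]$Fqdn) {
    if ($CertDomain.StartsWith('*.')) {
        $suffix = $CertDomain.Substring(1)               # ".domain.com"
        if ($Fqdn -notlike "*$suffix") { return $false }
        $leftLabel = $Fqdn.Substring(0, $Fqdn.Length - $suffix.Length)
        return ($leftLabel -notmatch '\.')
    }
    return ($CertDomain -ieq $Fqdn)
}

# Only certificates enabled for SMTP and not yet expired can satisfy STARTTLS.
$smtpCerts = Get-ExchangeCertificate |
    Where-Object { ($_.Services.ToString() -match 'SMTP') -and ($_.NotAfter -gt (Get-Date)) }

# Connector FQDNs; a blank FQDN falls back to the server's own FQDN (per event 12014).
$serverFqdn = (Get-ExchangeServer $Server).Fqdn
$connectorFqdns = @(Get-ReceiveConnector -Server $Server | ForEach-Object { $_.Fqdn }) +
                  @(Get-SendConnector | ForEach-Object { $_.Fqdn }) +
                  @($serverFqdn)
$connectorFqdns = $connectorFqdns | Where-Object { $_ } |
    ForEach-Object { $_.ToString() } | Sort-Object -Unique

foreach ($fqdn in $connectorFqdns) {
    $match = $smtpCerts | Where-Object {
        $cert = $_
        @($cert.CertificateDomains | ForEach-Object { $_.ToString() }) |
            Where-Object { Test-DomainCovers $_ $fqdn }
    } | Select-Object -First 1
    if ($match) { "OK       $fqdn -> $($match.Thumbprint)" }
    else        { "MISSING  $fqdn : no SMTP-enabled certificate covers this name (12014 condition)" }
}

# Event 12023: is the thumbprint Exchange expects still in LocalMachine\My?
$inStore = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $ReportedThumbprint }
if ($inStore) {
    "PRESENT  $ReportedThumbprint : run Enable-ExchangeCertificate -Thumbprint $ReportedThumbprint -Services SMTP"
} else {
    "ABSENT   $ReportedThumbprint : not in the personal store; Exchange keeps using a fallback SMTP certificate until a present one is enabled for SMTP"
}
```

A `MISSING` line for a connector FQDN is the condition that produces event 12014; the last line tells you whether re-enabling the old thumbprint is even possible or whether you need to enable (and, via the EMC prompt, overwrite the default SMTP binding with) a certificate that does exist.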

All replies

  • Any update for your issue?
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Thursday, January 27, 2011 10:21 AM
  • Hi,

    I cannot find the certificate that the system is reporting; it is not listed when running the command Get-ExchangeCertificate, and I cannot remove it because it is not found.

    Do I have to recreate it? Or ....?

    Thank you

    Friday, December 12, 2014 6:16 PM
  • This link was very helpful to me: http://www.eventid.net/display-eventid-12023-source-MSExchangeTransport-eventno-11144-phase-1.htm

    Basically, I went in EMC / Server Configuration, and reassigned same services to my new certificate. I was asked to "Overwrite existing default SMTP certificate" and answered Yes.

    Tuesday, May 12, 2015 6:12 PM