Event-ID 12014 "...could not find a certificate that contains the domain name ...."

  • Question

  • We use Exchange 2007 SP3 in our company and several times a day (every 15 to 30 minutes) the following event occurs in the Application log:

    Event Type: Error
    Event Source: MSExchangeTransport
    Event Category: TransportService
    Event ID: 12014
    Date:  04.08.2010
    Time:  10:55:54
    User:  N/A
    Computer: SERVER
    Description:
    Microsoft Exchange could not find a certificate that contains the domain name mail.cnd-net.at in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Internet with a FQDN parameter of mail.cnd-net.at. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

     

    When I run "enable-exchangecertificate -thumbprint xxxxxxxxx -services SMTP" I get this:

    [PS] C:\Documents and Settings\administrator>enable-exchangecertificate -thumbprint D0665AE869AD31392A34C574359FA60498DAFB63 -services SMTP
    WARNING: This certificate will not be used for external TLS connections with an  FQDN of 'mail.cnd-net.at' because the CA-signed certificate with thumbprint'025F606BA4D10858DF72FDC94CE6F1AD4812C033' takes precedence. The following connectors match that FQDN: Client SERVER.
    Confirm
    Overwrite existing default SMTP certificate,
    '38AF6CB62F2B6C955C4B5ACDEBA1BAD45DA49112' (expires 30.07.2015 10:43:17), with
    certificate 'D0665AE869AD31392A34C574359FA60498DAFB63' (expires 14.06.2010
    16:15:11)?
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
    (default is "Y"):s

    [PS] C:\Documents and Settings\administrator>enable-exchangecertificate -thumbpr
    int 025F606BA4D10858DF72FDC94CE6F1AD4812C033 -services SMTP

    Confirm
    Overwrite existing default SMTP certificate,
    '38AF6CB62F2B6C955C4B5ACDEBA1BAD45DA49112' (expires 30.07.2015 10:43:17), with
    certificate '025F606BA4D10858DF72FDC94CE6F1AD4812C033' (expires 13.12.2010
    22:20:51)?
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help

    The certificate expires in 2015????? So: Why does the event occur??

     

    Here's the result of "Get-ExchangeCertificate | FL *"
    (in this list I shortened the contents of the fields "RawData" and "CertificateRequest"):

    AccessRules          : {System.Security.AccessControl.CryptoKeyAccessRule, Syst
                           em.Security.AccessControl.CryptoKeyAccessRule, System.Se
                           curity.AccessControl.CryptoKeyAccessRule}
    CertificateDomains   : {server, server.cnd-net.local}
    CertificateRequest   :
    IisServices          : {}
    IsSelfSigned         : True
    KeyIdentifier        : E028704057B80F9A142C35638F2261B2CB96F1D8
    RootCAType           : None
    Services             : IMAP, POP, SMTP
    Status               : Valid
    PrivateKeyExportable : False
    Archived             : False
    Extensions           : {System.Security.Cryptography.Oid, System.Security.Crypt
                           ography.Oid, System.Security.Cryptography.Oid, System.Se
                           curity.Cryptography.Oid}
    FriendlyName         : Microsoft Exchange
    IssuerName           : System.Security.Cryptography.X509Certificates.X500Distin
                           guishedName
    NotAfter             : 30.07.2015 10:43:17
    NotBefore            : 30.07.2010 10:43:17
    HasPrivateKey        : True
    PrivateKey           : System.Security.Cryptography.RSACryptoServiceProvider
    PublicKey            : System.Security.Cryptography.X509Certificates.PublicKey
    RawData              : {48, 130, ...}
    SerialNumber         : 703C0FA6D9074B8B457D5F1B3C2BC098
    SubjectName          : System.Security.Cryptography.X509Certificates.X500Distin
                           guishedName
    SignatureAlgorithm   : System.Security.Cryptography.Oid
    Thumbprint           : 38AF6CB62F2B6C955C4B5ACDEBA1BAD45DA49112
    Version              : 3
    Handle               : 466708912
    Issuer               : CN=server
    Subject              : CN=server

    AccessRules          : {System.Security.AccessControl.CryptoKeyAccessRule, Syst
                           em.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains   : {server.cnd-net.local}
    CertificateRequest   :
    IisServices          : {}
    IsSelfSigned         : False
    KeyIdentifier        : 00A08F384B2BD17ADD1287CE1D27640C823C3FE7
    RootCAType           : Enterprise
    Services             : None
    Status               : Valid
    PrivateKeyExportable : False
    Archived             : False
    Extensions           : {System.Security.Cryptography.Oid, System.Security.Crypt
                           ography.Oid, System.Security.Cryptography.Oid, System.Se
                           curity.Cryptography.Oid, System.Security.Cryptography.Oi
                           d, System.Security.Cryptography.Oid, System.Security.Cry
                           ptography.Oid, System.Security.Cryptography.Oid, System.
                           Security.Cryptography.Oid}
    FriendlyName         : server.cnd-net.local
    IssuerName           : System.Security.Cryptography.X509Certificates.X500Distin
                           guishedName
    NotAfter             : 22.03.2011 12:33:26
    NotBefore            : 22.03.2010 12:33:26
    HasPrivateKey        : True
    PrivateKey           : System.Security.Cryptography.RSACryptoServiceProvider
    PublicKey            : System.Security.Cryptography.X509Certificates.PublicKey
    RawData              : {48, 130, ...}
    SerialNumber         : 11BDBDAE00000000001D
    SubjectName          : System.Security.Cryptography.X509Certificates.X500Distin
                           guishedName
    SignatureAlgorithm   : System.Security.Cryptography.Oid
    Thumbprint           : 261B9CC483E97A81221390B31E8C28E8B24E8619
    Version              : 3
    Handle               : 466579104
    Issuer               : CN=cnd-net Ing. Andreas Weiler, DC=cnd-net, DC=local
    Subject              : CN=server.cnd-net.local

    AccessRules          : {System.Security.AccessControl.CryptoKeyAccessRule, Syst
                           em.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains   : {mail.cnd-net.at, server, server.cnd-net.local, autodisc
                           over.cnd-net.at, autodiscover.cnd-net.local, autodiscove
                           r.server.cnd-net.local, mail.cnd.at, mail.cnd-net.eu, ma
                           il.computernotdienst.at, cnd-net.at, autodiscover.cnd-ne
                           t.eu, autodiscover.cndserver.at, autodiscover.cnd.at, au
                           todiscover.computernotdienst.at, autodiscover.weiler-bad
                           en.at, autodiscover.it-service-net.at...}
    CertificateRequest   :
    IisServices          : {IIS://server/W3SVC/1}
    IsSelfSigned         : False
    KeyIdentifier        : C39FAF13D650709B08DB9D920E62029259277737
    RootCAType           : Enterprise
    Services             : IMAP, POP, IIS
    Status               : Valid
    PrivateKeyExportable : True
    Archived             : False
    Extensions           : {System.Security.Cryptography.Oid, System.Security.Crypt
                           ography.Oid, System.Security.Cryptography.Oid, System.Se
                           curity.Cryptography.Oid, System.Security.Cryptography.Oi
                           d, System.Security.Cryptography.Oid, System.Security.Cry
                           ptography.Oid, System.Security.Cryptography.Oid}
    FriendlyName         : cnd-net Exchange
    IssuerName           : System.Security.Cryptography.X509Certificates.X500Distin
                           guishedName
    NotAfter             : 13.12.2010 22:20:51
    NotBefore            : 13.12.2008 22:20:51
    HasPrivateKey        : True
    PrivateKey           : System.Security.Cryptography.RSACryptoServiceProvider
    PublicKey            : System.Security.Cryptography.X509Certificates.PublicKey
    RawData              : {48, 130, ...}
    SerialNumber         : 123DAA24000000000013
    SubjectName          : System.Security.Cryptography.X509Certificates.X500Distin
                           guishedName
    SignatureAlgorithm   : System.Security.Cryptography.Oid
    Thumbprint           : 025F606BA4D10858DF72FDC94CE6F1AD4812C033
    Version              : 3
    Handle               : 466072512
    Issuer               : CN=cnd-net Ing. Andreas Weiler, DC=cnd-net, DC=local
    Subject              : CN=mail.cnd-net.at, O=cnd-net.at, L=Baden, C=AT

    AccessRules          : {System.Security.AccessControl.CryptoKeyAccessRule, Syst
                           em.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains   : {cnd-net.at}
    CertificateRequest   : MIIFMT..............sUpSFjb575kOygJgGWk8fp+vaQX6kPm9OQ==G
    IisServices          : {}
    IsSelfSigned         : True
    KeyIdentifier        : F45034F98A9D1374BA7962A767E05ADB3AA91A02
    RootCAType           : Unknown
    Services             : None
    Status               : Invalid
    PrivateKeyExportable : False
    Archived             : False
    Extensions           : {}
    FriendlyName         : Microsoft Exchange
    IssuerName           : System.Security.Cryptography.X509Certificates.X500Distin
                           guishedName
    NotAfter             : 27.07.2009 03:10:23
    NotBefore            : 26.07.2008 21:10:23
    HasPrivateKey        : True
    PrivateKey           : System.Security.Cryptography.RSACryptoServiceProvider
    PublicKey            : System.Security.Cryptography.X509Certificates.PublicKey
    RawData              : {48, 130, ...}
    SerialNumber         : BF75DB485415F7904C5F699EE692B418
    SubjectName          : System.Security.Cryptography.X509Certificates.X500Distin
                           guishedName
    SignatureAlgorithm   : System.Security.Cryptography.Oid
    Thumbprint           : F78921C35CF0E8A2E5C744A06859DFA8096E4615
    Version              : 3
    Handle               : 1795984
    Issuer               : CN=cnd-net.at, O=cnd-net, DC=cnd-net Ing. Andreas Weiler
                           , C=NL
    Subject              : CN=cnd-net.at, O=cnd-net, DC=cnd-net Ing. Andreas Weiler
                           , C=NL

    AccessRules          : {System.Security.AccessControl.CryptoKeyAccessRule, Syst
                           em.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains   : {cnd-net.at}
    CertificateRequest   : MIIE7DCCA9QCAQAwYTEL.......GPRCJfmzg==kaXNjb3Zlci52
    IisServices          : {}
    IsSelfSigned         : True
    KeyIdentifier        : 470EEE8D210708F4FF018B5210C8A2EE1E53FD92
    RootCAType           : Unknown
    Services             : None
    Status               : Invalid
    PrivateKeyExportable : False
    Archived             : False
    Extensions           : {}
    FriendlyName         : Microsoft Exchange
    IssuerName           : System.Security.Cryptography.X509Certificates.X500Distin
                           guishedName
    NotAfter             : 27.07.2009 02:36:11
    NotBefore            : 26.07.2008 20:36:11
    HasPrivateKey        : True
    PrivateKey           : System.Security.Cryptography.RSACryptoServiceProvider
    PublicKey            : System.Security.Cryptography.X509Certificates.PublicKey
    RawData              : {48, 130, ...}
    SerialNumber         : ECBC48359B171E964FEFB15668779BAD
    SubjectName          : System.Security.Cryptography.X509Certificates.X500Distin
                           guishedName
    SignatureAlgorithm   : System.Security.Cryptography.Oid
    Thumbprint           : E0D0EBF324E6C8BAFC735EC701E76B83D17729F3
    Version              : 3
    Handle               : 1795840
    Issuer               : CN=cnd-net.at, O=cnd-net, DC=cnd-net Ing. Andreas Weiler
                           , C=NL
    Subject              : CN=cnd-net.at, O=cnd-net, DC=cnd-net Ing. Andreas Weiler
                           , C=NL

    AccessRules          : {System.Security.AccessControl.CryptoKeyAccessRule, Syst
                           em.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains   : {mail.cnd-net.at}
    CertificateRequest   :
    IisServices          : {}
    IsSelfSigned         : False
    KeyIdentifier        : FFFD303D247BCF437DA934DB22287D34FF04E92C
    RootCAType           : Enterprise
    Services             : None
    Status               : DateInvalid
    PrivateKeyExportable : False
    Archived             : False
    Extensions           : {System.Security.Cryptography.Oid, System.Security.Crypt
                           ography.Oid, System.Security.Cryptography.Oid, System.Se
                           curity.Cryptography.Oid, System.Security.Cryptography.Oi
                           d, System.Security.Cryptography.Oid, System.Security.Cry
                           ptography.Oid, System.Security.Cryptography.Oid}
    FriendlyName         : OWA
    IssuerName           : System.Security.Cryptography.X509Certificates.X500Distin
                           guishedName
    NotAfter             : 14.06.2010 16:15:11
    NotBefore            : 14.06.2008 16:15:11
    HasPrivateKey        : True
    PrivateKey           : System.Security.Cryptography.RSACryptoServiceProvider
    PublicKey            : System.Security.Cryptography.X509Certificates.PublicKey
    RawData              : {48, 130, ...}
    SerialNumber         : 61332EB8000000000006
    SubjectName          : System.Security.Cryptography.X509Certificates.X500Distin
                           guishedName
    SignatureAlgorithm   : System.Security.Cryptography.Oid
    Thumbprint           : D0665AE869AD31392A34C574359FA60498DAFB63
    Version              : 3
    Handle               : 466709056
    Issuer               : CN=cnd-net Ing. Andreas Weiler, DC=cnd-net, DC=local
    Subject              : CN=mail.cnd-net.at, OU=Service, O=cnd-net Ing. Weiler, L
                           =Baden, S=Austria, C=AT

    AccessRules          : {System.Security.AccessControl.CryptoKeyAccessRule, Syst
                           em.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains   : {}
    CertificateRequest   :
    IisServices          : {}
    IsSelfSigned         : True
    KeyIdentifier        : 3BCBC64319927C62440155DB42171315A5B485A8
    RootCAType           : Enterprise
    Services             : None
    Status               : Valid
    PrivateKeyExportable : True
    Archived             : False
    Extensions           : {System.Security.Cryptography.Oid, System.Security.Crypt
                           ography.Oid, System.Security.Cryptography.Oid, System.Se
                           curity.Cryptography.Oid, System.Security.Cryptography.Oi
                           d, System.Security.Cryptography.Oid}
    FriendlyName         :
    IssuerName           : System.Security.Cryptography.X509Certificates.X500Distin
                           guishedName
    NotAfter             : 14.06.2013 00:14:14
    NotBefore            : 14.06.2008 00:08:15
    HasPrivateKey        : True
    PrivateKey           : System.Security.Cryptography.RSACryptoServiceProvider
    PublicKey            : System.Security.Cryptography.X509Certificates.PublicKey
    RawData              : {48, 130, ...}
    SerialNumber         : 3A52571BBFFE1FAA4C64CDE92267D043
    SubjectName          : System.Security.Cryptography.X509Certificates.X500Distin
                           guishedName
    SignatureAlgorithm   : System.Security.Cryptography.Oid
    Thumbprint           : 2B7B86DD0660DFE5595A04E14B7066E87B5D39CF
    Version              : 3
    Handle               : 466553248
    Issuer               : CN=cnd-net Ing. Andreas Weiler, DC=cnd-net, DC=local
    Subject              : CN=cnd-net Ing. Andreas Weiler, DC=cnd-net, DC=local

    AccessRules          : {System.Security.AccessControl.CryptoKeyAccessRule, Syst
                           em.Security.AccessControl.CryptoKeyAccessRule, System.Se
                           curity.AccessControl.CryptoKeyAccessRule}
    CertificateDomains   : {server, server.cnd-net.local}
    CertificateRequest   :
    IisServices          : {}
    IsSelfSigned         : True
    KeyIdentifier        : 93D48322E231C5EE8865AEBB361780A05AB804C4
    RootCAType           : Unknown
    Services             : IMAP, POP, SMTP
    Status               : Invalid
    PrivateKeyExportable : False
    Archived             : False
    Extensions           : {System.Security.Cryptography.Oid, System.Security.Crypt
                           ography.Oid, System.Security.Cryptography.Oid, System.Se
                           curity.Cryptography.Oid}
    FriendlyName         : Microsoft Exchange
    IssuerName           : System.Security.Cryptography.X509Certificates.X500Distin
                           guishedName
    NotAfter             : 30.03.2009 22:25:50
    NotBefore            : 30.03.2008 22:25:50
    HasPrivateKey        : True
    PrivateKey           : System.Security.Cryptography.RSACryptoServiceProvider
    PublicKey            : System.Security.Cryptography.X509Certificates.PublicKey
    RawData              : {48, 130, ...}
    SerialNumber         : 6A5B5F8834C134BF4E8D903B28C04D8E
    SubjectName          : System.Security.Cryptography.X509Certificates.X500Distin
                           guishedName
    SignatureAlgorithm   : System.Security.Cryptography.Oid
    Thumbprint           : 61003CBC6BC1E53EE5005ACA524EE54C02362441
    Version              : 3
    Handle               : 466553104
    Issuer               : CN=server
    Subject              : CN=server

    I'm not an Exchange expert and don't know what to do now. Please give me instructions for beginners.
    Thanks in advance.
    Andreas

    Wednesday, August 4, 2010 11:28 AM

Answers

  • Hi,

     

    This error is caused by your certificate for the SMTP service, which does not contain your external domain name mail.cnd-net.at.

    AccessRules          : {System.Security.AccessControl.CryptoKeyAccessRule, Syst
                           em.Security.AccessControl.CryptoKeyAccessRule, System.Se
                           curity.AccessControl.CryptoKeyAccessRule}
    CertificateDomains   : {server, server.cnd-net.local}

    CertificateRequest   :
    IisServices          : {}
    IsSelfSigned         : True
    KeyIdentifier        : E028704057B80F9A142C35638F2261B2CB96F1D8
    RootCAType           : None
    Services             : IMAP, POP, SMTP
    Status               : Valid
    PrivateKeyExportable : False
    Archived             : False

     

     

    To resolve this problem, please follow these steps to generate a new certificate:

    Open EMS, type:

    New-ExchangeCertificate -DomainName server, server.cnd-net.local, mail.cnd-net.at

    You will get a prompt to overwrite the default SMTP certificate. Type A to overwrite it.


    • Marked as answer by Gen Lin Thursday, August 12, 2010 9:13 AM
    Thursday, August 5, 2010 9:58 AM
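
The diagnosis in the answer above can be checked per certificate. The following is an added example, not part of the original thread and not Exchange's own selection code: `Test-StartTlsCandidate` and `New-SampleCert` are hypothetical helpers, the three conditions are a simplification of what the event text asks you to verify, and the sample rows are a subset transcribed from the Get-ExchangeCertificate output in the question.

```powershell
# Added example: show why no certificate qualifies for STARTTLS on a connector FQDN.
# Simplified check (assumption): the FQDN must be in CertificateDomains, SMTP must be
# enabled on the certificate, and Status must be Valid. Wildcard names are not handled.
function Test-StartTlsCandidate {
    param(
        [Parameter(Mandatory = $true)] [string]   $Fqdn,
        [Parameter(Mandatory = $true)] [object[]] $Certificate
    )
    foreach ($c in $Certificate) {
        # Live objects expose domains, services and status as typed values;
        # string conversion makes the same test work for live and sample data.
        $domains = @($c.CertificateDomains | ForEach-Object { "$_" })
        $reasons = @()
        if ($domains -notcontains $Fqdn)       { $reasons += 'FQDN not in CertificateDomains' }
        if ("$($c.Services)" -notmatch 'SMTP') { $reasons += 'SMTP not enabled' }
        if ("$($c.Status)" -ne 'Valid')        { $reasons += "Status is $($c.Status)" }
        New-Object PSObject -Property @{
            Thumbprint = $c.Thumbprint
            Usable     = ($reasons.Count -eq 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}

# Hypothetical helper that builds a sample row with the property names
# Get-ExchangeCertificate uses.
function New-SampleCert($Thumbprint, $Domains, $Services, $Status) {
    New-Object PSObject -Property @{
        Thumbprint         = $Thumbprint
        CertificateDomains = $Domains
        Services           = $Services
        Status             = $Status
    }
}

# Subset of the certificates listed in the question (domain lists abbreviated).
$sample = @(
    (New-SampleCert '38AF6CB62F2B6C955C4B5ACDEBA1BAD45DA49112' @('server', 'server.cnd-net.local') 'IMAP, POP, SMTP' 'Valid'),
    (New-SampleCert '261B9CC483E97A81221390B31E8C28E8B24E8619' @('server.cnd-net.local') 'None' 'Valid'),
    (New-SampleCert '025F606BA4D10858DF72FDC94CE6F1AD4812C033' @('mail.cnd-net.at', 'server', 'server.cnd-net.local') 'IMAP, POP, IIS' 'Valid'),
    (New-SampleCert 'D0665AE869AD31392A34C574359FA60498DAFB63' @('mail.cnd-net.at') 'None' 'DateInvalid'),
    (New-SampleCert '61003CBC6BC1E53EE5005ACA524EE54C02362441' @('server', 'server.cnd-net.local') 'IMAP, POP, SMTP' 'Invalid')
)

$fqdn   = 'mail.cnd-net.at'
$result = Test-StartTlsCandidate -Fqdn $fqdn -Certificate $sample
$result | Select-Object Thumbprint, Usable, Reasons | Format-Table -AutoSize

if (-not ($result | Where-Object { $_.Usable })) {
    Write-Warning "No certificate satisfies all three conditions for $fqdn, which matches Event 12014."
}

# On the Exchange server, feed live data instead of the sample
# (connector identity is a placeholder):
#   $fqdn = "$((Get-ReceiveConnector '<connector identity>').Fqdn)"
#   Test-StartTlsCandidate -Fqdn $fqdn -Certificate (Get-ExchangeCertificate)
```

Each row's Reasons column names the condition that rules the certificate out, so it is clear whether the fix is enabling SMTP on an existing certificate or issuing one that includes the connector FQDN.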

All replies

  • Hi

    Start MMC console, add certificates (computer) and check in personal if you maybe have multiple certificates with that name


    Jonas Andersson MCTS: Microsoft Exchange Server 2007/2010 | MCITP: EMA 2007/2010 | MCSE/MCSA Blog: http://www.testlabs.se/blog
    • Proposed as answer by DIgSILENT Monday, August 26, 2013 9:33 AM
    Wednesday, August 4, 2010 12:57 PM
  • This name could be solved, like Gen Lin said, by creating a self-signed certificate including that name, or by just using openssl to generate a certificate that matches that name, then importing it and enabling it for SMTP.

     


    Jonas Andersson MCTS: Microsoft Exchange Server 2007/2010 | MCITP: EMA 2007/2010 | MCSE/MCSA Blog: http://www.testlabs.se/blog
    Thursday, August 5, 2010 1:35 PM
  • Hello,

    Check the Event Viewer for Event ID 12014, go through those events and, according to them, create a self-signed certificate for the SMTP service.

    For example, run this command:

    New-ExchangeCertificate -DomainName mail.cnd-net.at -Services SMTP

    After creating the self-signed certificate for the SMTP service, restart the Transport service.

    It will help you.

     


    EXCHANGE2010, MCSE, MCTS, MCSA MESSAGING, CCNA & GNIIT
    Friday, August 6, 2010 10:33 PM
  • Hi,

    Excellent article, works perfect

    • Proposed as answer by desharma Wednesday, October 19, 2011 11:02 AM
    Wednesday, October 19, 2011 11:02 AM
  • Hi,

    Excellent article, works perfect

    There were several options to solve this problem....

    What did you DO that fixed your problem? Please do share as saying works perfect tells no one what you did to fix your specific issue and helps no one else.


    Thanks, Charlie

    Monday, March 11, 2013 4:04 PM
  • Can we add another SMTP certificate without affecting the existing SMTP certificate?

    I tried to create a new certificate but it asked us to overwrite the existing certificate.

    Saturday, July 13, 2013 1:11 AM
  • To resolve this problem, please follow these steps to generate a new certificate:

     

    Open EMS, type:

    New-exchangecertificate -domainName server, server.cnd-net.local, mail.cnd-net.at


    Hi Gen,

    I also have a similar issue where the error is listing the internal address whereas the cert is covering the external. I'm a bit concerned about creating a new cert as the existing one is not self-generated. Is there a way to just add the internal coverage to an existing cert?

    Thursday, December 1, 2016 1:01 PM
  • I have the same question. Our internal exchange server has an external facing certificate.

    I found this simple fix and when prompted to overwrite my external cert, I selected cancel and now the SMTP service was added to the internal certificate and also still exists for the external. Not sure what effect it would have if I overwrite the external.

    https://technet.microsoft.com/en-CA/library/dd351257(v=exchg.141).aspx

    I restarted the server and no errors and improved performance accessing exchange.

    • Proposed as answer by Michael Rak Tuesday, January 10, 2017 10:40 PM
    • Unproposed as answer by Michael Rak Tuesday, January 10, 2017 10:40 PM
    • Edited by Michael Rak Wednesday, January 11, 2017 3:37 AM
    • Proposed as answer by Michael Rak Wednesday, January 11, 2017 3:37 AM
    Tuesday, January 10, 2017 10:18 PM
  • I have the same question. Our internal exchange server has an external facing certificate.

    I found this simple fix and when prompted to overwrite my external cert, I selected cancel and now the SMTP service was added to the internal certificate and also still exists for the external. Not sure what effect it would have if I overwrite the external.

    https://technet.microsoft.com/en-CA/library/dd351257(v=exchg.141).aspx

    I restarted the server and no errors and improved performance accessing exchange.

    Wowzer, great post, appreciated so much!  
    Friday, February 17, 2017 7:53 AM