Event ID 12014 – Microsoft Exchange could not find a certificate « MSExchangeGuru.com

 

This article outlines the steps to renew a certificate, enable the new certificate, and remove the old one from the Exchange Management Shell.

This is the event that is logged:

Log Name         :     Application
Source           :     MSExchangeTransport
Date             :     6/22/2011 3:06:29 PM
Event ID         :     12014
Task Category    :     TransportService
Level            :     Error
Keywords         :     Classic
User             :     N/A
Computer         :     hub01.msexchangeguru.com

Description:

Microsoft Exchange could not find a certificate that contains the domain name hub01.msexchangeguru.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default HUB01 with a FQDN parameter of hub01.msexchangeguru.com. If the connector’s FQDN is not specified, the computer’s FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

 

1. Run this cmdlet in the Exchange Management Shell on the Hub server and copy the Thumbprint to Notepad:

[PS] C:\Windows\System32>Get-ExchangeCertificate | FL
AccessRules     : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule, System.Securi
ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
ssControl.CryptoKeyAccessRule}
CertificateDomains     : {hub01, hub01.msexchangeguru.com }
HasPrivateKey     : True
IsSelfSigned     : True
Issuer         : CN= hub01
NotAfter         : 8/20/2010 1:31:23 PM –> This has expired
NotBefore     : 8/20/2009 1:31:23 PM
PublicKeySize     : 2048
RootCAType     : Unknown
SerialNumber     : 2A7D56E59E654E3E48E15BDDDAE5BD43
Services         : SMTP
Status         : Invalid
Subject         : CN=nbe-vexch-hub1
Thumbprint     : A4530629717651BE6C4443FAC376F23412184CF3

 

2. Run this cmdlet:

 

Get-ExchangeCertificate -Thumbprint "A4530629717651BE6C4443FAC376F23412184CF3" | New-ExchangeCertificate

Click Yes when prompted.

 

3. Now type:

 

[PS] C:\Windows\System32>Get-ExchangeCertificate | FL

AccessRules     : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule, System.Securi
ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
ssControl.CryptoKeyAccessRule}
CertificateDomains     : {hub01, hub01.msexchangeguru.com }
HasPrivateKey     : True
IsSelfSigned     : True
Issuer         : CN= hub01
NotAfter         : 6/22/2016 3:23:25 PM
NotBefore         : 6/22/2011 3:23:25 PM
PublicKeySize     : 2048
RootCAType     : None
SerialNumber     : 54852328E21942B34F3745DA0859BB34
Services         : SMTP
Status         : Valid
Subject         : CN= hub01
Thumbprint     : 3A25CDB554EF6DDF81D32C2D54873DSF7FE54F71

AccessRules     : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule, System.Securi
ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
ssControl.CryptoKeyAccessRule}
CertificateDomains     : {hub01, hub01.msexchangeguru.com }
HasPrivateKey     : True
IsSelfSigned     : True
Issuer         : CN= hub01
NotAfter         : 8/20/2010 1:31:23 PM
NotBefore         : 8/20/2009 1:31:23 PM
PublicKeySize     : 2048
RootCAType     : Unknown
SerialNumber     : 2A7D56E59E654E3E48E15BDDDAE5BD43
Services         : SMTP
Status         : Invalid
Subject         : CN= hub01
Thumbprint     : A4530629717651BE6C4443FAC376F23412184CF3

 

4. Now type:

 

[PS] C:\Windows\System32>Enable-ExchangeCertificate -Thumbprint 3A25CDB554EF6DDF81D32C2D54873DSF7FE54F71 -Services SMTP

Remember that this thumbprint belongs to the new certificate we just created; this command enables it for SMTP.

5. Remove the old certificate:

[PS] C:\Windows\System32>Remove-ExchangeCertificate -Thumbprint A4530629717651BE6C4443FAC376F23412184CF3

Confirm with Yes when prompted.

 

If you got the error:

Remove-ExchangeCertificate : The internal transport certificate cannot be removed because that would cause the Microsoft Exchange Transport service to stop. To replace the internal transport certificate, create a new certificate. The new certificate will automatically become the internal transport certificate. You can then remove the existing certificate.
Parameter name: Thumbprint
At line:1 char:27
+ Remove-ExchangeCertificate <<<< -Thumbprint A4530629717651BE6C4443FAC376F23412184CF3

 

This happens because step 4 was not followed properly and the renewed certificate was not enabled, so Exchange is still looking at the old one.

Just follow step 4 again and then try to remove the certificate.
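
A read-only check for the condition behind Event ID 12014, added here as an example and not part of the original article: it lists SMTP-enabled certificates by expiry, flags receive connectors whose FQDN has no valid certificate, and confirms a replacement exists before step 5. The 30-day threshold, the variable names and the thumbprint placeholder are assumptions, and it uses Get-ReceiveConnector, which the article does not mention.

```powershell
# Added example (not from the original article). Read-only: it changes nothing.
# Run in the Exchange Management Shell on the Hub server.
$WarnDays = 30                                   # assumed warning threshold
$OldThumb = '<THUMBPRINT-OF-OLD-CERTIFICATE>'    # placeholder: thumbprint from step 1

$now      = Get-Date
$hostFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Certificates enabled for SMTP, with status and domains flattened to strings.
$smtpCerts = @(Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'SMTP' } |
    Select-Object Thumbprint, NotAfter,
        @{ n = 'Status';   e = { "$($_.Status)" } },
        @{ n = 'DaysLeft'; e = { [int][math]::Floor(($_.NotAfter - $now).TotalDays) } },
        @{ n = 'Domains';  e = { @($_.CertificateDomains | ForEach-Object { "$_" }) } })

# 1. Expiry report, soonest first.
$smtpCerts | Sort-Object NotAfter |
    Format-Table Thumbprint, Status, NotAfter, DaysLeft -AutoSize

# A certificate can back STARTTLS only if it is valid and not yet expired.
$usable = @($smtpCerts | Where-Object { $_.Status -eq 'Valid' -and $_.NotAfter -gt $now })

# 2. Connector coverage: the condition reported by Event ID 12014.
#    Exact-name match only; wildcard certificates are not evaluated here.
foreach ($rc in Get-ReceiveConnector -Server $env:COMPUTERNAME) {
    $fqdn = "$($rc.Fqdn)"
    if (-not $fqdn) { $fqdn = $hostFqdn }   # FQDN unset: the computer's FQDN is used
    $match = @($usable | Where-Object { $_.Domains -contains $fqdn })
    if ($match.Count -eq 0) {
        Write-Warning "$($rc.Name): no valid SMTP certificate contains $fqdn"
    } else {
        $best = $match | Sort-Object NotAfter -Descending | Select-Object -First 1
        if ($best.DaysLeft -le $WarnDays) {
            Write-Warning "$($rc.Name): certificate for $fqdn expires in $($best.DaysLeft) days"
        }
    }
}

# 3. Pre-check for step 5: another usable SMTP certificate must exist
#    before the old one is removed.
$others = @($usable | Where-Object { $_.Thumbprint -ne $OldThumb })
if ($others.Count -eq 0) {
    Write-Warning 'No other valid SMTP certificate found: repeat step 4 before removing.'
}
```

Run on a schedule, the expiry warning in part 2 surfaces a certificate that is about to lapse before the Transport service starts logging Event ID 12014.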