Thursday, 5 November 2015

Exchange 2013, 2016: Event 12014 - Exchange could not find a certificate that matches the domain name

This error is quite common and is generally ignored by administrators because it doesn't usually cause any problems, but we'll look at how to fix it in this post. The full error is below:

Microsoft Exchange could not find a certificate that contains the domain name litex01.litwareinc.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Intra-Organization SMTP Send Connector with a FQDN parameter of litex01.litwareinc.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.


Event ID 12014 Explanation

When Exchange needs to send an email using TLS, such as internal emails between Exchange servers, it requires a certificate that is enabled for the SMTP service and has a name that matches the FQDN configured on the send connectors and receive connectors.

The problem here is that Exchange cannot find a certificate which has the required name. In the example above, the server FQDN is litex01.litwareinc.com, and we can confirm that no certificate carries this name by running the command below:

Get-ExchangeCertificate | fl Thumbprint,CertificateDomains,IsSelfSigned,Services

How to fix Event ID 12014

When Exchange is first installed, this error is not logged, because Exchange setup installs a self-signed certificate containing the hostname and FQDN of the server, i.e. litex01 and litex01.litwareinc.com in our case. The event starts appearing once that certificate is removed or replaced by one that does not carry the server's FQDN.

To recreate the self-signed certificate and assign it to the SMTP service, run the command below:

New-ExchangeCertificate -Force

We can now confirm that the certificate has the correct names and is assigned to the SMTP service:

Get-ExchangeCertificate | fl Thumbprint,CertificateDomains,IsSelfSigned,Services

This should now stop event ID 12014 from being logged.
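As an added check that is not part of the original post, the following script run from the Exchange Management Shell walks every send and receive connector, works out the FQDN it will present for STARTTLS (falling back to the computer FQDN when the connector has none set, as the event text describes), and reports whether any SMTP-enabled certificate covers that name, so you can confirm the fix or spot which connector is still mismatched. The function name Test-CertNameMatch and the output format are my own; the cmdlets and properties are standard Exchange ones.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell
# on the server logging event 12014.

function Test-CertNameMatch {
    # Returns $true when a certificate name covers the FQDN, either exactly or
    # via a single-label wildcard such as *.litwareinc.com.
    param([string]$CertName, [string]$Fqdn)
    if ($CertName -ieq $Fqdn) { return $true }
    if ($CertName.StartsWith('*.')) {
        $suffix = $CertName.Substring(1)            # ".litwareinc.com"
        if ($Fqdn.Length -le $suffix.Length) { return $false }
        if (-not $Fqdn.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) { return $false }
        $leftLabel = $Fqdn.Substring(0, $Fqdn.Length - $suffix.Length)
        return ($leftLabel -notmatch '\.')          # wildcard covers exactly one label
    }
    return $false
}

# When a connector has no Fqdn, Exchange uses the computer's FQDN (see the event text).
$computerFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

$connectors = @()
$connectors += Get-SendConnector | ForEach-Object {
    [pscustomobject]@{ Type = 'Send'; Name = $_.Name; Fqdn = [string]$_.Fqdn } }
$connectors += Get-ReceiveConnector -Server $env:COMPUTERNAME | ForEach-Object {
    [pscustomobject]@{ Type = 'Receive'; Name = $_.Name; Fqdn = [string]$_.Fqdn } }

# Only certificates enabled for the SMTP service can satisfy the Transport service.
$smtpCerts = Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' }

foreach ($c in $connectors) {
    $fqdn = if ([string]::IsNullOrEmpty($c.Fqdn)) { $computerFqdn } else { $c.Fqdn }
    $match = $smtpCerts | Where-Object {
        $names = $_.CertificateDomains | ForEach-Object { $_.ToString() }
        @($names | Where-Object { Test-CertNameMatch $_ $fqdn }).Count -gt 0
    } | Select-Object -First 1
    if ($match) {
        "OK      {0} connector '{1}' ({2}) -> thumbprint {3}" -f $c.Type, $c.Name, $fqdn, $match.Thumbprint
    } else {
        "MISSING {0} connector '{1}' ({2}): no SMTP-enabled certificate covers this name" -f $c.Type, $c.Name, $fqdn
    }
}
```

Any line reported as MISSING is a connector for which event 12014 will keep being logged until a certificate carrying that name is enabled for SMTP. The check only confirms name coverage; inspect the NotAfter value of the reported thumbprint separately if you also want to catch an expired certificate.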
