MSExchangeGuru.com


Event ID 12014 – Microsoft Exchange could not find a certificate

This article outlines the steps to renew and enable a new certificate and remove the old one from the Exchange Management Shell.

This is the event that is logged:

Log Name    :     Application

Source        :     MSExchangeTransport

Date        :     6/22/2011 3:06:29 PM

Event ID        :     12014

Task Category    :     TransportService

Level        :     Error

Keywords    :     Classic

User        :     N/A

Computer    :     hub01.msexchangeguru.com

Description:

Microsoft Exchange could not find a certificate that contains the domain name hub01.msexchangeguru.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default HUB01 with a FQDN parameter of hub01.msexchangeguru.com. If the connector’s FQDN is not specified, the computer’s FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

1. Run this cmdlet in the Exchange Management Shell on the Hub Transport server and copy the Thumbprint to Notepad

[PS] C:\Windows\System32>Get-ExchangeCertificate |FL
AccessRules     : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule, System.Securi
ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
ssControl.CryptoKeyAccessRule}
CertificateDomains     : {hub01, hub01.msexchangeguru.com }
HasPrivateKey     : True
IsSelfSigned     : True
Issuer         : CN= hub01
NotAfter         : 8/20/2010 1:31:23 PM –> This has expired
NotBefore     : 8/20/2009 1:31:23 PM
PublicKeySize     : 2048
RootCAType     : Unknown
SerialNumber     : 2A7D56E59E654E3E48E15BDDDAE5BD43
Services         : SMTP
Status         : Invalid
Subject         : CN=nbe-vexch-hub1
Thumbprint     : A4530629717651BE6C4443FAC376F23412184CF3

2. Run this cmdlet:

Get-ExchangeCertificate -Thumbprint "A4530629717651BE6C4443FAC376F23412184CF3" | New-ExchangeCertificate

Click Yes when prompted

3. Now type:

[PS] C:\Windows\System32>Get-ExchangeCertificate |FL

AccessRules     : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule, System.Securi
ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
ssControl.CryptoKeyAccessRule}
CertificateDomains     : {hub01, hub01.msexchangeguru.com }
HasPrivateKey     : True
IsSelfSigned     : True
Issuer         : CN= hub01
NotAfter         : 6/22/2016 3:23:25 PM
NotBefore         : 6/22/2011 3:23:25 PM
PublicKeySize     : 2048
RootCAType     : None
SerialNumber     : 54852328E21942B34F3745DA0859BB34
Services         : SMTP
Status         : Valid
Subject         : CN= hub01
Thumbprint     : 3A25CDB554EF6DDF81D32C2D54873DSF7FE54F71

AccessRules     : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule, System.Securi
ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
ssControl.CryptoKeyAccessRule}
CertificateDomains     : {hub01, hub01.msexchangeguru.com }
HasPrivateKey     : True
IsSelfSigned     : True
Issuer         : CN= hub01
NotAfter         : 8/20/2010 1:31:23 PM
NotBefore         : 8/20/2009 1:31:23 PM
PublicKeySize     : 2048
RootCAType     : Unknown
SerialNumber     : 2A7D56E59E654E3E48E15BDDDAE5BD43
Services         : SMTP
Status         : Invalid
Subject         : CN= hub01
Thumbprint     : A4530629717651BE6C4443FAC376F23412184CF3

4. Now type:

[PS] C:\Windows\System32>Enable-ExchangeCertificate -Thumbprint 3A25CDB554EF6DDF81D32C2D54873DSF7FE54F71 -Services SMTP

Remember that this Thumbprint belongs to the new certificate we just created; this command enables it for SMTP.

5. Remove the old certificate

[PS] C:\Windows\System32>Remove-ExchangeCertificate -Thumbprint A4530629717651BE6C4443FAC376F23412184CF3

Just confirm Yes when prompted.

If you get this error:

Remove-ExchangeCertificate : The internal transport certificate cannot be removed because that would cause the Microsoft Exchange Transport service to stop. To replace the internal transport certificate, create a new certificate. The new certificate will automatically become the internal transport certificate. You can then remove the existing certificate.

Parameter name: Thumbprint

At line:1 char:27

+ Remove-ExchangeCertificate <<<< -Thumbprint A4530629717651BE6C4443FAC376F23412184CF3

This happens when step 4 was not completed and the renewed certificate has not been enabled, so Exchange is still using the old one.

Just follow step 4 again and try to remove the certificate.
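
The check behind event 12014, as an added example that is not part of the original article: for each receive connector it looks for a certificate that is Valid, unexpired, holds a private key, is enabled for SMTP and lists the connector FQDN in CertificateDomains. The function name Test-ConnectorCertificate, the WarnDays window and the sample objects are constructed for illustration; property names follow the Get-ExchangeCertificate output shown above, and wildcard domains are not handled.

```powershell
# Added example, not from the original article. For each receive connector, report whether
# a certificate usable for STARTTLS exists (the condition event 12014 complains about).
function Test-ConnectorCertificate {
    param(
        [Parameter(Mandatory=$true)] $Connectors,    # objects with Name and Fqdn
        [Parameter(Mandatory=$true)] $Certificates,  # objects shaped like Get-ExchangeCertificate output
        [string]   $ComputerFqdn,                    # used when a connector has no Fqdn set
        [datetime] $Now = (Get-Date),
        [int]      $WarnDays = 30                    # hypothetical early-warning window
    )
    foreach ($c in $Connectors) {
        # Per the event text: if the connector's FQDN is not specified, the computer's FQDN is used.
        $fqdn = if ($c.Fqdn) { "$($c.Fqdn)" } else { $ComputerFqdn }
        $match = $Certificates | Where-Object {
            "$($_.Status)" -eq 'Valid' -and $_.HasPrivateKey -and
            $_.NotBefore -le $Now -and $_.NotAfter -gt $Now -and
            "$($_.Services)" -match '\bSMTP\b' -and
            (@($_.CertificateDomains | ForEach-Object { "$_" }) -contains $fqdn)  # exact match only
        } | Sort-Object NotAfter -Descending | Select-Object -First 1

        $result = 'OK'
        if (-not $match) { $result = 'NoUsableCertificate' }
        elseif ($match.NotAfter -lt $Now.AddDays($WarnDays)) { $result = 'ExpiringSoon' }

        New-Object PSObject -Property @{
            Connector = $c.Name; Fqdn = $fqdn; Result = $result
            Thumbprint = $match.Thumbprint; NotAfter = $match.NotAfter
        } | Select-Object Connector, Fqdn, Result, Thumbprint, NotAfter
    }
}

# Constructed sample mirroring the article's state before step 2 (only the expired certificate).
$certs = @(New-Object PSObject -Property @{
    Thumbprint = 'A4530629717651BE6C4443FAC376F23412184CF3'; Status = 'Invalid'
    Services = 'SMTP'; HasPrivateKey = $true
    CertificateDomains = @('hub01', 'hub01.msexchangeguru.com')
    NotBefore = [datetime]'2009-08-20T13:31:23'; NotAfter = [datetime]'2010-08-20T13:31:23' })
$conns = @(New-Object PSObject -Property @{ Name = 'Default HUB01'; Fqdn = 'hub01.msexchangeguru.com' })
Test-ConnectorCertificate -Connectors $conns -Certificates $certs -Now ([datetime]'2011-06-22')

# On an Exchange server (assumes the Exchange Management Shell is loaded):
# Test-ConnectorCertificate -Connectors (Get-ReceiveConnector) -Certificates (Get-ExchangeCertificate) `
#     -ComputerFqdn ([System.Net.Dns]::GetHostEntry('').HostName)
```

Run between step 4 and step 5, a Result of OK with the new Thumbprint confirms that a valid SMTP-enabled certificate covers the connector FQDN before the old one is removed.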

Ratish Nair
MVP Exchange
Team @MSExchangeGuru

Keywords: Renew Exchange certificate, event id 12014, renew exchange 2007 hub transport certificate

5 Responses to “Event ID 12014 – Microsoft Exchange could not find a certificate”

  1. Tim Says:

    Thank you very much Ratish. You really helped me with this issue.

  2. Javidoo2011 Says:

    Hi, I'm getting this error on my second hub transport which is enqueuing mails, client was complaining obviously and I had to shut it down but now this weekend I need to fix it, I will try to do it following these steps, any other suggestion??

  3. bluey Says:

    Hi, my situation is slightly different.
    I have had to set up a receive connector for our 3rd party database support to receive email from our internal SQL server with their "domainname.ourinternaldomain.org.uk" with TLS & Anonymous permissions, the connector works fine but I'm getting event id 12014. We have a pukka 3rd party certificate with all the required services enabled. My get-receiveconnector command returns the 2 default connectors plus the one with our provider's name, it is this one that doesn't have a certificate assigned or created for it. Can I just create a self-signed cert with those services or will that break the hub transport? Your assistance with this matter will be greatly appreciated.

    cheers

  4. shahzad Says:

    Hey Ratish,

    I am having the same problem; can you please check the getcertificate command's result below.

    AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System
    .Security.AccessControl.CryptoKeyAccessRule, System.Securi
    ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
    ssControl.CryptoKeyAccessRule}
    CertificateDomains : {hub01, hub01.msexchangeguru.com}
    HasPrivateKey : True
    IsSelfSigned : True
    Issuer : CN=hub01
    NotAfter : 11/19/2017 2:05:42 PM
    NotBefore : 11/19/2012 2:05:42 PM
    PublicKeySize : 2048
    RootCAType : None
    SerialNumber : 3C58181D00B569A141D881C9545E0C55
    Services : IMAP, POP, SMTP
    Status : Valid
    Subject : CN=BMCEX07J01
    Thumbprint : 7B152EE1A6B307F12F4DF11AFE021F914E0A8BB4

    AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System
    .Security.AccessControl.CryptoKeyAccessRule, System.Securi
    ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
    ssControl.CryptoKeyAccessRule}
    CertificateDomains : {BMCSEX-6812, BMCSEX-6812.bmc.edu.sa}
    HasPrivateKey : True
    IsSelfSigned : True
    Issuer : CN=BMCSEX-6812
    NotAfter : 11/18/2017 11:46:49 PM
    NotBefore : 11/18/2012 11:46:49 PM
    PublicKeySize : 2048
    RootCAType : None
    SerialNumber : EAF14EB0D5A2BB814D3A78FD44007905
    Services : SMTP
    Status : Valid
    Subject : CN=hub01
    Thumbprint : AE1105EE877C02C6EB380380542D7617F33AC7CC

    AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System
    .Security.AccessControl.CryptoKeyAccessRule, System.Securi
    ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
    ssControl.CryptoKeyAccessRule}
    CertificateDomains : {hub01, hub01.msexchangeguru.com}
    HasPrivateKey : True
    IsSelfSigned : True
    Issuer : CN=BMCSEX-6812
    NotAfter : 11/18/2017 10:31:29 PM
    NotBefore : 11/18/2012 10:31:29 PM
    PublicKeySize : 2048
    RootCAType : None
    SerialNumber : 36E906EAFEEC4A804B00427EFD26303D
    Services : SMTP
    Status : Valid
    Subject : CN=BMCSEX-6812
    Thumbprint : A9D5EC6F36F28226579201088AA2FF4375A2A03B

    AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System
    .Security.AccessControl.CryptoKeyAccessRule, System.Securi
    ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
    ssControl.CryptoKeyAccessRule}
    CertificateDomains : {hub01, hub01.msexchangeguru.com}
    HasPrivateKey : True
    IsSelfSigned : True
    Issuer : CN=hub01
    NotAfter : 11/18/2017 5:07:57 PM
    NotBefore : 11/18/2012 5:07:57 PM
    PublicKeySize : 2048
    RootCAType : None
    SerialNumber : F41D9C9D1E2D0EA44368529D003AE9EC
    Services : IIS, SMTP
    Status : Valid
    Subject : CN=BMCSEX-6812
    Thumbprint : E31017A17E0D62DFDD3176B5B966256B4E1FC42C

  5. Rocky Says:

    I’m getting the same error on my Exchange 2013 SP1 mailbox servers. All of my send traffic goes out a particular 2013 CAS server. Will your instructions also work with Exchange 2013 mailbox servers?
