Event ID 12014 – Microsoft Exchange could not find a certificate
This article outlines the steps to renew a certificate, enable the new certificate, and remove the old one using the Exchange Management Shell.
This is the event that is logged:
Log Name : Application
Source : MSExchangeTransport
Date : 6/22/2011 3:06:29 PM
Event ID : 12014
Task Category : TransportService
Level : Error
Keywords : Classic
User : N/A
Computer : hub01.msexchangeguru.com
Description:
Microsoft Exchange could not find a certificate that contains the domain name hub01.msexchangeguru.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default HUB01 with a FQDN parameter of hub01.msexchangeguru.com. If the connector’s FQDN is not specified, the computer’s FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
1. Run this cmdlet in the Exchange Management Shell on the Hub server and copy the Thumbprint of the expired certificate into Notepad:
[PS] C:\Windows\System32>Get-ExchangeCertificate |FL
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule, System.Securi
ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
ssControl.CryptoKeyAccessRule}
CertificateDomains : {hub01, hub01.msexchangeguru.com }
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN= hub01
NotAfter : 8/20/2010 1:31:23 PM –> This has expired
NotBefore : 8/20/2009 1:31:23 PM
PublicKeySize : 2048
RootCAType : Unknown
SerialNumber : 2A7D56E59E654E3E48E15BDDDAE5BD43
Services : SMTP
Status : Invalid
Subject : CN=nbe-vexch-hub1
Thumbprint : A4530629717651BE6C4443FAC376F23412184CF3
2. Run this cmdlet:
Get-ExchangeCertificate -Thumbprint "A4530629717651BE6C4443FAC376F23412184CF3" | New-ExchangeCertificate
Click Yes when prompted
3. Now type:
[PS] C:\Windows\System32>Get-ExchangeCertificate |FL
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule, System.Securi
ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
ssControl.CryptoKeyAccessRule}
CertificateDomains : {hub01, hub01.msexchangeguru.com }
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN= hub01
NotAfter : 6/22/2016 3:23:25 PM
NotBefore : 6/22/2011 3:23:25 PM
PublicKeySize : 2048
RootCAType : None
SerialNumber : 54852328E21942B34F3745DA0859BB34
Services : SMTP
Status : Valid
Subject : CN= hub01
Thumbprint : 3A25CDB554EF6DDF81D32C2D54873DSF7FE54F71
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule, System.Securi
ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
ssControl.CryptoKeyAccessRule}
CertificateDomains : {hub01, hub01.msexchangeguru.com }
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN= hub01
NotAfter : 8/20/2010 1:31:23 PM
NotBefore : 8/20/2009 1:31:23 PM
PublicKeySize : 2048
RootCAType : Unknown
SerialNumber : 2A7D56E59E654E3E48E15BDDDAE5BD43
Services : SMTP
Status : Invalid
Subject : CN= hub01
Thumbprint : A4530629717651BE6C4443FAC376F23412184CF3
4. Now type:
[PS] C:\Windows\System32>Enable-ExchangeCertificate -Thumbprint 3A25CDB554EF6DDF81D32C2D54873DSF7FE54F71 -Services SMTP
Remember that this Thumbprint is the one for the new certificate we just created; this command enables it for SMTP.
5. Remove the old certificate
[PS] C:\Windows\System32>Remove-ExchangeCertificate -Thumbprint A4530629717651BE6C4443FAC376F23412184CF3
Just confirm Yes when prompted.
If you got the error:
Remove-ExchangeCertificate : The internal transport certificate cannot be removed because that would cause the Microsoft Exchange Transport service to stop. To replace the internal transport certificate, create a new certificate. The new certificate will automatically become the internal transport certificate. You can then remove the existing certificate.
Parameter name: Thumbprint
At line:1 char:27
+ Remove-ExchangeCertificate <<<< -Thumbprint A4530629717651BE6C4443FAC376F23412184CF3
This happens because step 4 was not followed properly and the renewed certificate was not enabled, so Exchange is still using the old one.
Just follow step 4 again and try to remove the certificate.
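The check and the renewal steps above can be scripted as follows. This is an added example, not part of the original article; it assumes it is run in the Exchange Management Shell on the Hub Transport server itself, and the variable names are illustrative.

```powershell
# Added example. Run in the Exchange Management Shell on the Hub Transport server.
$now       = Get-Date
$hostFqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$smtpCerts = @(Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' })

# Part 1: list receive connectors that have no usable certificate for their FQDN,
# which is the condition event 12014 reports.
foreach ($connector in (Get-ReceiveConnector -Server $env:COMPUTERNAME)) {
    $fqdn = "$($connector.Fqdn)"
    if (-not $fqdn) { $fqdn = $hostFqdn }   # no connector FQDN: the computer FQDN is used
    $usable = @($smtpCerts | Where-Object {
        $domains = @($_.CertificateDomains | ForEach-Object { "$_" })
        $_.Status -eq 'Valid' -and $_.HasPrivateKey -and $_.NotAfter -gt $now -and
            ($domains -contains $fqdn)      # exact name match; wildcards are not handled
    })
    if ($usable.Count -eq 0) {
        Write-Warning "No valid SMTP certificate for '$fqdn' (connector $($connector.Identity))"
    }
}

# Part 2: renew expired self-signed SMTP certificates (steps 2 to 5 of the article).
# Each cmdlet still prompts for confirmation, as in the article.
$expired = @($smtpCerts | Where-Object { $_.IsSelfSigned -and $_.NotAfter -lt $now })
foreach ($old in $expired) {
    $new = Get-ExchangeCertificate -Thumbprint $old.Thumbprint | New-ExchangeCertificate
    if (-not $new) { Write-Warning "Renewal of $($old.Thumbprint) failed"; continue }
    Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services SMTP

    # Remove the old certificate only once the new one is confirmed valid and bound to
    # SMTP; removing it earlier is the error case described in the article.
    $check = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
    if ($check.Status -eq 'Valid' -and $check.Services -match 'SMTP') {
        Remove-ExchangeCertificate -Thumbprint $old.Thumbprint
    } else {
        Write-Warning "New certificate $($new.Thumbprint) is not active for SMTP; kept old one"
    }
}
```

Part 2 is limited to self-signed certificates because piping an existing certificate to New-ExchangeCertificate produces a new self-signed one; a certificate issued by a third-party CA has to be renewed through that CA.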
Ratish Nair
MVP Exchange
Team @MSExchangeGuru
Keywords: Renew Exchange certificate, event id 12014, renew exchange 2007 hub transport certificate
August 22nd, 2011 at 11:03 pm
Thank you very much Ratish. You really helped me with this issue.
November 10th, 2011 at 1:59 pm
Hi, I’m getting this error on my second hub transport which is enqueuing mails, client was complaining obviously and I had to shut it down but now this weekend I need to fix it, I will try to do it following these steps, any other suggestion??
November 25th, 2011 at 7:37 am
Hi, my situation is slightly different.
I have had to set up a receive connector for our 3rd party database support to receive email from our internal SQL server with their “domainname.ourinternaldomain.org.uk” with TLS & Anonymous permissions. The connector works fine but I’m getting event id 12014. We have a pukka 3rd party certificate with all the required services enabled. My get-receiveconnector command returns the 2 default connectors plus the one with our provider’s name; it is this one that doesn’t have a certificate assigned or created for it. Can I just create a self-signed cert with those services or will that break the hub transport? Your assistance with this matter will be greatly appreciated.
cheers
June 24th, 2013 at 1:26 am
Hey Ratish,
I am having the same problem. Can you please check the getcertificate command’s result below?
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule, System.Securi
ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
ssControl.CryptoKeyAccessRule}
CertificateDomains : {hub01, hub01.msexchangeguru.com}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=hub01
NotAfter : 11/19/2017 2:05:42 PM
NotBefore : 11/19/2012 2:05:42 PM
PublicKeySize : 2048
RootCAType : None
SerialNumber : 3C58181D00B569A141D881C9545E0C55
Services : IMAP, POP, SMTP
Status : Valid
Subject : CN=BMCEX07J01
Thumbprint : 7B152EE1A6B307F12F4DF11AFE021F914E0A8BB4
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule, System.Securi
ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
ssControl.CryptoKeyAccessRule}
CertificateDomains : {BMCSEX-6812, BMCSEX-6812.bmc.edu.sa}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=BMCSEX-6812
NotAfter : 11/18/2017 11:46:49 PM
NotBefore : 11/18/2012 11:46:49 PM
PublicKeySize : 2048
RootCAType : None
SerialNumber : EAF14EB0D5A2BB814D3A78FD44007905
Services : SMTP
Status : Valid
Subject : CN=hub01
Thumbprint : AE1105EE877C02C6EB380380542D7617F33AC7CC
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule, System.Securi
ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
ssControl.CryptoKeyAccessRule}
CertificateDomains : {hub01, hub01.msexchangeguru.com}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=BMCSEX-6812
NotAfter : 11/18/2017 10:31:29 PM
NotBefore : 11/18/2012 10:31:29 PM
PublicKeySize : 2048
RootCAType : None
SerialNumber : 36E906EAFEEC4A804B00427EFD26303D
Services : SMTP
Status : Valid
Subject : CN=BMCSEX-6812
Thumbprint : A9D5EC6F36F28226579201088AA2FF4375A2A03B
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule, System.Securi
ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
ssControl.CryptoKeyAccessRule}
CertificateDomains : {hub01, hub01.msexchangeguru.com}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=hub01
NotAfter : 11/18/2017 5:07:57 PM
NotBefore : 11/18/2012 5:07:57 PM
PublicKeySize : 2048
RootCAType : None
SerialNumber : F41D9C9D1E2D0EA44368529D003AE9EC
Services : IIS, SMTP
Status : Valid
Subject : CN=BMCSEX-6812
Thumbprint : E31017A17E0D62DFDD3176B5B966256B4E1FC42C
September 15th, 2014 at 3:06 pm
I’m getting the same error on my Exchange 2013 SP1 mailbox servers. All of my send traffic goes out a particular 2013 CAS server. Will your instructions also work with Exchange 2013 mailbox servers?
June 28th, 2016 at 12:16 pm
Thanks for the help. Worked perfectly.