Replaced Default Cert with SAN on Exchange 2010 - error 12014
I just installed a new SAN cert on a new installation of Exchange 2010 SP1 RU2. After I installed the cert I removed the default cert created by Exchange during installation. Now getting error 12014. What do I do here to tell Exchange to always use the SAN cert - although the internal FQDN is not listed on that SAN? Or do I have to recreate it and enable SMTP services?
Microsoft Exchange could not find a certificate that contains the domain name exchangeserver.mydomain.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Internet with a FQDN parameter
of exchangeserver.mydomain.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this
certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
Thanks - SJMP
December 30th, 2010 7:04pm
Hi,
To resolve this problem, you can just create a new self-signed certificate which contains the FQDN of your hub transport server and then enable it for the SMTP service:
On the hub transport server, open EMS and type:
New-ExchangeCertificate | Enable-ExchangeCertificate -Services "SMTP"
A certificate will be used when the following SMTP sessions happen:
· SMTP sessions between Hub Transport servers: A certificate is used only for encryption of the SMTP session. Authentication is provided by the Kerberos protocol.
· SMTP sessions between Hub Transport servers and an Edge Transport server: A certificate is used for encryption of the SMTP session and for direct trust authentication.
So we must have a certificate that contains the FQDN of the receive connectors on your hub transport server.
Note:
Don't modify the FQDN value on the default Receive connector Default <Server Name> that's automatically created on Hub Transport servers. If you have multiple Hub Transport servers in your Exchange organization and you change the FQDN value on the Default <Server Name> Receive connector, internal mail flow between Hub Transport servers fails.
If you would like to use the public certificate for the SMTP service, you need to request a new SAN certificate that contains both the external and internal URL, then enable it for SMTP services.
For more information, please refer to the following KB article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;555855
Gen Lin
TechNet Subscriber Support
December 31st, 2010 10:48am
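A check for the condition behind event 12014, as an added example that is not part of the original thread: it lists connectors whose FQDN (or the computer's FQDN when none is set) is not among the names of any SMTP-enabled certificate. The function name, its parameters and the sample objects are assumptions constructed for illustration, and names are matched exactly, which is a simplification.

```powershell
# Added example: names are hypothetical, sample objects are constructed.
function Find-UncoveredConnector {
    param(
        [object[]]$Connectors,    # objects with Identity and Fqdn
        [object[]]$Certificates,  # objects with Thumbprint, Services, CertificateDomains
        [string]$ComputerFqdn     # used when a connector has no FQDN set
    )
    # Only certificates enabled for SMTP are candidates for STARTTLS.
    $smtpCerts = @($Certificates | Where-Object { "$($_.Services)" -match '\bSMTP\b' })
    foreach ($c in $Connectors) {
        # Per the event text: no connector FQDN means the computer's FQDN is used.
        $fqdn = "$($c.Fqdn)"
        if ([string]::IsNullOrEmpty($fqdn)) { $fqdn = $ComputerFqdn }
        # Assumption: exact, case-insensitive match against the certificate's names.
        $covering = @($smtpCerts | Where-Object {
            @($_.CertificateDomains | ForEach-Object { "$_" }) -contains $fqdn
        })
        if ($covering.Count -eq 0) {
            New-Object PSObject -Property @{ Connector = "$($c.Identity)"; MissingName = $fqdn }
        }
    }
}

# Constructed sample mirroring the thread: a SAN cert that lacks the internal FQDN.
$certs = @(
    New-Object PSObject -Property @{
        Thumbprint = 'SAMPLE-SAN-CERT'; Services = 'IIS, SMTP'
        CertificateDomains = @('mail.mydomain.com', 'autodiscover.mydomain.com')
    }
)
$connectors = @(
    New-Object PSObject -Property @{ Identity = 'Internet'; Fqdn = 'exchangeserver.mydomain.com' }
    New-Object PSObject -Property @{ Identity = 'Default EXCHANGESERVER'; Fqdn = '' }
)
Find-UncoveredConnector -Connectors $connectors -Certificates $certs -ComputerFqdn 'exchangeserver.mydomain.com'

# In EMS on a Hub Transport server, pass live objects instead:
#   Find-UncoveredConnector -Connectors (@(Get-ReceiveConnector) + @(Get-SendConnector)) `
#       -Certificates (Get-ExchangeCertificate) -ComputerFqdn 'exchangeserver.mydomain.com'
```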
Hi,
Is there any update on this problem?
Gen Lin-MSFT
January 5th, 2011 11:43am
Gen,
The post you marked as answered was the perfect resolution.
Thanks,
sjmp
January 5th, 2011 4:03pm
Hi Gen -
I had this EXACT same issue - and this was the fix for me as well.
When I entered the new-exchangecertificate | Enable-ExchangeCertificate -services SMTP command into the EMS, it asked if I wanted to overwrite the existing certificate. I wasn't completely sure how to answer, so I did a Ctrl-C to stop so I could re-gather my thoughts. But, Exchange created the cert anyway, and assigned the SMTP process to it, while not affecting my current 3rd-party cert. Now both certs show as having the SMTP service assigned. Strange, but no more 12014 errors! I'll move on to other problems.
May 9th, 2012 4:58pm