StartTLS Error Event ID 12014

Exchange 2007

Currently getting an error with StartTLS SMTP. Unable to locate a valid certificate. Here is my Get-ExchangeCertificate output. It indicates my certs are invalid. There are also two on here that are expired.

AccessRules          : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains   : {www.domain.com, domain.com, exch.domain.net, autodiscover.domain.com, webmail.domain.com, mail.domain.com, autodiscover.domain.net}
CertificateRequest   :
IisServices          : {IIS://exch/W3SVC/1}
IsSelfSigned         : False
KeyIdentifier        : xxxxxxxxxxxxxxxxxxxxxxxx
RootCAType           : Unknown
Services             : IMAP, POP, IIS, SMTP
Status               : Invalid
PrivateKeyExportable : True
Archived             : False
Extensions           : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, Syste
                       m.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
FriendlyName         : Microsoft Exchange
IssuerName           : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter             : 3/4/2016 11:43:05 AM
NotBefore            : 2/26/2015 3:14:40 PM
HasPrivateKey        : True
PrivateKey           : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey            : System.Security.Cryptography.X509Certificates.PublicKey
RawData              : {48, 130, 5, 166, 48, 130, 4, 142, 160, 3, 2, 1, 2, 2, 8, 70...}
SerialNumber         : XXXXXXXXXXXXXXXXXXXXXXX
SubjectName          : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm   : System.Security.Cryptography.Oid
Thumbprint           : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Version              : 3
Handle               : 509608784
Issuer               : CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
Subject              : CN=www.domain.com, OU=Domain Control Validated

AccessRules          : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains   : {www.domain.com}
CertificateRequest   : XXXXXXXXXXX
IisServices          : {}
IsSelfSigned         : True
KeyIdentifier        : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
RootCAType           : Unknown
Services             : None
Status               : Invalid
PrivateKeyExportable : True
Archived             : False
Extensions           : {}
FriendlyName         : Microsoft Exchange
IssuerName           : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter             : 2/26/2016 8:53:48 PM
NotBefore            : 2/26/2015 2:53:48 PM
HasPrivateKey        : True
PrivateKey           : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey            : System.Security.Cryptography.X509Certificates.PublicKey
RawData              : {48, 130, 2, 81, 48, 130, 2, 62, 160, 3, 2, 1, 2, 2, 16, 134...}
SerialNumber         : XXXXXXXXXXXXXXXXXXXXXXXXXX
SubjectName          : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm   : System.Security.Cryptography.Oid
Thumbprint           : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Version              : 3
Handle               : 509601504
Issuer               : CN=www.domain.com, O=Company Intl., S=California, L=Irvine, C=US
Subject              : CN=www.domain.com, O=Company Intl., S=California, L=Irvine, C=US

AccessRules          : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains   : {mail.domain.com}
CertificateRequest   : XXXXXXXXXXXXXXXXXXX
IisServices          : {}
IsSelfSigned         : True
KeyIdentifier        : XXXXXXXXXXXXXXXXXXXXXX
RootCAType           : Unknown
Services             : None
Status               : Invalid
PrivateKeyExportable : True
Archived             : False
Extensions           : {}
FriendlyName         : Microsoft Exchange
IssuerName           : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter             : 2/26/2016 8:49:38 PM
NotBefore            : 2/26/2015 2:49:38 PM
HasPrivateKey        : True
PrivateKey           : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey            : System.Security.Cryptography.X509Certificates.PublicKey
RawData              : {48, 130, 2, 83, 48, 130, 2, 64, 160, 3, 2, 1, 2, 2, 16, 181...}
SerialNumber         : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
SubjectName          : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm   : System.Security.Cryptography.Oid
Thumbprint           : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Version              : 3
Handle               : 509602800
Issuer               : CN=mail.domain.com, O=Company Intl., S=California, L=Irvine, C=US
Subject              : CN=mail.domain.com, O=Company Intl., S=California, L=Irvine, C=US

AccessRules          : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains   : {www.domain.com}
CertificateRequest   : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
IisServices          : {}
IsSelfSigned         : True
KeyIdentifier        : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
RootCAType           : Unknown
Services             : None
Status               : Invalid
PrivateKeyExportable : False
Archived             : False
Extensions           : {}
FriendlyName         : Microsoft Exchange
IssuerName           : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter             : 2/24/2012 7:57:09 PM
NotBefore            : 2/24/2011 1:57:09 PM
HasPrivateKey        : True
PrivateKey           : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey            : System.Security.Cryptography.X509Certificates.PublicKey
RawData              : {48, 130, 2, 81, 48, 130, 2, 62, 160, 3, 2, 1, 2, 2, 16, 38...}
SerialNumber         : XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
SubjectName          : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm   : System.Security.Cryptography.Oid
Thumbprint           : XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Version              : 3
Handle               : 509601104
Issuer               : CN=www.domain.com, O=Company International, S=CA, L=Irvine, C=US
Subject              : CN=www.domain.com, O=Company International, S=CA, L=Irvine, C=US

AccessRules          : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains   : {www.domain.com}
CertificateRequest   : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
IisServices          : {}
IsSelfSigned         : True
KeyIdentifier        : XXXXXXXXXXXXXXXXXXXXXXXXXXXX
RootCAType           : Unknown
Services             : None
Status               : Invalid
PrivateKeyExportable : False
Archived             : False
Extensions           : {}
FriendlyName         : Microsoft Exchange
IssuerName           : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter             : 2/24/2012 7:56:13 PM
NotBefore            : 2/24/2011 1:56:13 PM
HasPrivateKey        : True
PrivateKey           : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey            : System.Security.Cryptography.X509Certificates.PublicKey
RawData              : {48, 130, 2, 81, 48, 130, 2, 62, 160, 3, 2, 1, 2, 2, 16, 178...}
SerialNumber         : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
SubjectName          : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm   : System.Security.Cryptography.Oid
Thumbprint           : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Version              : 3
Handle               : 509602944
Issuer               : CN=www.domain.com, O=Company International, S=CA, L=Irvine, C=US
Subject              : CN=www.domain.com, O=Company International, S=CA, L=Irvine, C=US

Any help would be appreciated.

March 10th, 2015 11:22am

Hello

tip:

Try to install Go Daddy Root Certificate Authority - G2 to trusted root cert.
And check receive and send connector FQDN name.

March 10th, 2015 3:21pm

It's already installed but I also don't see an option to check receive and send connectors.
March 10th, 2015 6:28pm

Hello

ecp-->mail flow

But your certificate error is because RootCAType - Unknown and Status - Invalid.
Check the GoDaddy cert again.

March 11th, 2015 3:16am

You were partially correct. The issue was that the server was not compatible with SHA2. Exchange was running on Server 2003 R2.
  • Marked as answer by rbtcsta 13 hours 41 minutes ago
March 11th, 2015 1:41pm
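
Added example, not part of the original thread: the Get-ExchangeCertificate output above prints SignatureAlgorithm only as a type name, so this sketch lists the actual signature algorithm of every certificate in each chain together with the chain-build result on the local server. It assumes the certificates live in the LocalMachine\My store and uses only .NET X509 classes, no Exchange cmdlets.

```powershell
# Added example: report signature algorithm and chain validity per certificate.
# OID 1.2.840.113549.1.1.5  = sha1RSA
# OID 1.2.840.113549.1.1.11 = sha256RSA (SHA-2)
$now = Get-Date

foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    # Build the chain using this machine's trust store and crypto support.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation lookups so the result reflects trust, dates and signatures only.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)

    # Reasons the build failed, e.g. UntrustedRoot, NotTimeValid, NotSignatureValid.
    $reasons = @()
    foreach ($status in $chain.ChainStatus) {
        $reasons += $status.Status.ToString()
    }

    # Signature algorithm OID of every certificate found in the chain (leaf first),
    # because an intermediate can be SHA-2 signed even when the leaf is not.
    $chainAlgs = @()
    foreach ($element in $chain.ChainElements) {
        $chainAlgs += $element.Certificate.SignatureAlgorithm.Value
    }

    $row = New-Object PSObject
    $row | Add-Member NoteProperty Subject      $cert.Subject
    $row | Add-Member NoteProperty Thumbprint   $cert.Thumbprint
    $row | Add-Member NoteProperty NotAfter     $cert.NotAfter
    $row | Add-Member NoteProperty Expired      ($cert.NotAfter -lt $now)
    $row | Add-Member NoteProperty SigAlgName   $cert.SignatureAlgorithm.FriendlyName
    $row | Add-Member NoteProperty SigAlgOid    $cert.SignatureAlgorithm.Value
    $row | Add-Member NoteProperty ChainSigOids ($chainAlgs -join ', ')
    $row | Add-Member NoteProperty ChainValid   $chainOk
    $row | Add-Member NoteProperty ChainErrors  ($reasons -join ', ')
    $row
}
```

Pipe the output to Format-List to read it per certificate; a row whose chain contains the SHA-2 OID and whose ChainErrors is non-empty is the one to compare against the Status : Invalid entry with SMTP in its Services.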

Hello

Hotfix?

http://support.microsoft.com/kb/938397

March 11th, 2015 1:45pm

Used the hotfix and still did not work.
March 11th, 2015 1:58pm

Forgot to mention that.
March 11th, 2015 2:00pm
