Microsoft Exchange couldn’t find a certificate that contains the domain name %1 in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector %2 with a FQDN parameter of %1. If the connector’s FQDN is not specified, the computer’s FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

Details
Product: Exchange
Event ID: 12014
Source: MSExchangeTransport
Version: 8.0
Symbolic Name: CannotLoadSTARTTLSCertificateFromStore
Message: Microsoft Exchange couldn’t find a certificate that contains the domain name %1 in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector %2 with a FQDN parameter of %1. If the connector’s FQDN is not specified, the computer’s FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
   
Explanation

This Warning event indicates that there is a problem loading a certificate to be used for STARTTLS purposes. Generally, this problem occurs if one or both of the following conditions is true:

  • The fully qualified domain name (FQDN) that is specified in the Warning event has been defined on a Receive connector or Send connector on a Microsoft Exchange Server 2007 transport server, and no certificate is installed on the same computer that contains the FQDN in the Subject or Subject Alternative Name fields.

  • A third-party or custom certificate has been installed on the server and it contains a matching FQDN. However, the certificate is not enabled for the SMTP service.

Transport Layer Security (TLS) functionality requires that a valid certificate is installed in the computer’s personal certificate store.

   
User Action

To resolve this warning, perform the following steps:

  1. Examine the configuration of the certificates installed on the Exchange server and the configuration of all Receive connectors and Send connectors installed on the server. The following commands are used to view the configuration:

    Get-ExchangeCertificate | FL *

    Get-ReceiveConnector | FL name, fqdn, objectClass

    Get-SendConnector | FL name, fqdn, objectClass

    Note   To display the services that are enabled for the installed certificate, you must use the asterisk (*) when you run the FL argument on the Get-ExchangeCertificate cmdlet. The Services values will not display if the * is not specified in the task parameters.

    Run the commands and compare the FQDN that is returned with the Warning event with the FQDN that is defined on each of the connectors and with the CertificateDomains values that are defined on each of the certificates. The CertificateDomains value is a concatenation of the Subject and Subject Alternative Name fields on the certificate.

    The goal is to verify that each connector that is using TLS has a corresponding certificate that includes the connector’s FQDN in the CertificateDomains values of the certificate. Note any connectors that are enabled for TLS but do not have a corresponding certificate where the connector FQDN is in the CertificateDomains values of the certificate.

    Inspect the Services value on each certificate. If you are using a certificate for TLS, it must be enabled for the SMTP service with a Services value of SMTP.

  2. If the FQDN is not listed on the CertificateDomains parameter, you must create a new certificate and specify the FQDN of the connector that is returned in this warning message. You can create the certificate by using the New-ExchangeCertificate cmdlet. Or you may prefer to use a third-party or custom certificate. You can use the New-ExchangeCertificate cmdlet to generate the certificate request. For more information, see Creating a Certificate or Certificate Request for TLS.

  3. If a third-party or custom certificate has been installed on the server and it contains a matching FQDN but the certificate is not enabled for the SMTP service, the certificate must be enabled for the SMTP service. For more information, see Enable-ExchangeCertificate.

Related:

Leave a Reply