Microsoft Exchange could not load the STARTTLS certificate from the local store because it did not match the FQDN from the connector configuration
Topic Last Modified: 2007-11-16
The Microsoft Exchange Server 2007 Management Pack for Operations Manager monitors the Windows Application log on computers that are running Exchange Server 2007 and generates this alert when the event or events specified in the following Details table are logged.
To learn more about this alert, if you are using Microsoft Operations Manager 2005, do one or more of the following:
From the Operator Console, select this alert, and then click the Properties tab. Review the description of the alert that includes the variables specific to your environment.
From the Operator Console, click the Events tab, and then double-click the event in the list for which you want to review the event description. Review the events that have been logged that meet the criteria of this Operations Manager alert.
To learn more about this alert, if you are using System Center Operations Manager 2007, do one or more of the following:
From the Operations Console, double-click this alert, and then click the General tab. Review the description of the alert that includes the variables specific to your environment.
From the Operations Console, double-click this alert, and then click the Alert Context tab. Review the events that have been logged that meet the criteria of this Operations Manager alert.
Details
Product Name |
Exchange |
Product Version |
8.0 (Exchange Server 2007) |
Event ID |
12014 |
Event Source |
MSExchangeTransport |
Alert Type |
Critical Error |
MOM Rule Path |
Microsoft Exchange Server/Exchange 2007/Common Components/Hub Transport and Edge Transport/Transport |
MOM Rule Name |
Microsoft Exchange could not load the STARTTLS certificate from the local store because it did not match the FQDN from the connector configuration. |
Explanation
This Warning event indicates that there is a problem loading a certificate to be used for STARTTLS purposes. Generally, this problem occurs if one or both of the following conditions is true:
The fully qualified domain name (FQDN) that is specified in the Warning event has been defined on a Receive connector or Send connector on a Microsoft Exchange Server 2007 transport server, and no certificate is installed on the same computer that contains the FQDN in the Subject or Subject Alternative Name fields.
A third-party or custom certificate has been installed on the server and it contains a matching FQDN. However, the certificate is not enabled for the SMTP service.
Transport Layer Security (TLS) functionality requires that a valid certificate is installed in the computer's personal certificate store.
User Action
To resolve this warning, you must first determine the cause of the Warning event. The following possible causes exist:
A certificate does not contain the FQDN of a connector on the computer
The certificate is not enabled for the SMTP service.
Both these conditions are true.
Troubleshooting
To troubleshoot this issue, you must first examine the configuration of the certificates installed on the Exchange server and the configuration of all Receive connectors and Send connectors installed on the server. The following commands are used to view the configuration:
Get-ExchangeCertificate | FL *
Get-ReceiveConnector | FL name, fqdn, objectClass
Get-SendConnector | FL name, fqdn, objectClass
Note To display the services that are enabled for the installed certificate, you must use the asterisk (*) when you run the FL argument on the Get-ExchangeCertificate cmdlet. The Services values will not display if the * is not specified in the task parameters.
Run the commands and compare the FQDN that is returned with the Warning event with the FQDN that is defined on each of the connectors and with the CertificateDomains values that are defined on each of the certificates. The CertificateDomains value is a concatenation of the Subject and Subject Alternative Name fields on the certificate.
The goal is to verify that each connector that is using TLS has a corresponding certificate that includes the connector's FQDN in the CertificateDomains values of the certificate. Note any connectors that are enabled for TLS but do not have a corresponding certificate where the connector FQDN is in the CertificateDomains values of the certificate.
Inspect the Services value on each certificate. If you are using a certificate for TLS, it must be enabled for the SMTP service with a Services value of SMTP.
For More Information
To search the Microsoft Knowledge Base articles based on criteria that generated this alert, visit the Search the Support Knowledge Base (KB) Web site.
To review Exchange 2007 event message articles that may not be represented by Exchange 2007 alerts, see the Events and Errors Message Center.
If you are not already doing so, consider running the tools that Microsoft Exchange offers to help administrators analyze and troubleshoot their Exchange environment. These tools can help you make sure that your configuration is in line with Microsoft best practices. They can also help you identify and resolve performance issues, improve mail flow, and better manage disaster recovery scenarios. Go to the Toolbox node of the Exchange Management Console to run these tools now. For more information about these tools, see Toolbox in the Exchange Server 2007 Help.