Microsoft Exchange could not load the certificate

Question

Sunday, October 22, 2017 10:42 PM

Hi

I am getting events 12023 from MSExchangeTransportDelivery as below:

Microsoft Exchange could not load the certificate with thumbprint of 5DDFEAA44EAD29E676B6AB06511BB7E7B9A09585 from the personal store on the local computer. This certificate was configured for authentication with other Exchange servers. Mail flow to other Exchange servers could be affected by this error. If the certificate with this thumbprint still exists in the personal store, run Enable-ExchangeCertificate 5DDFEAA44EAD29E676B6AB06511BB7E7B9A09585 -Services SMTP to resolve the issue. If the certificate does not exist in the personal store, restore it from backup by using the Import-ExchangeCertificate cmdlet, or create a new certificate for the FQDN or the server enabled for SMTP by running the following command: New-ExchangeCertificate -DomainName serverfqdn -Services SMTP. Meanwhile, the certificate with thumbprint 5F7C7934C90FFED5B8420EE73A55D4EF765B6790 is being used.

However, certificate 5DDFEAA44EAD29E676B6AB06511BB7E7B9A09585 does not seem to exist:

[PS] C:\Windows\system32>Get-ExchangeCertificate

Thumbprint                                Services   Subject
                                   
3988F989D886BFF940FDA96D8989E38611D0504F  IP.W...    CN=exchange.mydomain.com, OU=Domain Control Validated
CD102FF3DD5C5CBB80EBCAC347B723F720E34F43  ....S..    CN=Microsoft Exchange Server Auth Certificate
5F7C7934C90FFED5B8420EE73A55D4EF765B6790  ....S..    CN=MYMAILSERVER
97DB9CFF33DB1D4A795FE67FB5CAA252BADB60B0  .......    CN=WMSvc-SHA2-MYMAILSERVER
EEEFB7E654305EABCA39E527CD764D7EE594ACA4  ...WS..    CN=MYMAILSERVER

How can I fix this please?

Thanks

Regards

All replies (3)

Monday, October 23, 2017 7:14 AM ✅Answered | 1 vote

Hi Yahya, 

Based on my research, this error event indicates that the certificate that has been configured for this server no longer exists in the computer personal certificate store, or if it does exist, it is not enabled for SMTP.

Therefore, to resolve this error:

We should search the computer's personal certificate store to determine whether the certificate exists. 

1. If the certificate exists, we should enable the certificate for SMTP by running the Enable-ExchangeCertificate cmdlet.

Enable-ExchangeCertificate -Thumbprint <String> -Services SMTP

2. If the certificate does not exist, we should use the New-ExchangeCertificate cmdlet to create a new internal transport certificate on the computer that returned this error event.

New-ExchangeCertificate

For more details, refer to Exchange couldn't find a certificate in the personal store on the local computer. It also applies to Exchange 2016.

Best Regards,

Manu Meng
TechNet Community Support

Please remember to mark the replies as answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
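One way to script the check described in this answer, as an added example that is not from the thread or from Microsoft: it reads the latest 12023 event (the source name MSExchangeTransportDelivery is the one quoted in the question), extracts both thumbprints from the message, and enables the certificate for SMTP only if it is still in the personal store and not expired; otherwise it reports so the admin can choose between Import-ExchangeCertificate and New-ExchangeCertificate. It assumes the Exchange Management Shell on the affected server; the function names are my own.

```powershell
# Added example, not code from the thread. Assumes the Exchange Management Shell.

function Get-MissingTransportCertThumbprint {
    param([Parameter(Mandatory)][string]$Message)
    # Event 12023 names two thumbprints: the one that failed to load and the fallback in use.
    $m = [regex]::Match($Message,
        'thumbprint of ([0-9A-Fa-f]{40}).*thumbprint ([0-9A-Fa-f]{40}) is being used', 'Singleline')
    if (-not $m.Success) { return $null }
    [pscustomobject]@{
        Missing  = $m.Groups[1].Value.ToUpper()
        Fallback = $m.Groups[2].Value.ToUpper()
    }
}

function Repair-TransportCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint, [switch]$WhatIf)
    # Cert:\LocalMachine\My is the computer's personal store the event refers to.
    $path = "Cert:\LocalMachine\My\$Thumbprint"
    if (Test-Path $path) {
        $cert = Get-Item $path
        if ($cert.NotAfter -lt (Get-Date)) {
            Write-Warning "Certificate $Thumbprint is in the store but expired on $($cert.NotAfter); issue a new one instead of re-enabling it."
            return 'Expired'
        }
        # Case 1 from the answer: present but not enabled for SMTP.
        Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services SMTP -WhatIf:$WhatIf -Confirm:$false
        return 'Enabled'
    }
    # Case 2 from the answer: not in the store. Leave the restore-vs-new choice to the admin.
    Write-Warning "Certificate $Thumbprint is not in Cert:\LocalMachine\My. Restore it with Import-ExchangeCertificate or run New-ExchangeCertificate -DomainName <serverfqdn> -Services SMTP."
    return 'Missing'
}

# Pull the newest 12023 event from the Application log (source name as shown in the question).
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MSExchangeTransportDelivery'; Id = 12023 } `
       -MaxEvents 1 -ErrorAction SilentlyContinue
if ($evt) {
    $tp = Get-MissingTransportCertThumbprint -Message $evt.Message
    if ($tp) {
        "Event refers to $($tp.Missing); transport is currently falling back to $($tp.Fallback)"
        Repair-TransportCertificate -Thumbprint $tp.Missing -WhatIf   # drop -WhatIf to apply the change
    }
}
```

After the fix, compare Get-ExchangeCertificate output with the thumbprint in the event; the Services column should show S for the certificate you expect transport to use.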


Monday, October 23, 2017 12:13 AM

Looks like that certificate was not imported. 

Have you tried to run Import-ExchangeCertificate?


Wednesday, February 14, 2018 9:14 AM

Hi all,

I have the same warnings on my Exchange 2016 servers, although all services have a corresponding valid certificate!? It may be that I have removed expired certificates from the cert store, but the new valid ones are properly included.

The question is which service used this orphaned certificate?

Neither IIS nor the cmdlets can check this point.

It would be helpful to find out at which point / by which services the certificate is used.

THX

Manfred Schüler