KB ID 0000292
Problem
Event ID 12016
There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of <domain>. The existing certificate for that FQDN has expired. The continued use of that FQDN will cause mail flow problems. A new certificate that contains the FQDN of <domain> should be installed on this server as soon as possible. You can create a new certificate by using the New-ExchangeCertificate task
Cause: One of the certificates installed on the server that has the “S” attribute (SMTP) has expired. If it is the main certificate for the server then you will need to replace it. However, this is common on servers that still have a copy of the self-signed certificate that was created and used when Exchange was first installed, so you are not using that certificate anyway.
Solution
I’m assuming that the certificates that have expired are not the ones you are using in anger; let’s make sure.
1. To see which certificates are being used for which services, launch “Exchange Management Shell” and issue the following command;
[box] Get-ExchangeCertificate [/box]
2. Above you can see I’ve got three certificates and they are all being used for SMTP; let’s make sure they are all in date.
3. Click Start > mmc {enter} > File > Add/Remove Snap-in > Certificates > Add > Select “Computer account” > Next > Accept the default of “Local computer” > Finish > OK > Expand Certificates > Personal > Certificates.
4. Look down the expiration date column and you can see which ones are out of date. Compare this list to the original one and you can see which certificates need removing.
5. You can remove the expired certificates from here by right clicking > Delete.
6. OR, you can delete the certificates from within PowerShell with the following cmdlet (the thumbprint is shown in the output of Get-ExchangeCertificate);
[box] Remove-ExchangeCertificate -Thumbprint {thumbprint of certificate} [/box]
7. Then press Y and {Enter} to confirm.
8. Either way, when you are finished you should be looking at something more like this.
Note: Without an SMTP certificate with the FQDN of the server you may see Event ID 12014.
Error:
Microsoft Exchange couldn’t find a certificate that contains the domain name <name> in the personal store on the local computer. Therefore it is unable to offer the STARTTLS SMTP verb for any connector with a FQDN parameter of <name>. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for every connector FQDN.
You can simply create a self-signed certificate with the FQDN of the server and import it, then enable it for SMTP (Note: it WON’T overwrite the one you are using). Or click here.
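As an added example that is not part of this KB, the following script for the Exchange Management Shell automates the check in steps 1 to 8 above and the Event ID 12014 note: it lists every SMTP-enabled certificate, flags the expired ones, and only removes those whose names are not used by any Send or Receive connector, so the certificate you are using in anger is never deleted by mistake. The -Remove switch, the variable names and the exact-match comparison of certificate names against connector FQDNs are my assumptions, not from the original article.

```powershell
# Added example, not from the original KB. Run in the Exchange Management Shell.
# Assumption: without -Remove the script only reports; pass -Remove to delete.
param([switch]$Remove)

# FQDNs that connectors advertise for STARTTLS. A certificate covering one of
# these is in use and must be replaced, never just removed, even if expired.
$connectorFqdns = @(Get-ReceiveConnector | ForEach-Object { "$($_.Fqdn)" }) +
                  @(Get-SendConnector    | ForEach-Object { "$($_.Fqdn)" }) |
                  Where-Object { $_ } | Sort-Object -Unique

$now = Get-Date
$report = foreach ($cert in Get-ExchangeCertificate) {
    # Only certificates with the "S" (SMTP) service attribute matter for 12016.
    if ("$($cert.Services)" -notmatch 'SMTP') { continue }
    # Exact match only (assumption): wildcard names such as *.example.com are
    # not expanded here and should be reviewed by hand before removal.
    $domains = @($cert.CertificateDomains | ForEach-Object { "$_" })
    $inUse   = @($domains | Where-Object { $connectorFqdns -contains $_ }).Count -gt 0
    [pscustomobject]@{
        Thumbprint      = $cert.Thumbprint
        Subject         = $cert.Subject
        NotAfter        = $cert.NotAfter
        Expired         = ($cert.NotAfter -lt $now)
        SelfSigned      = $cert.IsSelfSigned
        UsedByConnector = $inUse
    }
}
$report | Format-Table -AutoSize

# Safe to drop: expired AND not matching any connector FQDN (typically the
# leftover self-signed certificate from the original Exchange install).
foreach ($c in ($report | Where-Object { $_.Expired -and -not $_.UsedByConnector })) {
    if ($Remove) {
        Remove-ExchangeCertificate -Thumbprint $c.Thumbprint -Confirm:$false
        Write-Host "Removed expired certificate $($c.Thumbprint) ($($c.Subject))"
    } else {
        Write-Warning "Would remove expired certificate $($c.Thumbprint) ($($c.Subject)); re-run with -Remove"
    }
}

# Expired certificates a connector still relies on need replacing, otherwise
# STARTTLS is withdrawn and Event ID 12014 follows. Suggest a self-signed stopgap.
foreach ($c in ($report | Where-Object { $_.Expired -and $_.UsedByConnector })) {
    $fqdn = ($c.Subject -replace '^CN=', '') -split ',' | Select-Object -First 1
    Write-Warning "Certificate $($c.Thumbprint) is expired but covers a connector FQDN; replace it, e.g.:"
    Write-Warning "  New-ExchangeCertificate -SubjectName 'cn=$fqdn' -DomainName $fqdn -Services SMTP"
}
```

Run it once without -Remove and read the table first; the Expired and UsedByConnector columns give you the same picture as comparing the MMC expiration dates with the Get-ExchangeCertificate output in steps 2 to 4.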
Related Articles, References, Credits, or External Links
NA