An Error Occurred While Loading A Certificate for STARTTLS (code 2414)

Situation

A backup plan terminates with the following warning: An error occurred while loading a certificate for STARTTLS

Cause

This warning is an event that indicates that a problem occurred while loading a certificate to be used for STARTTLS. Generally, this problem occurs if one or both of the following conditions are true:

  • The fully qualified domain name (FQDN) that is specified in the Warning event has been defined on a Receive connector or Send connector on a Microsoft Exchange Server 2007 transport server, but no certificate installed on the same computer contains that FQDN in its Subject or Subject Alternative Name fields.
  • A third-party or custom certificate that contains a matching FQDN has been installed on the server, but the certificate is not enabled for the Simple Mail Transfer Protocol (SMTP) service.

Solution

Note that in some cases several VSS errors can occur at the same time, and the recommendations described below may not be helpful.

Follow Microsoft's best-practice procedure to resolve the problem. Refer to the How to Troubleshoot STARTTLS Certificate Error 12014 chapter on docs.microsoft.com.

Note that Microsoft may change the procedures referenced above.

To perform this procedure, the account you use must be delegated the following:

  • Exchange View-Only Administrator role to run the Get-ExchangeCertificate cmdlet
  • Exchange Server Administrator role and local Administrators group for the target server to run the New-ExchangeCertificate cmdlet or the Enable-ExchangeCertificate cmdlet

To run any of these cmdlets on a computer that has the Edge Transport server role installed, you must log on by using an account that is a member of the local Administrators group on that computer.

For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.

  1. Examine the configuration of the certificates that are installed on the Exchange server and the configuration of all Receive connectors and Send connectors that are installed on the server. Use the following commands to view the configuration:

     Get-ExchangeCertificate | FL *
     Get-ReceiveConnector | FL name, fqdn, objectClass
     Get-SendConnector | FL name, fqdn, objectClass

To display the services that are enabled for an installed certificate, you must pass the asterisk (*) to Format-List (FL) when you run the Get-ExchangeCertificate cmdlet. The Services values are not displayed if the * is omitted.

Run the commands and compare the FQDN that is returned with the Warning event with the FQDN that is defined on each connector and with the CertificateDomains values that are defined on each certificate. The CertificateDomains value is a concatenation of the Subject and Subject Alternative Name fields on the certificate.

The goal is to verify that each connector that is using TLS has a corresponding certificate that includes the FQDN of the connector in the CertificateDomains values of the certificate. Note any connectors that are enabled for TLS but do not have a corresponding certificate where the FQDN of the connector is in the CertificateDomains values of the certificate.

Inspect the Services value on each certificate. If a certificate is used for TLS, it must be enabled for the SMTP service, which is shown as a Services value of SMTP.

  2. If the FQDN is not listed in the CertificateDomains values of any certificate, you must create a new certificate that specifies the FQDN of the connector returned in this warning message. You can create the certificate by using the New-ExchangeCertificate cmdlet. Alternatively, you may prefer to use a third-party or custom certificate, in which case you can use the New-ExchangeCertificate cmdlet to generate the certificate request. For more information, see Creating a Certificate or Certificate Request for TLS.
  3. If a third-party or custom certificate has been installed on the server and the certificate contains a matching FQDN but is not enabled for the SMTP service, you must enable the certificate for the SMTP service. For more information, see Enable-ExchangeCertificate.
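The following script automates the comparison described in steps 1 to 3. It is an added example and is not part of the original article or of Microsoft's documentation. It assumes it runs in the Exchange Management Shell on Exchange 2007 under PowerShell 2.0 or later, with an account that holds at least the Exchange View-Only Administrator role. The wildcard-certificate matching (one label under *.example.com) and the decision to treat every Send connector without IgnoreSTARTTLS as TLS-capable are assumptions of this example; the cmdlets and property names (CertificateDomains, Services, Fqdn, AuthMechanism, IgnoreSTARTTLS, Thumbprint) are the standard ones returned by the commands the article already lists.

```powershell
# Added example: audit connectors against installed certificates for STARTTLS.
# Not part of the original KB article or of Microsoft's documentation.
# Assumes: Exchange Management Shell (Exchange 2007), PowerShell 2.0 or later,
# and an account with at least the Exchange View-Only Administrator role.

function Test-DomainMatch {
    param([string]$Fqdn, [string]$CertDomain)
    # Exact (case-insensitive) match, or a wildcard entry such as *.example.com
    # covering exactly one additional label (assumption: one-label wildcard semantics).
    if ($CertDomain -ieq $Fqdn) { return $true }
    if ($CertDomain.StartsWith('*.')) {
        $suffix = $CertDomain.Substring(1)   # ".example.com"
        $sameDepth = ($Fqdn.Split('.').Count -eq $suffix.Split('.').Count)
        return ($Fqdn.ToLower().EndsWith($suffix.ToLower()) -and $sameDepth)
    }
    return $false
}

function Get-CertificateCoverage {
    param([string]$Fqdn, [object[]]$Certificates)
    # Certificates whose CertificateDomains (Subject + Subject Alternative Name) cover this FQDN
    $candidates = @($Certificates | Where-Object {
        $cert = $_
        @($cert.CertificateDomains | Where-Object { Test-DomainMatch -Fqdn $Fqdn -CertDomain "$_" }).Count -gt 0
    })
    # Of those, the ones that are enabled for SMTP and not expired.
    # The Services value renders as e.g. "IMAP, POP, IIS, SMTP".
    $usable = @($candidates | Where-Object {
        ("$($_.Services)" -match '\bSMTP\b') -and ($_.NotAfter -gt (Get-Date))
    })
    New-Object PSObject -Property @{
        HasDomainMatch = ($candidates.Count -gt 0)
        SmtpEnabled    = ($usable.Count -gt 0)
        Thumbprints    = (($candidates | ForEach-Object { $_.Thumbprint }) -join ', ')
    }
}

$certs = @(Get-ExchangeCertificate)

# Receive connectors offer STARTTLS when Tls is among the AuthMechanism flags.
$connectors = @()
foreach ($rc in Get-ReceiveConnector) {
    if ("$($rc.AuthMechanism)" -match '\bTls\b') {
        $connectors += New-Object PSObject -Property @{ Connector = "Receive: $($rc.Name)"; Fqdn = "$($rc.Fqdn)" }
    }
}
# Send connectors attempt STARTTLS opportunistically unless IgnoreSTARTTLS is set
# (assumption of this example: treat every such connector as TLS-capable).
foreach ($sc in Get-SendConnector) {
    if (-not $sc.IgnoreSTARTTLS) {
        $connectors += New-Object PSObject -Property @{ Connector = "Send: $($sc.Name)"; Fqdn = "$($sc.Fqdn)" }
    }
}

$report = @()
foreach ($c in $connectors) {
    # A blank Fqdn means the connector advertises the server's own name; not checked here.
    if ([string]::IsNullOrEmpty($c.Fqdn)) { continue }
    $cov = Get-CertificateCoverage -Fqdn $c.Fqdn -Certificates $certs
    if (-not $cov.HasDomainMatch)  { $action = 'Create a certificate for this FQDN (step 2)' }
    elseif (-not $cov.SmtpEnabled) { $action = 'Enable-ExchangeCertificate -Services SMTP (step 3)' }
    else                           { $action = 'OK' }
    $report += New-Object PSObject -Property @{
        Connector = $c.Connector; Fqdn = $c.Fqdn
        CertFound = $cov.HasDomainMatch; SmtpEnabled = $cov.SmtpEnabled
        Thumbprints = $cov.Thumbprints; Action = $action
    }
}
$report | Format-Table Connector, Fqdn, CertFound, SmtpEnabled, Action -AutoSize

# Step 3 remediation, shown but not run (needs the Exchange Server Administrator role);
# replace <thumbprint> with a value from the Thumbprints column of the report:
#   Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services SMTP
```

Any row whose Action column is not OK corresponds to a connector that will trigger this warning: CertFound = False means no installed certificate lists the FQDN (step 2), and SmtpEnabled = False with CertFound = True means a matching certificate exists but is not enabled for SMTP or has expired (step 3). The Enable-ExchangeCertificate line is left as a comment because it changes server configuration and needs the higher role listed at the top of the Solution section.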