Although the creation/import of Exchange SSL certificates are straightforward (check out one of my other blogposts on trycatch.be/blogs/pdtit if you should need assistance on this) , you sometimes receive an error within the Exchange console or Powershell when manipulating SSL certificates:
Error: The certificate with thumbprint XXXXXXXXX was found but is not valid for use with Exchange Server (reason: PrivateKeyMissing)
Enable-ExchangeCertificate : The certificate with thumbprint “0000000000” was found but is not valid for use with Exchange Server
At line:1 char:29
Enable-ExchangeCertificate -Thumbprint 00000000000 -Services "IIS"
Cause: the real cause behind this error is not always that easy to determine; the most common reasons could be classified as “corrupt”, “initial CSR request was created on another Exchange Server” or “CSR was not created by Exchange Server at all”.
To resolve this issue during SSL certificate installation in Exchange 2007 or 2010 server, use the following procedure:
Method 1: Repair Damaged Certificate (Windows Server 2003/2008)
1. Start / Run / MMC / add the Certificate Snap-In for the Local Computer account.
2. Double-Click on the recently imported certificate.
3. Select the Details tab.
4. Click on the Serial Number field and copy that string.
Note: You may use CTRL+C, but not right-click and copy.
5. Open up a command prompt session. (cmd.exe aka DOS Prompt).
6. Type: certutil -repairstore my "SerialNumber" (which was copied in the previous step.).
7. After running the above command, go back to the MMC and Right-Click Certificates and select Refresh (or hit F5 in the MMC).
8. Double-Click on the problem certificate. At the bottom of this window (General tab) it should state: "You have a private key that corresponds to this certificate."
It should know be possible to enable the Exchange certificate for IIS or other services (Enable-ExchangeCertificate…)
jun 13 2011, 08:49
Peter De Tender