Private Key Missing from Exchange SSL certificate

Although the creation and import of Exchange SSL certificates is straightforward (check out one of my other blog posts on trycatch.be/blogs/pdtit if you need assistance with this), you sometimes receive an error in the Exchange console or PowerShell when manipulating SSL certificates:

Error: The certificate with thumbprint XXXXXXXXX was found but is not valid for use with Exchange Server (reason: PrivateKeyMissing)

Enable-ExchangeCertificate : The certificate with thumbprint “0000000000” was found but is not valid for use with Exchange Server
(reason: PrivateKeyMissing).
At line:1 char:29
Enable-ExchangeCertificate -Thumbprint 00000000000 -Services "IIS"

Cause: The real cause behind this error is not always easy to determine; the most common reasons can be classified as “corrupt”, “initial CSR request was created on another Exchange Server” or “CSR was not created by Exchange Server at all”.

Solution:

To resolve this issue during SSL certificate installation on an Exchange 2007 or 2010 server, use the following procedure:
Method 1: Repair Damaged Certificate (Windows Server 2003/2008)
1. Start / Run / MMC / add the Certificate Snap-In for the Local Computer account.
2. Double-Click on the recently imported certificate.
3. Select the Details tab.
4. Click on the Serial Number field and copy that string.
Note: You may use CTRL+C, but not right-click and copy.
5. Open a command prompt session (cmd.exe, aka DOS prompt).
6. Type: certutil -repairstore my "SerialNumber" (where SerialNumber is the string copied in step 4).
7. After running the above command, go back to the MMC and Right-Click Certificates and select Refresh (or hit F5 in the MMC).
8. Double-Click on the problem certificate. At the bottom of this window (General tab) it should state: "You have a private key that corresponds to this certificate."

It should now be possible to enable the Exchange certificate for IIS or other services (Enable-ExchangeCertificate…).
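
The same check and repair can be scripted instead of clicked through in the MMC. The function below is an added example, not part of the original post: Repair-CertificatePrivateKey is a hypothetical name, and it assumes an elevated PowerShell session on the server that should hold the key.

```powershell
function Repair-CertificatePrivateKey {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Thumbprint
    )

    # Strip spaces and any non-hex characters picked up when the value
    # was copied from the certificate's Details tab.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $path  = "Cert:\LocalMachine\My\$clean"

    if (-not (Test-Path $path)) {
        throw "No certificate with thumbprint $clean in LocalMachine\My."
    }
    $cert = Get-Item $path

    # HasPrivateKey is what the General tab reports in step 8.
    if ($cert.HasPrivateKey) {
        Write-Host "Private key already associated; nothing to repair."
        return $true
    }

    # Same command as step 6, using the serial number read from the store.
    # -repairstore can only re-link a key that already exists on this
    # machine; if the CSR was generated elsewhere, export a PFX from that
    # server instead.
    & certutil.exe -repairstore my $cert.SerialNumber
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "certutil exited with code $LASTEXITCODE; no matching key found on this server."
        return $false
    }

    # Re-read the store (the scripted equivalent of Refresh / F5 in step 7).
    return (Get-Item $path).HasPrivateKey
}

# Usage, with a placeholder thumbprint taken from the error message:
# if (Repair-CertificatePrivateKey -Thumbprint '<thumbprint>') {
#     Enable-ExchangeCertificate -Thumbprint '<thumbprint>' -Services "IIS"
# }
```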

Cheers, Peter


Posted Jun 13 2011, 08:49 by Peter De Tender