Exchange 2007 SSL Problem
-
Thursday, January 04, 2007 3:24 PM
I am using my own home-grown SSL certificate and trying to get Exchange 2007 to like it, but:
I open PowerShell and type
import-exchangecertificate -path c:\temp\server9.cer
It displays the thumbprint. I then type:
get-exchangecertificate -thumbprint <thumbprint> and all I get is this:
Get-ExchangeCertificate : The certificate with thumbprint AA33E0D6502444EEA2D63
1FDC37E889C489C8C49 was found but is not valid for usage with Exchange Server (
reason: PrivateKeyMissing).
At line:1 char:24
+ get-exchangecertificate <<<< -thumbprint AA33E0D6502444EEA2D631FDC37E889C489
C8C49
GRRRRRRR. Any ideas? Can't find it in certmgr.msc. Can't remove it either using remove-exchangecertificate as it gets the same error so I have to delete it from the registry.
HKLM\SOFTWARE\Microsoft\SystemCertificates\My\Certificates
All Replies
-
Thursday, January 04, 2007 5:08 PM
Found a way round it.
I removed the default certificate from IIS, and then proceeded to add my new certificate from the pfx file.
This successfully went into IIS and then magically appeared when running dir cert://localmachine/my
I then did enable-exchangecertificate -thumbprint xxxxx -services "POP,IMAP,IIS"
Seems to work OK.
-
Saturday, June 09, 2007 11:03 PM
Remove-ExchangeCertificate : The default certificate cannot be removed. If you want to replace the default certificate for the server by replacing it with another certificate with the same server fully qualified domain name (FQDN), you cannot remove the certificate that is being used. You must create the new certificate for the server FQDN first and then remove the old certificate.
-
Tuesday, August 07, 2007 6:00 PM
This entry has the relevant information:
http://msexchangeteam.com/archive/2007/02/19/435472.aspx
To make a long story short, this error is caused by running Import-ExchangeCertificate on a different server than the original "New-ExchangeCertificate -generate" request was run on. (New-ExchangeCertificate generates the private key but places it in the local Exchange certificate store, but doesn't pass the private key out with the certificate request. Importing the certificate issued by the CA [which does not have the private key] on any other machine fails as the private key is not in its local store.) This one had me stumped for quite a bit as the Issuing CA clearly was not allowing an export of the private key (in retrospect, because there was none).
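An added example, not part of the original thread and not Microsoft's code: a PowerShell check of whether the machine you are about to import on actually holds the private key for a CA-issued .cer file, which is the condition behind PrivateKeyMissing. The file path is the one from the first post; looking for the pending request in the Windows enrollment-request store (Cert:\LocalMachine\REQUEST) is an assumption about where the request was kept.

```powershell
# Added example. Run in PowerShell on the server where you plan to import.
# $CerPath defaults to the path from the thread; pass your own file.
param([string]$CerPath = 'C:\temp\server9.cer')

# A .cer file carries only the public certificate, never the private key.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
"Issued certificate : {0}" -f $issued.Subject
"Thumbprint         : {0}" -f $issued.Thumbprint

# 1. Is the certificate already in the machine store, and is a key bound to it?
$inStore = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $issued.Thumbprint }

if (-not $inStore) {
    "Cert:\LocalMachine\My : not present"
} else {
    foreach ($c in $inStore) {
        if ($c.HasPrivateKey) {
            "Cert:\LocalMachine\My : present, private key associated"
        } else {
            "Cert:\LocalMachine\My : present, NO private key (PrivateKeyMissing case)"
        }
    }
}

# 2. Did this machine generate the request? A pending request is stored as a
#    placeholder certificate with the same public key as the issued one.
#    (Assumption: the request sits in the standard REQUEST store.)
$pubKey  = $issued.GetPublicKeyString()
$pending = Get-ChildItem Cert:\LocalMachine\REQUEST -ErrorAction SilentlyContinue |
    Where-Object { $_.GetPublicKeyString() -eq $pubKey }

if ($pending) {
    "Pending request    : found here, so this machine holds the key pair"
} else {
    "Pending request    : none matching; the key pair was likely generated elsewhere"
}

# 3. Overview of every certificate in the store and its key status.
Get-ChildItem Cert:\LocalMachine\My |
    Select-Object Thumbprint, Subject, NotAfter, HasPrivateKey |
    Format-Table -AutoSize
```

If step 2 finds no matching request, import the certificate on the server that generated the request, or move it as a .pfx that includes the private key, as the second post did through IIS.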
-
Wednesday, May 07, 2008 9:05 PM
Sorry to bump this thread, but I will make something clear.
I had this problem while performing the Import and Enable from the REQUESTING machine, not a different machine, so the msexchange.org posting doesn't apply, and I am sure I won't be the only one...
Check out this posting to fix this problem:
http://blog.matthewtrotter.com/?p=29
I have done a pile of Exchange 2007 installs and this was the first one that failed, so I am not sure what caused the problem, but this does fix it.

