Cannot Enable cert for Exchange 2007

  • Question

  • I have imported a new cert for an Exchange 2007 server. When I go to enable it, I get the following error:

    Enable-ExchangeCertificate : The certificate with thumbprint xxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxx was found but is not valid for use with Exchange Server
    (reason: PrivateKeyMissing).
    At line:1 char:27
    + Enable-exchangecertificate <<<<  -services IIS, POP, SMTP -thumbprint  xxxxxxxxxxxxxxxxxxxxxxx
        + CategoryInfo          : NotSpecified: (:) [Enable-ExchangeCertificate],
       CertificateNotValidForExchangeException
        + FullyQualifiedErrorId : CA865C10,Microsoft.Exchange.Management.SystemCon
       figurationTasks.EnableExchangeCertificate

    When going into the certificate store I can see both certificates, the old one and the new one. I simply downloaded the new one after I renewed and enabled it on the server. Do I need to do a new CSR? My old one doesn't expire until Feb 28th so I still have some time.

    Thank You


    John

    Saturday, January 26, 2013 7:24 PM

Answers

  • Looks like the import is failing because the certificate does not have a Private Key. You can generate a private key for the new certificate. To do this:

    1. Open a command prompt on your Exchange server with elevated rights.

    2. Run the command certutil -repairstore my "Serial Number of the certificate"

    To get the serial number of the certificate, go to the properties of the new certificate and click on the "Details" tab. You will have the serial number. Please note that the serial number should be enclosed within the quotes.

    The above command would generate the private key. If this doesn't help, you will have to contact your Certificate Authority (if using a 3rd party) and have them send a certificate along with the private key.

    -PSS

    Saturday, January 26, 2013 11:53 PM
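
The check and repair steps from the answer above, written as a PowerShell script. This is an added example, not part of the original thread; the `$Thumbprint` default is a placeholder. Note that `certutil -repairstore` can only re-associate a private key that already exists on this server (the one created with the original request); it cannot create one for a certificate requested elsewhere.

```powershell
# Added example: confirm the PrivateKeyMissing condition, repair it, verify the result.
# Run from an elevated PowerShell session on the Exchange server.
# $Thumbprint is a placeholder; use the thumbprint from your own error message.
param([string]$Thumbprint = '<THUMBPRINT-OF-NEW-CERT>')

# Thumbprints copied from the certificate dialog often contain spaces.
$Thumbprint = $Thumbprint.Replace(' ', '').ToUpper()

# List the computer's Personal store so the old and the renewed certificate
# can be compared side by side. HasPrivateKey is the property that matters.
$certs = Get-ChildItem Cert:\LocalMachine\My
$certs | Sort-Object NotAfter |
    Format-Table Thumbprint, SerialNumber, HasPrivateKey, NotAfter, Subject -AutoSize

$cert = $certs | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    Write-Warning "No certificate with thumbprint $Thumbprint in LocalMachine\My."
    return
}

if ($cert.HasPrivateKey) {
    Write-Host "Certificate already has a private key; no repair needed."
    return
}

# Step 2 of the answer: repair the store entry, identified by serial number.
Write-Host "Running: certutil -repairstore my `"$($cert.SerialNumber)`""
certutil -repairstore my $cert.SerialNumber
if ($LASTEXITCODE -ne 0) {
    Write-Warning "certutil exited with code $LASTEXITCODE."
}

# Re-read the store; the certificate object fetched earlier is stale.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }

if ($cert.HasPrivateKey) {
    Write-Host "Private key is now associated. Re-run Enable-ExchangeCertificate."
} else {
    # No matching key on this machine: the request was not generated here,
    # or the pending request was removed.
    Write-Warning "Still no private key. Obtain a certificate with its key, or issue a new CSR from this server."
}
```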

All replies

  • On Sat, 26 Jan 2013 19:24:36 +0000, Mailman50 wrote:
     
    >I have imported a new cert for an Exchange 2007 server. When I go to enable it, I get the following error:
    >
    >Enable-ExchangeCertificate : The certificate with thumbprint xxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxx was found but is not valid for use with Exchange Server (reason: PrivateKeyMissing). At line:1 char:27 +
     
    This pretty much says it all: The certificate you imported doesn't
    have a private key.
     
    Without a private key the certificate cannot be used to encrypt data.
     
    >Enable-exchangecertificate <<<< -services IIS, POP, SMTP -thumbprint xxxxxxxxxxxxxxxxxxxxxxx + CategoryInfo : NotSpecified: (:) [Enable-ExchangeCertificate], CertificateNotValidForExchangeException + FullyQualifiedErrorId : CA865C10,Microsoft.Exchange.Management.SystemCon figurationTasks.EnableExchangeCertificate
    >
    >When going into the certificate store I can see both certificates, the old one and the new one. I simply downloaded the new one after I renewed and enabled it on the server. Do I need to do a new CSR? My old one doesn't expire until Feb 28th so I still have some time.
     
    If you exported that certificate from some other machine you didn't
    request the private key to be exported.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Sunday, January 27, 2013 1:28 AM
  • Thank you, this is what I was looking for, this did the trick.

    John

    Monday, January 28, 2013 8:38 PM
  • I did not bring it in from any other machine; I downloaded it from my certificate issuer after I renewed the old one.

    John

    Monday, January 28, 2013 8:39 PM