
Knowledge Base

  

Problem

This message appears during SSL certificate installation on an Exchange 2007 server.

Enable-ExchangeCertificate : The certificate with thumbprint XXXXXXXXX was found but is not valid for use with Exchange Server
(reason: PrivateKeyMissing).
At line:1 char:27
+ Enable-ExchangeCertificate -Thumbprint XXXXXXXXX -Services "IIS"


Cause

This error occurs when one of the following statements is true:

  • You create a Certificate Signing Request (CSR) with IIS and you attempt to install it through the Exchange Management Shell (EMS).

  • The CSR is created with EMS on another Exchange Server.

  • The certificate is damaged, or Windows simply "forgets" where it placed the Private Key for the certificate.


Resolution

Use the following methods to resolve the problem:


Method 1:
Repair Damaged Certificate (Windows Server 2003/2008)

1. Open MMC then add the Certificate Snap-In for the Local Computer account.

2. Double-Click on the recently imported certificate. 
Note: In Windows Server 2008, a certificate without its private key is missing the golden key icon beside it.

3. Choose the Details tab.

4. Click on the Serial Number field, then copy that string with CTRL+C. Do NOT right-click and copy.

5. Open a command prompt session (cmd.exe).

6. Type: certutil -repairstore my "SerialNumber" (where SerialNumber is the string copied in step 4).

7. After running the above command, go back to the MMC, right-click Certificates, then choose Refresh (or press F5 in the MMC).

8. Double-Click on the problem certificate. At the bottom of this window (General tab) you should see: "You have a private key that corresponds to this certificate."

Note: In Windows Server 2008, there is no need to double-click the certificate because there is a golden key to the left of the certificate.

9. Now that the private key is attached to the certificate, enable Exchange services with the command below. It assigns services to any existing certificate on the server that is correctly installed and has a matching private key.

Enable-ExchangeCertificate -Thumbprint [THUMBPRINT] -Services "POP, IMAP, IIS, SMTP" 


Replace [THUMBPRINT] with the certificate thumbprint, which can be found in the certificate details inside the Microsoft Management Console's Certificate Snap-In for the Local Computer account.
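
Steps 1 to 8 of Method 1 can also be carried out from PowerShell. The script below is an added example, not part of the original article; it assumes an elevated prompt on the Exchange server, `<THUMBPRINT>` is a placeholder for your certificate's thumbprint, and `Get-MachineCert` is a helper name chosen here.

```powershell
# Added example: scripted form of Method 1 (steps 1-8). Run from an elevated prompt.
$Thumbprint = '<THUMBPRINT>'   # placeholder: thumbprint reported in the PrivateKeyMissing error

function Get-MachineCert([string]$Thumb) {
    # Keep only hex digits so spaces copied from the certificate dialog do not break the match.
    $clean = ($Thumb -replace '[^0-9A-Fa-f]', '').ToUpper()
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $clean } |
        Select-Object -First 1
}

$cert = Get-MachineCert $Thumbprint
if (-not $cert) {
    Write-Warning 'Certificate not found in the Local Computer Personal (my) store.'
    return
}

if (-not $cert.HasPrivateKey) {
    # Step 6: ask Windows to re-associate the private key, identified by serial number.
    Write-Host "Private key missing; running certutil -repairstore my $($cert.SerialNumber)"
    certutil -repairstore my $cert.SerialNumber
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "certutil exited with code $LASTEXITCODE; the key may not exist on this server."
    }
    # Steps 7-8: re-read the store instead of refreshing the MMC.
    $cert = Get-MachineCert $Thumbprint
}

if ($cert.HasPrivateKey) {
    Write-Host 'Private key is present. In the Exchange Management Shell, run:'
    Write-Host "Enable-ExchangeCertificate -Thumbprint $($cert.Thumbprint) -Services `"POP, IMAP, IIS, SMTP`""
} else {
    Write-Warning 'Private key still missing. Use Method 2 or have the certificate reissued.'
}
```

The script only prints the Enable-ExchangeCertificate command, because that cmdlet is available in the Exchange Management Shell rather than a plain PowerShell session.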


Method 2:
Remove and Re-Install Certificate (Windows Server 2003/2008)

1. Verify the certificate doesn't have its private key.
In the Microsoft Management Console (MMC), double-click on the recently imported certificate. 
Note: In Windows Server 2008, a certificate without its private key is missing the golden key icon beside it.

2. Right-click on the certificate, then click Delete.

3. Re-install the SSL certificate.


If the problem persists, a reissued certificate is required. Go to Create CSR to create a new CSR, then reissue your certificate in your MySSL account.
