Ask a Question

Advanced Search

Solution ID : SO14291

Last Modified : 05/02/2018

Error: The certificate with thumbprint XXXXXXXXX was found but is not valid for use with Exchange Server (reason: PrivateKeyMissing)

Problem

Enable-ExchangeCertificate : The certificate with thumbprint XXXXXXXXX was found but is not valid for use with Exchange Server
(reason: PrivateKeyMissing).
At line:1 char:27
+ Enable-ExchangeCertificate -Thumbprint XXXXXXXXX -Services "IIS"

Cause

The above error can be a result of multiple reasons.

  • Certificate Signing Request (CSR) was created with IIS and attempted to be installed through the Exchange Management Shell (EMS).
  • Certificate Signing Request (CSR) was created in EMS on another Exchange Server.
  • A damaged certificate, or Windows simply "forgets" where it placed the PrivateKey for the certificate.
     

Solution

To resolve this issue during SSL certificate installation in Exchange 2007 server. Perform the following suggested methods.
 

Method 1: Repair Damaged Certificate (Windows Server 2003/2008)

  1. Open MMC as described in SO9999 and add the Certificate Snap-In for the Local Computer account.
     
  2. Double-Click on the recently imported certificate.
    Note: In Windows Server 2008 it will be the certificate missing the golden key beside it.
     
  3. Select the Details tab.
     
  4. Click on the Serial Number field and copy that string.
    Note: You may use CTRL+C, but not right-click and copy.
     
  5. Open up a command prompt session. (cmd.exe aka DOS Prompt).
     
  6. Type following command:
    certutil -repairstore my "SerialNumber"
    Note:  SerialNumber is that which was copied down in step 4.
     
  7. After running the above command, go back to the MMC and Right-Click Certificates and select Refresh (or hit F5 in the MMC).
     
  8. Double-Click on the problem certificate. At the bottom of this window (General tab) it should state: "You have a private key that corresponds to this certificate."
    Note: In Windows Server 2008 there will be a golden key to the left of the certificate, so there is no need to double-click the certificate.
     
  9. Now that the Private Key is attached to the certificate, please proceed to enable Exchange Services described in SO14290.


Method 2: Remove and Re-Install Certificate (Windows Server 2003/2008)

  1. Verify the certificate doesn't have it's private key.
    In the Microsoft Management Console (MMC), described in SO9999. Double-click the recently imported certificate.
    Note: In Windows Server 2008 it will be the certificate missing the golden key beside it.
     
  2. Right-Click on the certificate and click Delete.
     
  3. Re-install the SSL certificate as described in SO10425.