Solved

Enable-Exchange certificate fails with PrivateKeyMissing error

Posted on 2008-10-17
Last Modified: 2011-12-30
Hello all-
I received my certificates from GoDaddy this morning. Both certificates installed without issue on my Windows 2008/Exchange 2007 Client Access Server.
When I issued the Enable-ExchangeCertificate -Thumbprint xxxxxxxxxxxxxxxxxxxxxxxx -Services "IIS,IMAP,POP,SMTP" command, it fails with the following:
Enable-ExchangeCertificate : The certificate with thumbprint xxxxxxxxxxxxx was found but is not for use with Exchange Server (reason: PrivateKeyMissing).
My research consistently states I need to run the certutil -repairstore my "<thumbprint>" command.
When I do, the "Insert Smart Card" window pops up. As I am not using Smart Cards, all I can do is hit "Cancel". Once I do that, the following error occurs:
================ Certificate 0 ================
Serial Number: e06648
Issuer: SERIALNUMBER=111111111, CN=Go Daddy Secure Certification Authority, OU=ht
tp://certificates.godaddy.com/repository, O=GoDaddy.com, Inc., L=Scottsdale, S=A
rizona, C=US
NotBefore: 10/17/2008 10:13 AM
NotAfter: 10/17/2009 10:13 AM
Subject: OU=Domain Control Validated, CN=abc.edu, O=test.abc.edu
Non-root Certificate
Cert Hash(sha1): xxxxxxxxxxxxxxxxxxxxxx
No key provider information
Cannot find the certificate and private key for decryption.
CertUtil: -repairstore command FAILED: 0x80090010 (-2146893808)
CertUtil: Access denied.
I'm stumped...any and all help is appreciated. I'm not particularly strong in certificates.
Question by:my51chevy

Accepted Solution

by:
abdulzis earned 350 total points
ID: 22747678
Most likely you will need to get a new certificate from GoDaddy or there might be a problem with folder level permissions on the folder where the private key is stored.

Can you create a test self-signed certificate using the shell and assign it to IIS? Does it throw the same error? If not, request and get a new certificate from GoDaddy.

Assisted Solution

by:Justin Durrant
Justin Durrant earned 150 total points
ID: 22748018

Author Comment

by:my51chevy
ID: 22749256
Thanks abdulzis, jjdurrant..
Been offline since last night.
I have a feeling that I'll have to get a new cert..but in the meantime I'll try what jjdurrant suggests..can't hurt.
I should be able to address remotely tomorrow. Stay tuned.

Author Closing Comment

by:my51chevy
ID: 31507199
I appreciated jjdurrant's input so I gave him part of the points.

Expert Comment

by:tumppi
ID: 35276902
https://search.thawte.com/support/ssl-digital-certificates/index?page=answerlink&url=index%3Fpage%3Dcontent%26id%3DSO14287%26actp%3Dsearch%26viewlocale%3Den_US&answerid=16777216&searchid=1301566898439

Error: The certificate with thumbprint XXXXXXXXX was found but is not valid for use with Exchange Server (reason: PrivateKeyMissing)

Problem


Enable-ExchangeCertificate : The certificate with thumbprint XXXXXXXXX was found but is not valid for use with Exchange Server
 (reason: PrivateKeyMissing).
 At line:1 char:27
 + Enable-ExchangeCertificate -Thumbprint XXXXXXXXX -Services "IIS"


Cause


The above error can be a result of multiple reasons.
• Certificate Signing Request (CSR) was created with IIS and attempted to be installed through the Exchange Management Shell (EMS).
• Certificate Signing Request (CSR) was created in EMS on another Exchange Server.
• A damaged certificate, or Windows simply "forgets" where it placed the PrivateKey for the certificate.
 
 

Resolution


To resolve this issue during SSL certificate installation in Exchange 2007 server, perform the following suggested methods.

Method 1: Repair Damaged Certificate (Windows Server 2003/2008)
 
1. Open MMC as described in SO1849 and add the Certificate Snap-In for the Local Computer account.
 
2. Double-Click on the recently imported certificate.

Note: In Windows Server 2008 it will be the certificate missing the golden key beside it.
 
3. Select the Details tab.
 
4. Click on the Serial Number field and copy that string.
 
Note: You may use CTRL+C, but not right-click and copy.
 
5. Open up a command prompt session. (cmd.exe aka DOS Prompt).
 
6. Type: certutil -repairstore my "SerialNumber" (SerialNumber is that which was copied down in step 4.).

7. After running the above command, go back to the MMC and Right-Click Certificates and select Refresh (or hit F5 in the MMC).
 
8. Double-Click on the problem certificate. At the bottom of this window (General tab) it should state: "You have a private key that corresponds to this certificate."
 
Note: In Windows Server 2008 there will be a golden key to the left of the certificate, so there is no need to double-click the certificate.
 
9. Now that the Private Key is attached to the certificate, please proceed to enable Exchange Services described in SO14288.
 

Method 2: Remove and Re-Install Certificate (Windows Server 2003/2008)
 
1. Verify the certificate doesn't have its private key.
 
In the Microsoft Management Console (MMC), described in SO1849, double-click the recently imported certificate.

Note: In Windows Server 2008 it will be the certificate missing the golden key beside it.
 
2. Right-Click on the certificate and click Delete.
 
3. Re-install the SSL certificate as described in SO6287.

Method 1 worked for me just fine.
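
Added example (not part of any post in this thread, and not Thawte's or Microsoft's code): a PowerShell version of the Method 1 check and repair, which reads the serial number and private-key flag from the LocalMachine\My store instead of the MMC and handles the failure case from the original question. The function names and the thumbprint placeholder are assumptions made for illustration.

```powershell
# Added example. Run from an elevated PowerShell / Exchange Management Shell.
# Function names are hypothetical; the thumbprint is whatever the
# Enable-ExchangeCertificate error message reported.

function Get-CertKeyStatus {
    param([string]$Thumbprint)
    # Values copied from the MMC often carry spaces or hidden characters;
    # keep only the hex digits before comparing.
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $tp } |
        Select-Object Thumbprint, SerialNumber, Subject, NotAfter, HasPrivateKey
}

function Repair-CertKeyLink {
    param([string]$Thumbprint)

    $cert = Get-CertKeyStatus $Thumbprint
    if (-not $cert) {
        throw "No certificate with thumbprint '$Thumbprint' in LocalMachine\My."
    }
    if ($cert.HasPrivateKey) {
        return $cert    # key is already linked; nothing to repair
    }

    # Method 1, step 6: re-associate the certificate with its key container.
    & certutil.exe -repairstore my $cert.SerialNumber | Out-Host

    if ($LASTEXITCODE -ne 0) {
        # The case in the original question: certutil cannot find a matching
        # key on this machine (for example, the CSR was created elsewhere).
        # Repairing cannot help; re-install or re-issue the certificate.
        Write-Warning ("certutil -repairstore failed (exit code $LASTEXITCODE). " +
                       "No matching private key was found on this server.")
    }

    # Re-read the store so the caller sees the current HasPrivateKey value.
    Get-CertKeyStatus $Thumbprint
}

# Usage (placeholder thumbprint):
#   $result = Repair-CertKeyLink '<thumbprint from the error message>'
#   if ($result.HasPrivateKey) {
#       Enable-ExchangeCertificate -Thumbprint $result.Thumbprint -Services "IIS"
#   }
```

HasPrivateKey being True after the repair corresponds to the golden key icon described in step 8.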

Expert Comment

by:louisreeves
ID: 36271119
Very good work here. I used this and saved half a day's work waiting for GoDaddy!