
  • Status: Solved


I am attempting to import a new SSL certificate into Exchange 2007. I have the new key and while importing I have this message.
Enable-ExchangeCertificate : The certificate with thumbprint (thumbprint)  was found but is not valid for use with Exchange Server
(reason: PrivateKeyMissing).
At line:1 char:87
+ Import-ExchangeCertificate -Path C:\mail_clinpath_com.cer | Enable-ExchangeCe
rtificate  <<<< -Services "SMTP, IMAP, POP, IIS"

I am lost on what to do. Any help would be great. Thanks.
2 Solutions
Create and obtain a 3rd party Certificate

Exchange 2007 SSL CSR Command Wizard: https://www.digicert.com/easy-csr/exchange2007.htm
      Will need at least 4 names (example):
                (CAS Server name1)
                (CAS Server name1 fqdn)

Use the New-ExchangeCertificate in the Exchange Shell on the CAS Server
      New-ExchangeCertificate -GenerateRequest -Path c:\yourdomain_com.csr -KeySize 2048 -SubjectName "c=US, s=Texas, l=Houston, o=Org Name, Inc, ou=IS, cn=letigre.com" -DomainName mail.yourdomain.com, autodiscover.yourdomain.com, exchangeservername.yourdomain.com, exchangeservername -PrivateKeyExportable $True
      The thumbprint for the certificate will be listed in the Shell
      The CSR file can be found under the specified path, which in this example is the root of the C: drive

After having submitted the certificate request to a 3rd party certificate authority, you'll receive an email message containing the issued certificate shortly thereafter.

This certificate now needs to be imported and enabled on the Exchange 2007 server on which the Client Access server role has been installed
Import-ExchangeCertificate -Path c:\mail_yourdomain_com.cer | Enable-ExchangeCertificate -Services IIS

In case you want to import or apply the same certificate to another Edge or CAS server, you need to perform the following additional steps:

1. Open the Certificates MMC snap-in for the local computer on the server which already has the cert installed.

2. Go to the Personal container and locate the certificate which you had just imported.

3. Export this certificate with private key - DO NOT DELETE KEY ONCE CERT HAS BEEN EXPORTED!!!

5. Copy this certificate to the server where you want to configure this certificate.

6. Run the following command on the second server which you want to configure from the same certificate:

Import-ExchangeCertificate -Path c:\path\<certificate file>.pfx -Password:(Get-Credential).password

The Get-Credential cmdlet in the above command pops up a standard username\password dialog box. This is a little bit confusing because we don't need a username to get to the keys; just put whatever you want for the username, but put the password that you used when you ran the Export certificate wizard in the Certificate Manager snap-in in MMC.

7. Run the command Get-ExchangeCertificate to get the thumbprint of this certificate.

8. Run the command Enable-ExchangeCertificate -Thumbprint <copy the thumbprint> -Services IIS

9. After running the above command, run Get-ExchangeCertificate again to verify whether the services are enabled.
JaysonJackson (Author) Commented:
OK, well, this has kept me up for several nights. Being a total knucklehead when getting the new certificate, I used the OLD CSR. After creating a new CSR and reissuing a certificate with the newly created CSR, everything worked. Thanks guys for your help.
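A way to check for the mismatch described in this thread before running Enable-ExchangeCertificate, as an added example that is not part of the original posts. It assumes the pending request created by New-ExchangeCertificate -GenerateRequest is still in the local computer's certificate request store (Cert:\LocalMachine\REQUEST) and reuses the .cer path from the question.

```powershell
# Added example (not from the thread). Run on the server where the CSR was generated.
# Assumption: the issued certificate is at the path used in the question.
$cerPath = 'C:\mail_clinpath_com.cer'

# Load only the public certificate returned by the CA (a .cer never carries a private key).
$issued    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$issuedKey = $issued.GetPublicKeyString()

"Issued cert : $($issued.Subject)"
"Thumbprint  : $($issued.Thumbprint)"

# 1. If the certificate is already in the Personal store, is a private key bound to it?
$installed = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $issued.Thumbprint }

if ($installed) {
    $installed | Select-Object Thumbprint, Subject, HasPrivateKey | Format-List
} else {
    "Certificate is not in Cert:\LocalMachine\My yet."
}

# 2. Does a pending request on this server hold the key pair the CA signed?
#    Assumption: pending requests are kept in the REQUEST store until completed.
$pending = Get-ChildItem Cert:\LocalMachine\REQUEST |
    Where-Object { $_.GetPublicKeyString() -eq $issuedKey }

if ($pending) {
    "MATCH: a pending request on this server has the same public key."
    "Importing the certificate here can bind it to that private key."
} elseif ($installed -and $installed.HasPrivateKey) {
    "Certificate is installed and already has its private key."
} else {
    "NO MATCH: no pending request on this server has this public key."
    "The certificate was issued from a different CSR (for example an old one),"
    "so importing it here will report PrivateKeyMissing. Generate a new CSR"
    "and have the CA reissue against it, or import a .pfx that includes the key."
}
```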
