Trouble installing SSL certificate for Exchange 2007

Posted on 2011-02-26
Last Modified: 2012-05-11
My security cert is about to expire, and I renewed it with the same company, Go Daddy.  I selected to renew it with the same information since none of our servers had changed.  I downloaded the zip file containing the p7b and the crt, but ran into a problem when I tried to import it.
In power shell I ran

Import-ExchangeCertificate -path C:\\gd_iis_intermediates.p7b | Enable-ExchangeCertificate -Services IMAP, POP, UM, IIS, SMTP

That generated an error Import-ExchangeCertificate : The source data cannot be imported or the wrong password was specified.
At line:1 char:27
+ Import-ExchangeCertificate  <<<< -path C:\\gd_
iis_intermediates.p7b | Enable-ExchangeCertificate -Services IMAP, POP, UM, IIS

I did find
but when I go to add the snap in it tells me to select for:
my account
service account
computer account

I'm not sure what to select.  after that it says to run
certutil -repairstore my "SerialNumber"
is that in a normal command prompt or in Power Shell?

Question by:nohman27

Expert Comment

ID: 34987036
don't forget the "" "POP, IMAP, IIS, SMTP"
To check your certificate
Get-ExchangeCertificate | fl

Open in new window

take a look to that's article:
LVL 17

Expert Comment

by:Viral Rathod
ID: 34987067
LVL 49

Expert Comment

ID: 34987118
Nop what you are doing is wrong

1. gd_iis_intermediates.p7b is the intermediate certificates of GoDaddy it is not the one you should import using import-exchangecertificate

2. In exchange 2007 there is nothing called renew you will need to do the process again -> generate a csr on your exchange server -> go to godaddy rekey your certificate using the new csr -> and then import and enable

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.


Author Comment

ID: 34987155
I tried the Go Daddy instructions, but got
Enable-ExchangeCertificate -Thumbprint[mythumbprint] -Service[mythumbprint] was found but is not valid for use with Exchange Server
(reason: PrivateKeyMissing).
At line:1 char:27
+ Enable-ExchangeCertificate  <<<< -Thumbprint [mythumbprint] -Services "IMAP, POP, UM, IIS, SMTP"

Author Comment

ID: 34987161
I have to start the process over?  like run
New-ExchangeCertificate etc...
and buy a new cert?
LVL 49

Expert Comment

ID: 34987168
on the exchange you will need to do the process again yes like new-exchangecertificate etc...

On godaddy no need to buy a new one just  rekey the one you have just bought/renewed it is free of charge

download from godaddy the new .cer file (NOT the p7b) and import-exchangecertificate .....cer | enable-exchangecertificate

Author Comment

ID: 34987252
I'm still getting an error.  This time it is telling me that my thumbprint isn't correct.

This is what I ran in Powershell

[PS] C:\Documents and Settings\user>
[PS] C:\Documents and Settings\user>New-ExchangeCertificate -DomainName mail,, mail1.mydomain.
org, , -FriendlyName mymailcert -GenerateRequest:$True -Keysize 20
48 -path c:\certreq.req -privatekeyExportable:$true -subjectName "c=us
, o=my org,"

Thumbprint                                Services   Subject
----------                                --------   -------
C7mythumbprintC7  .....      CN=mail.mydomai...

[PS] C:\Documents and Settings\user>Import-ExchangeCertificate -path C:\mail
[PS] C:\Documents and Settings\user>Enable-ExchangeCertificate -Services "IM

cmdlet Enable-ExchangeCertificate at command pipeline position 1
Supply values for the following parameters:
Thumbprint: C7mythumbprintC7
Enable-ExchangeCertificate : The certificate with thumbprint C7mythumbprintC7 was not found.
At line:1 char:27
+ Enable-ExchangeCertificate  <<<< -Services "IMAP, POP, UM, IIS, SMTP"

LVL 49

Accepted Solution

Akhater earned 500 total points
ID: 34987259
ok when you importoed the .crt file you didn't geet any errors right ?

in that case please issue now a get-exchangecertificate command you will have a thumbprint (usually the first one) with the new subject you have just requested and not assigned to any service copy THIS thumbprint and do a

enable-exchangecertificate ThumbPrintCopied -services IIS

it is NOT the same thumbprint you got when you created your request

Author Closing Comment

ID: 34987288
Thank you so much that got it installed.
LVL 49

Expert Comment

ID: 34987292
glad to know it is working for you !

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Following basic email etiquette rules will help you write a professional email and achieve a good, lasting impression with your contacts.
This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit If you want to manage em…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question