Solved

SSL Certificate Missing Private Key

Posted on 2014-03-20
Last Modified: 2014-03-21
I've just bought an SSL certificate for my Exchange 2007 server from 123-reg. I was given instructions as to how to import the certificate. When I was requesting it I used an online form to create the CSR and typed in the private key. I've imported the certificate but when I try to enable it I get an error back saying CertificateNotValidForExchangeException and that the private key is missing. I've contacted 123-reg and pretty much been told they provided the cert and they don't care what happens after.
Can someone tell me what I need to do to get this working so I can use my Outlook Anywhere?

Guide from 123-reg below:

Thank you for contacting 123-reg on the 20th March 2014.

Please use the below link to install your certificate on Microsoft Exchange 2007:

https://support.globalsign.com/customer/portal/articles/1226878-install-certificate---microsoft-exchange-2007

You will need an intermediate SSL certificate which can be found on the below support article:

Where can I obtain an Intermediate Root CA Certificate for my SSL Certificate?

If we can be of any further help with regard to this or any other matter, please do not hesitate to contact us.
Kind Regards

------------------------------------------------------------------------------------------------------------------
0
Question by:McSnoogins1
16 Comments
 
LVL 29

Accepted Solution

by:
becraig earned 250 total points
ID: 39943007
Do you still have access to the computer you requested the cert from originally?

If so, simply reimport the public key .cer to that computer.
Then find the serial number.

Then run the following command from an elevated prompt:


certutil -repairstore my <serial number>
0
 
LVL 17

Assisted Solution

by:Emmanuel Adebayo
Emmanuel Adebayo earned 250 total points
ID: 39943039
Use the following steps to recover your private key using the certutil command.

1. Locate your Server Certificate file (for example, exchange.cer) and double-click it. The Certificate dialog box appears.
2. Click the Details tab. Write down the 8-character serial number of the certificate.
3. Click Start > Run.
4. Type cmd and click OK. A Command Prompt window opens.
5. Enter the following command at the prompt:

certutil -repairstore my <serial number>

Where <serial number> is the 8-character serial number obtained in Step 2 (spaces removed).

6. If Windows is able to recover the private key, you see the following message:

CertUtil:  -repairstore command completed successfully.
1
 

Author Comment

by:McSnoogins1
ID: 39943112
I've attached what happens. Do I need to paste the private key into a txt file as well to import it? All I was given from 123-reg was an email with ----BEGIN------ *cert stuff*----END--- which I was told to paste into a notepad file and save as .crt :(
Untitled.png
0
 
LVL 29

Expert Comment

by:becraig
ID: 39943134
Use that file and go to your computer where the request was generated:
Run mmc.exe
Add/Remove Snap-in
Certificates
Computer account
Local computer
Expand the Certificates folder and go to Personal, then to Certificates
Right-click and go to tasks, import

Then point to and import the crt file you saved above.

Once done, refresh that window and look for the cert you just imported. Double-click it, go to the Details tab and copy the serial number, then run the below command from an elevated command prompt:


certutil -repairstore my <serial number from step above>


In order for this to work:

You MUST run this from the computer you originally requested the cert from

You MUST import the certificate first using the steps above.
0
 
LVL 17

Expert Comment

by:Emmanuel Adebayo
ID: 39943155
You will need to save it as .cer and then you can follow the process I highlighted earlier.

Regards
0
 
LVL 29

Expert Comment

by:becraig
ID: 39943162
There is no need to rename; Windows can and will recognize both formats, *.cer and *.crt.
0
 

Author Comment

by:McSnoogins1
ID: 39943168
I didn't request it from the server, I did it using an online form at 123-reg to create the CSR. Do I need to have it re-done and request it from my server?

I don't understand why the private key isn't included? Is it just that 123-reg have done a rubbish job of it?
0
 
LVL 29

Expert Comment

by:becraig
ID: 39943198
OK, so looking at their website it seems they send you both the public and private key by email. Can you confirm?
0
 
LVL 29

Expert Comment

by:becraig
ID: 39943230
If it is the case that you got both the key and the crt file then simply get openssl and run the command below:

openssl pkcs12 -export -in my.crt -inkey my.key -out mycert.pfx

With this pfx (which now contains the private key) you can import to any server

You can get openssl here:
http://gnuwin32.sourceforge.net/packages/openssl.htm
0
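The certificate a CA sends back holds only the public key, so a PFX can only be built with the private key created alongside the CSR. As an added example (not part of the original post), this script checks that a certificate and key belong together before running the `openssl pkcs12 -export` command above; the file names, the `mail.example.test` subject, the password and the self-signed stand-in for a CA-issued certificate are constructed for the demo.

```shell
#!/bin/sh
# Added example; demo.key, demo.csr, demo.crt and other.key are constructed names.

# SHA-256 of the public key embedded in a certificate (PEM).
cert_pubkey_hash() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 of the public key derived from a private key (PEM, unencrypted).
key_pubkey_hash() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeeds only if the certificate was issued for this private key.
cert_matches_key() {
    c=$(cert_pubkey_hash "$1") || return 1
    k=$(key_pubkey_hash "$2") || return 1
    [ "$c" = "$k" ]
}

# Build the PFX only after the pair has been verified.
make_pfx() {  # usage: make_pfx cert key out.pfx password
    if ! cert_matches_key "$1" "$2"; then
        echo "refusing: $2 is not the private key for $1" >&2
        return 1
    fi
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
}

# Constructed demo material: key + CSR made locally, as on the requesting server.
demo_setup() {
    d=$(mktemp -d) || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$d/demo.key" -out "$d/demo.csr" 2>/dev/null || return 1
    # Stand-in for the CA: self-sign the CSR so the demo runs offline.
    openssl x509 -req -in "$d/demo.csr" -signkey "$d/demo.key" -days 1 \
        -out "$d/demo.crt" 2>/dev/null || return 1
    # An unrelated key, like one from a different request.
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null || return 1
    echo "$d"
}

dir=$(demo_setup)
make_pfx "$dir/demo.crt" "$dir/demo.key" "$dir/demo.pfx" "constructed-pass" && echo "PFX written"
make_pfx "$dir/demo.crt" "$dir/other.key" "$dir/bad.pfx" "constructed-pass" || echo "wrong key rejected"
```

For a real export, let openssl prompt for the PFX password or use `-passout file:`, since `pass:` exposes it in the process list.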
 

Author Comment

by:McSnoogins1
ID: 39943287
They sent me my "Your Intermediate Certificate" which installed on the server no bother and my "SSL Certificate" which is what I'm having trouble with. I'm getting the impression I have less of an idea about this than I thought I did.
E-mail included below (I've removed some of the cert characters for security)

------------------------------------------------------------------------------------------------------------------
Dear Chris,
Great news! Your SSL certificate has been issued and is now active.
 
-----------------------------------------------
 
Certificate details
 
Product type: 123-SSL
Domain: remote.revolutionaryit.co.uk
Valid for: 1years
 
-----------------------------------------------
 
What happens now?
 
You will now need to manually install your SSL certificate by following the instructions below.
 
Please note: Your SSL and intermediate certificates can be found at the bottom of this email. Both certificates must be installed on your server.
-----------------------------------------------
Installation Guide
1) Using a text editor, copy the intermediate ctext from the bottom of this email, (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines) and Save As gs_intermediate_ca.crt on your server desktop.

 
2) Using a text editor, copy the SSL certificate text, from the bottom of this email (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines) and Save As yourdomain.crt on your server desktop.
 
3) For instructions on installing your certificate on your web server (different methods are required, depending on your web server and SSL certificate type) and information on backing up your certificate and private key, please see the following link: http://www.123-reg.co.uk/support/category/SSL-Certificates 
-----------------------------------------------
 
Getting help
 
If you need any help, please visit our support site. There you will find useful guides and answers to common queries. You can also use the Ask a question option which sends a query email to our expert support staff.
 
All the best,
 
The 123-reg team
www.123-reg.co.uk
 
-----------------------------------------------
 
 MUST BE INSTALLED ON YOUR WEB SERVER:
 
Your Intermediate Certificate
 
 

Your SSL Certificate (Formatted for the majority of web server software including IIS and Apache based servers):

------------------------------------------------------------------------------------------------------------------

This is all I got, no attachments or anything else. If I go to cpanel in my hosting I can download the cert which just displays the SSL as above on a new page.

Can you tell me what to do with what I have or if I'm missing something?
0
 

Author Comment

by:McSnoogins1
ID: 39943553
It seems I'm missing a .key file. Is that right? Can I create it myself or do I need it to be generated on the same machine that created the certificate?
0
 
LVL 29

Expert Comment

by:becraig
ID: 39943566
You can have them email it to you since it seems the key pair end to end was created on their side.
0
 

Author Comment

by:McSnoogins1
ID: 39943607
Thank you, I have told them I am missing it. I'll come back once I have it.
0
 

Author Comment

by:McSnoogins1
ID: 39944853
I've just generated a new CSR from my server and sent it to them for the certificate to be re-issued. At no point did the server ask me to type in a passphrase though, and I'm pretty sure I'm going to be in the same situation as I am now once they send through only the cert. I'll keep you posted.
0
 

Author Comment

by:McSnoogins1
ID: 39945867
All working, it seems that generating the CSR using their form is pointless as you don't get the private key from them. I did it again from my own server and everything works as it should now
0
 
LVL 29

Expert Comment

by:becraig
ID: 39945872
They should really fix that process, why sell you only the public portion of the key :-(

Their site very clearly says you should get the CSR, the key and the cer file.


It's good you got this ironed out.
0


Question has a verified solution.
