Link to home
Start Free TrialLog in
Avatar of McSnoogins1
McSnoogins1Flag for United Kingdom of Great Britain and Northern Ireland

asked on

SSL Certificate Missing Private Key

I've just bought an SSL certificate for my exchange 2007 server from 123-reg.  I was given instructions as to how to import the certificate.  When I was requesting it I used an online form to create the CSR and typed in the private key.  I've imported the certificate but when i try to enable it I get an error back saying CertificateNotValidForExchangeException and that the private key is missing. I've contacted 123-reg and pretty much been told they provided the cert and they don't care what happens after.
Can someone tell me what I need to do to get this working so I can use my outlook anywhere?

Guide from 123-reg below:

Thank you for contacting 123-reg on the 20th March 2014.

Please use the below link to install your certificate on Microsoft Exchange 2007:

https://support.globalsign.com/customer/portal/articles/1226878-install-certificate---microsoft-exchange-2007

You will need an intermediate SSL certificate which can be found on the below support article:

Where can I obtain an Intermediate Root CA Certificate for my SSL Certificate?

If we can be of any further help with regard to this or any other matter, please do not hesitate to contact us.
Kind Regards

------------------------------------------------------------------------------------------------------------------
ASKER CERTIFIED SOLUTION
Avatar of becraig
becraig
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of McSnoogins1

ASKER

I've attached what happens.  Do i need to paste the private key into a txt file as well to import it? All i was given from 123-reg was an email with ----BEGIN------ *cert stuff*----END--- which i was told to paste into a notepad file and save as .crt :(
Untitled.png
use that file and go to your computer where the request was generated:
run mmc.exe
Add remove snap in
Certificates
Computer account
Local computer
Expand the certificates folder and go to Personal - then to certificates
Right click and go to tasks import

then point to and import the crt file you saved above.

once done refresh that window and look for the cert you just imported double click and go to the details tab and copy the serial number then run the below command from an elevated command prompt


certutil –repairstore my <serial number from step above>


In order for this to work:

You MUST run this from the computer you originally requested the cert from

You MUST import the certificate first using the steps above.
You will need to save it as .cer and then you can follow the process I highlighted earlier.

Regards
There is no need to rename windows can and will recognize both formats *.cer and *.crt
I didn't request it from the server, i did it using an online form at 123-reg to create the CSR. Do i need to have it re-done and request it from my server?

I don;t understand why the private key isnt included? Is it just that 123-reg have done a rubbish job of it?
ok so looking at their website it seems they send you both the public and private key by email can you confirm ?
If it is the case that you got both the key and the crt file then simply get openssl and run the command below:

openssl pkcs12 -export -in my.crt -inkey my.key -out mycert.pfx

With this pfx (which now contains the private key) you can import to any server

You can get openssl here:
http://gnuwin32.sourceforge.net/packages/openssl.htm
They sent me my "Your Intermediate Certificate" which installed on the server no bother and my "SSL Certificate" which is what I'm having trouble with. I'm getting the impression I have less of an idea about this than I thought I did.
E-mail included below (I've removed some of the cert characters for security)

------------------------------------------------------------------------------------------------------------------
Dear Chris,
Great news! Your SSL certificate has been issued and is now active.
 
-----------------------------------------------
 
Certificate details
 
Product type: 123-SSL
Domain: remote.revolutionaryit.co.uk
Valid for: 1years
 
-----------------------------------------------
 
What happens now?
 
You will now need to manually install your SSL certificate by following the instructions below.
 
Please note: Your SSL and intermediate certificates can found at the bottom of this email. Both certificates must be installed on your server.
-----------------------------------------------
Installation Guide
1) Using a text editor, copy the intermediate ctext from the bottom of this email, (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines) and Save As gs_intermediate_ca.crt on your server desktop.

 
2) Using a text editor, copy the SSL certificate text, from the bottom of this email (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines) and Save As yourdomain.crt on your
server desktop.
 
3) For instructions on installing your certificate on your web server (different methods are required, depending on your web server and SSL certificate type) and information on backing up your certificate and private key, please see the following link: http://www.123-reg.co.uk/support/category/SSL-Certificates 
-----------------------------------------------
 
Getting help
 
If you need any help, please visit our support site. There you will find useful guides and answers to common queries. You can also use the Ask a question option which sends a query email to our expert support staff.
 
All the best,
 
The 123-reg team
www.123-reg.co.uk
 
-----------------------------------------------
 
 MUST BE INSTALLED ON YOUR WEB SERVER:
 
Your Intermediate Certificate
 
 
-----BEGIN CERTIFICATE----- MIIELzCCAxegAwIBAgILBAAAAAABL07hNwIwDQYJKoZIhvcNAQEFBQAwVzELMAkG A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0xMTA0MTMxMDAw MDBaFw0yMjA0MTMxMDAwMDBaMC4xETAPBgNVBAoTCEFscGhhU1NMMRkwFwYDVQQD ExBBbHBoYVNTTCBDQSAtIEcyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC AQEAw/BliN8b3caChy/JC7pUxmM/RnWsSxQfmHKLHBD/CalSbi9l32WEP1+Bstjx T9fwWrvJr9Ax3SZGKpme2KmjtrgHxMlx95WE79LqH1Sg5b7kQSFWMRBkfR5jjpxx XDygLt5n3MiaIPB1yLC2J4Hrlw3uIkWlwi80J+zgWRJRsx4F5Tgg0mlZelkXvhpL OQgSeTObZGj+WIHdiAxqulm0ryRPYeDK/Bda0jxyq6dMt7nqLeP0P5miTcgdWPh/ UzWO1yKIt2F2CBMTaWawV1kTMQpwgiuT1/biQBXQHQFyxxNYalrsGYkWPODIjYYq +jfwNTLd7OX+gI73BWe0i0J1NQIDAQABo4IBIzCCAR8wDgYDVR0PAQH/BAQDAgEG MBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFBTqGVXwDg0yxh90M7eOZhpM EjEeMEUGA1UdIAQ+MDwwOgYEVR0gADAyMDAGCCsGAQUFBwIBFiRodHRwczovL3d3 dy5hbHBoYXNzbC5jb20vcmVwb3NpdG9yeS8wMwYDVR0fBCwwKjAooCagJIYiaHR0 cDovL2NybC5nbG9iYWxzaWduLm5ldC9yb290LmNybDA9BggrBgEFBQcBAQQxMC8w LQYIKwYBBQUHMAGGIWh0dHA6Ly9vY3NwLmdsb2JhbHNpZ24uY29tL3Jvb3RyMTAf  AQEABjBCm89JAn6J6fWDWj0C87yyRt5KUO65mpBz2qBcJsqCrA6ts5T6KC6y5kk/ UHcOlS9o82U8nxTyaGCStvwEDfakGKFpYA3jnWhbvJ4LOFmNIdoj+pmKCbkfpy61 VWxH50Hs5uJ/r1VEOeCsdO5l0/qrUUgw8T53be3kD0CY7kd/jbZYJ82Sb2AjzAKb WSh4olGd0Eqc5ZNemI/L7z/K/uCvpMlbbkBYpZItvV1lVcW/fARB2aS1gOmUYAIQ OGoICNdTHC2Tr8kTe9RsxDrE+4CsuzpOVHrNTrM+7fH8EU6f9fMUvLmxMc72qi+l +MPpZqmyIJ3E+LgDYqeF0RhjWw== -----END CERTIFICATE-----

Your SSL Certificate (Formatted for the majority of web server software including IIS and Apache based servers):
-----BEGIN CERTIFICATE----- MIIEwjCCA6qgAwIBAgISESEX09ZVexI+WhuPuogKO1GtMA0GCSqGSIb3DQEBBQUA MC4xETAPBgNVBAoTCEFscGhhU1NMMRkwFwYDVQQDExBBbHBoYVNTTCBDQSAtIEcy MB4XDTE0MDMyMDA5MTQzNVoXDTE1MDMyMTA5MTQzNVowVzELMAkGA1UEBhMCR0Ix ITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDElMCMGA1UEAwwccmVt b3RlLnJldm9sdXRpb25hcnlpdC5jby51azCCASIwDQYJKoZIhvcNAQEBBQADggEP ADCCAQoCggEBALxpwyUtqu5b8jg/tbn8S98/beBU1wgKACbSyuDRKBRynw7XxQDa dpciyGRWbqJ/hEMZP8Dzm5ZhTHYN9UHVCCsZ/Ao3SZW5wFrbj/M12mcAcoJwaeRS asaubETJX6NTK4yyanh0XzC57LHe2kPGqLkaBnc5qt7uulf02nUqrsZEIcfuuUdh TKwqu1DxGDSiTjgGR7J/SMqGdRkwdYj8lCv7omj/l8NQhLV2zkBkHzXcRey0jGOo 7sDZ34GXJgOsilpI66JybKlR/+XU/ZEwRZXFW0YqfNqcztdsAJtviRQ8PbLDHwQB zCPa1t3FDNGwYY9/xbX2eRx3cjB44uaeV9sCAwEAAaOCAa8wggGrMA4GA1UdDwEB /wQEAwIFoDBJBgNVHSAEQjBAMD4GBmeBDAECATA0MDIGCCsGAQUFBwIBFiZodHRw czovL3d3dy5nbG9iYWxzaWduLmNvbS9yZXBvc2l0b3J5LzAnBgNVHREEIDAeghxy ZW1vdGUucmV2b2x1dGlvbmFyeWl0LmNvLnVrMAkGA1UdEwQCMAAwHQYDVR0lBBYw FAYIKwYBBQUHAwEGCCsGAQUFBwMCMDoGA1UdHwQzMDEwL6AtoCuGKWh0dHA6Ly9j cmwyLmFscGhhc3NsLmNvbS9ncy9nc2FscGhhZzIuY3JsMH8GCCsGAQUFBwEBBHMw Vy dC9nc2FscGhhZzIuY3J0MDEGCCsGAQUFBzABhiVodHRwOi8vb2NzcDIuZ2xvYmFs c2lnbi5jb20vZ3NhbHBoYWcyMB0GA1UdDgQWBBStn+dYjPnaYYXJRiEc9cXCKkLi 0zAfBgNVHSMEGDAWgBQU6hlV8A4NMsYfdDO3jmYaTBIxHjANBgkqhkiG9w0BAQUF AAOCAQEAWJfZOePvbs//+sr3USEb6hZA0QvJk5SHwT09M3jAG8+Xc92mT4BxIdp2 y1qckyZe5y8zYjOenMiKpuob59sFLD1OfxOKsM26WRoHj8d94f40DPe/CJcCJmin 6RnRtcIJG0GNSydibUABRCrO0ox0hbOu+frgsdUu16/TFLkjiG+22yzfb8KEGPxK ytfAK9XAt0RcWuzYtNbXQkPSJM7UkMcmuisxzFzm/Zs7eJuSwQairs2Eoh2RMs77 L0JxAWY0h4eyMAVdWjbQZQaQy9dzCkIjt18H64P0zCizCN1QB7g3oVkycg+r9hMd vgfiTRZIq6YOFEiAju82Egu/7HY8hA== -----END CERTIFICATE-----

------------------------------------------------------------------------------------------------------------------

This is all i got, no attachments or anything else. If I go to cpanel in my hosting I can download the cert which just displays the SSL as above on a new page.

Can you tell me what to do with what I have or if I'm missing something?
It seems I'm missing a .key file. Is that right? Can I create it myself or do I need to to be generated on the same machine that created the certificate?
You can have them email it to you since it seems the key pair end to end was created on their side.
Thank you, I have told them I am missing it. I'll come back once I have it.
I've just generated a new CSR from my server and sent it to them for the certificate to be re-issued.  At no point though did the server ask me to type in a passphrase though and I'm pretty sure I'm going to be in the same situation as I am now once they send through only the cert. I'll keep you posted
All working, it seems that generating the CSR using their form is pointless as you don't get the private key from them. I did it again from my own server and everything works as it should now
They should really fix that process, why sell you only the public portion of the key :-(

Their site very clearly says you should get the CSR the Key and the cer file


It's good you got this ironed out.