Solved

SSL Certificate Missing Private Key

Posted on 2014-03-20
Last Modified: 2014-03-21
I've just bought an SSL certificate for my Exchange 2007 server from 123-reg.  I was given instructions as to how to import the certificate.  When I was requesting it I used an online form to create the CSR and typed in the private key.  I've imported the certificate but when I try to enable it I get an error back saying CertificateNotValidForExchangeException and that the private key is missing. I've contacted 123-reg and pretty much been told they provided the cert and they don't care what happens after.
Can someone tell me what I need to do to get this working so I can use my Outlook Anywhere?

Guide from 123-reg below:

Thank you for contacting 123-reg on the 20th March 2014.

Please use the below link to install your certificate on Microsoft Exchange 2007:

https://support.globalsign.com/customer/portal/articles/1226878-install-certificate---microsoft-exchange-2007

You will need an intermediate SSL certificate which can be found on the below support article:

Where can I obtain an Intermediate Root CA Certificate for my SSL Certificate?

If we can be of any further help with regard to this or any other matter, please do not hesitate to contact us.
Kind Regards

------------------------------------------------------------------------------------------------------------------
0
Comment
Question by:McSnoogins1
16 Comments
 
LVL 28

Accepted Solution

by:
becraig earned 250 total points
ID: 39943007
Do you still have access to the computer you requested the cert from originally?

If so, simply reimport the public key .cer to that computer.
Then find the serial number.

Then run the following command from an elevated prompt:


certutil -repairstore my <serial number>
0
 
LVL 16

Assisted Solution

by:Emmanuel Adebayo
Emmanuel Adebayo earned 250 total points
ID: 39943039
Use the following steps to recover your private key using the certutil command.

1. Locate your Server Certificate file (for example, exchange.cer) and double-click it. The Certificate dialog box appears.
2. Click the Details tab. Write down the 8-character serial number of the certificate.
3. Click Start > Run.
4. Type cmd and click OK. A Command Prompt window opens.
5. Enter the following command at the prompt:

certutil -repairstore my <serial number>

Where <serial number> is the 8-character serial number obtained in Step 2 (spaces removed).

6. If Windows is able to recover the private key, you see the following message:

CertUtil:  -repairstore command completed successfully.
1
 

Author Comment

by:McSnoogins1
ID: 39943112
I've attached what happens.  Do I need to paste the private key into a txt file as well to import it? All I was given from 123-reg was an email with ----BEGIN------ *cert stuff*----END--- which I was told to paste into a notepad file and save as .crt :(
Untitled.png
0
 
LVL 28

Expert Comment

by:becraig
ID: 39943134
Use that file and go to the computer where the request was generated:
Run mmc.exe
Add/Remove Snap-in
Certificates
Computer account
Local computer
Expand the Certificates folder and go to Personal, then to Certificates
Right-click and go to Tasks > Import

Then point to and import the crt file you saved above.

Once done, refresh that window and look for the cert you just imported. Double-click it, go to the Details tab and copy the serial number, then run the command below from an elevated command prompt:


certutil -repairstore my <serial number from step above>


In order for this to work:

You MUST run this from the computer you originally requested the cert from

You MUST import the certificate first using the steps above.
0
 
LVL 16

Expert Comment

by:Emmanuel Adebayo
ID: 39943155
You will need to save it as .cer and then you can follow the process I highlighted earlier.

Regards
0
 
LVL 28

Expert Comment

by:becraig
ID: 39943162
There is no need to rename; Windows can and will recognize both formats, *.cer and *.crt.
0
 

Author Comment

by:McSnoogins1
ID: 39943168
I didn't request it from the server, I did it using an online form at 123-reg to create the CSR. Do I need to have it re-done and request it from my server?

I don't understand why the private key isn't included? Is it just that 123-reg have done a rubbish job of it?
0
 
LVL 28

Expert Comment

by:becraig
ID: 39943198
OK, so looking at their website it seems they send you both the public and private key by email. Can you confirm?
0

 
LVL 28

Expert Comment

by:becraig
ID: 39943230
If it is the case that you got both the key and the crt file then simply get openssl and run the command below:

openssl pkcs12 -export -in my.crt -inkey my.key -out mycert.pfx

With this pfx (which now contains the private key) you can import to any server

You can get openssl here:
http://gnuwin32.sourceforge.net/packages/openssl.htm
0
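A check worth running before the export above, as an added example that is not part of the original thread: it confirms the key file really belongs to the certificate by comparing their public keys, and only then builds the PFX. The file names, the PFX_PASS variable and the self-signed test certificate are constructed for the demo.

```shell
#!/bin/sh
# Added example: verify that a private key matches a certificate before
# bundling both into a PFX. All file names and the passphrase are constructed.

# pubkey_fp FILE cert|key -> SHA-256 of the DER-encoded public key
pubkey_fp() {
    if [ "$2" = cert ]; then
        pem=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    else
        pem=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    fi
    [ -n "$pem" ] || return 1          # never compare two empty results
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# cert_matches_key CERT KEY -> 0 if they share a public key, 1 if not,
# 2 if either file could not be parsed
cert_matches_key() {
    c=$(pubkey_fp "$1" cert) || return 2
    k=$(pubkey_fp "$2" key) || return 2
    [ "$c" = "$k" ]
}

# make_pfx CERT KEY OUT -> writes OUT only when the key matches the cert.
# The export passphrase is read from the PFX_PASS environment variable
# (an assumption of this example) so it does not appear in the process list.
make_pfx() {
    cert_matches_key "$1" "$2" || {
        echo "refusing: $2 is not the private key for $1" >&2
        return 1
    }
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout env:PFX_PASS
}

# Constructed test material: one self-signed cert with its key, one unrelated key.
work=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=remote.example.test" \
    -keyout "$work/my.key" -out "$work/my.crt" 2>/dev/null
openssl genrsa -out "$work/other.key" 2048 2>/dev/null

export PFX_PASS='constructed-demo-passphrase'
make_pfx "$work/my.crt" "$work/my.key" "$work/mycert.pfx" && echo "PFX written"
make_pfx "$work/my.crt" "$work/other.key" "$work/bad.pfx" || echo "wrong key rejected"
# Remove "$work" when finished; it holds private key material.
```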
 

Author Comment

by:McSnoogins1
ID: 39943287
They sent me my "Your Intermediate Certificate" which installed on the server no bother and my "SSL Certificate" which is what I'm having trouble with. I'm getting the impression I have less of an idea about this than I thought I did.
E-mail included below (I've removed some of the cert characters for security)

------------------------------------------------------------------------------------------------------------------
Dear Chris,
Great news! Your SSL certificate has been issued and is now active.
 
-----------------------------------------------
 
Certificate details
 
Product type: 123-SSL
Domain: remote.revolutionaryit.co.uk
Valid for: 1years
 
-----------------------------------------------
 
What happens now?
 
You will now need to manually install your SSL certificate by following the instructions below.
 
Please note: Your SSL and intermediate certificates can be found at the bottom of this email. Both certificates must be installed on your server.
-----------------------------------------------
Installation Guide
1) Using a text editor, copy the intermediate ctext from the bottom of this email, (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines) and Save As gs_intermediate_ca.crt on your server desktop.

 
2) Using a text editor, copy the SSL certificate text, from the bottom of this email (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines) and Save As yourdomain.crt on your server desktop.
 
3) For instructions on installing your certificate on your web server (different methods are required, depending on your web server and SSL certificate type) and information on backing up your certificate and private key, please see the following link: http://www.123-reg.co.uk/support/category/SSL-Certificates
-----------------------------------------------
 
Getting help
 
If you need any help, please visit our support site. There you will find useful guides and answers to common queries. You can also use the Ask a question option which sends a query email to our expert support staff.
 
All the best,
 
The 123-reg team
www.123-reg.co.uk
 
-----------------------------------------------
 
 MUST BE INSTALLED ON YOUR WEB SERVER:
 
Your Intermediate Certificate
 
 

Your SSL Certificate (Formatted for the majority of web server software including IIS and Apache based servers):

------------------------------------------------------------------------------------------------------------------

This is all I got, no attachments or anything else. If I go to cPanel in my hosting I can download the cert which just displays the SSL as above on a new page.

Can you tell me what to do with what I have or if I'm missing something?
0
 

Author Comment

by:McSnoogins1
ID: 39943553
It seems I'm missing a .key file. Is that right? Can I create it myself or do I need it to be generated on the same machine that created the certificate?
0
 
LVL 28

Expert Comment

by:becraig
ID: 39943566
You can have them email it to you since it seems the key pair end to end was created on their side.
0
 

Author Comment

by:McSnoogins1
ID: 39943607
Thank you, I have told them I am missing it. I'll come back once I have it.
0
 

Author Comment

by:McSnoogins1
ID: 39944853
I've just generated a new CSR from my server and sent it to them for the certificate to be re-issued.  At no point did the server ask me to type in a passphrase though, and I'm pretty sure I'm going to be in the same situation as I am now once they send through only the cert. I'll keep you posted.
0
 

Author Comment

by:McSnoogins1
ID: 39945867
All working, it seems that generating the CSR using their form is pointless as you don't get the private key from them. I did it again from my own server and everything works as it should now.
0
 
LVL 28

Expert Comment

by:becraig
ID: 39945872
They should really fix that process, why sell you only the public portion of the key :-(

Their site very clearly says you should get the CSR, the key and the cer file.


It's good you got this ironed out.
0
