Trouble installing SSL cert in Exchange 2007

I've just downloaded a security certificate from GoDaddy. I successfully imported the intermediate certificate, then ran the Import-ExchangeCertificate program in the Exchange Shell and got a thumbprint. Next I tried Enable-ExchangeCertificate and got the error shown below, "PrivateKeyMissing". How do I fix this?
[PS] C:\Windows\system32>Enable-ExchangeCertificate -Thumbprint 71E5569BD8DCECD1
8C352A7515CC077BE6F6001C -Services "SMTP, IMAP, IIS"
Enable-ExchangeCertificate : The certificate with thumbprint 71E5569BD8DCECD18C
352A7515CC077BE6F6001C was found but is not valid for use with Exchange Server
(reason: PrivateKeyMissing).
At line:1 char:27
+ Enable-ExchangeCertificate <<<<  -Thumbprint 71E5569BD8DCECD18C352A7515CC077B
E6F6001C -Services "SMTP, IMAP, IIS"
    + CategoryInfo          : NotSpecified: (:) [Enable-ExchangeCertificate],
   CertificateNotValidForExchangeException
    + FullyQualifiedErrorId : 677EE568,Microsoft.Exchange.Management.SystemCon
   figurationTasks.EnableExchangeCertificate

jmarkfoleyAsked:

becraigCommented:
How did you create the request?

You can simply run the below command from an elevated prompt

certreq.exe -accept <certfile.cer>

certfile.cer has to be the name of the actual certificate you intend to use (NOT THE INTERMEDIATE)

If the request was made in IIS simply go to IIS and complete the request.
0
jmarkfoleyAuthor Commented:
becraig: > How did you create the request?

I created it at GoDaddy. When I requested the cert, it asked if I wanted to use a new CSR or the one for the existing certificate. I chose to use the one for the existing certificate. Note that I was not the one to create the original certificate 5 years ago, so I do not know how the then-administrator created the CSR.

> You can simply run the below command from an elevated prompt
> certreq.exe -accept <certfile.cer>

Did that, got the error:
failed

> certfile.cer has to be the name of the actual certificate you intend to use (NOT THE INTERMEDIATE)

I used 4111d11611d96.crt, not gd_iis_intermediates.p7b, the latter being the intermediate certificate (I assume). These were the only two files I received.

> If the request was made in IIS simply go to IIS and complete the request.

Not sure what you mean here. The request was made at goDaddy.com and downloaded to my SBS 2008. The certificate is for Exchange and TLS. I tried the Enable-ExchangeCertificate command from the Exchange Shell.
0
becraigCommented:
Try the following command:
Run in an elevated command prompt

certutil -repairstore my 71E5569BD8DCECD18C352A7515CC077BE6F6001C
0


jmarkfoleyAuthor Commented:
Here are my results. Does this mean it worked? Should I now run Enable-ExchangeCertificate or is that taken care of?
[PS] C:\Windows\system32>certutil -repairstore my 71E5569BD8DCECD18C352A7515CC077BE6F6001C
my
================ Certificate 12 ================
Serial Number: 04111d11611d96
Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O=GoDaddy.com, Inc., L=Scottsdale, S=Arizona, C=US
NotBefore: 8/14/2014 6:45 PM
NotAfter: 8/15/2015 1:49 PM
Subject: CN=mail.ohprs.org, OU=Domain Control Validated
Non-root Certificate
Cert Hash(sha1): 71 e5 56 9b d8 dc ec d1 8c 35 2a 75 15 cc 07 7b e6 f6 00 1c
  Key Container = lr-286bce3b-bc8c-4b29-b60e-2b0d9a91640d
  Unique container name: 41df97588fe14552e35b8ce159c5dc37_7897df12-6a14-415a-bd52-da8416a1268f
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Encryption test passed
CertUtil: -repairstore command completed successfully.


0
Vlastimil SopuchDirectorCommented:
Looks like that did it.
You can verify the certs in EMC in the root of Server Configuration - should see green ticks all the way.
In SBS you might need to run "Fix my network" from the SBS Console - Network / Connectivity tab... and reboot the Information Store service (this should be planned).
0
becraigCommented:
Yup you should be able to run the exchange command now.
Happy to help.
0
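
Added example (not part of the original thread): a PowerShell check, run from the Exchange Management Shell, that the certificate in the computer's Personal store has a private key linked, which is the condition behind the PrivateKeyMissing error above. The function name Test-CertPrivateKey is hypothetical, and PowerShell 2.0 or later is assumed.

```powershell
# Added example: confirm that a certificate in the local computer's
# Personal (My) store has a private key linked before enabling it.
# Test-CertPrivateKey is a hypothetical helper name, not an Exchange cmdlet.
function Test-CertPrivateKey {
    param([string]$Thumbprint)

    # Accept the thumbprint as one string or as certutil prints it
    # ("71 e5 56 ..."): keep only the hex digits.
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($tp.Length -ne 40) {
        throw "Expected a 40-hex-digit SHA-1 thumbprint, got $($tp.Length) digits."
    }

    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $tp }
    if (-not $cert) {
        throw "No certificate with thumbprint $tp in Cert:\LocalMachine\My."
    }

    # Return the fields worth checking before Enable-ExchangeCertificate.
    New-Object PSObject -Property @{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
    }
}

# Thumbprint taken from the certutil output in this thread.
$result = Test-CertPrivateKey '71 e5 56 9b d8 dc ec d1 8c 35 2a 75 15 cc 07 7b e6 f6 00 1c'
$result | Format-List Subject, Thumbprint, NotAfter, HasPrivateKey

if ($result.HasPrivateKey) {
    'Private key is linked to the certificate.'
} else {
    'No private key linked: run certutil -repairstore my <thumbprint> from an elevated prompt first.'
}
```
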
jmarkfoleyAuthor Commented:
becraig: that did it, I was able to run Enable-ExchangeCertificate successfully.

I have another cert to install. Since your solution was so correct, do you know why I had this problem in the first place? Is there something I can do to avoid this situation with my next cert?
0
jmarkfoleyAuthor Commented:
No theories?
0

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.