Import Certificate into EXCHANGE 2010 without a corresponding private key?


I have a functioning Exchange 2010 system with a SAN/UCC certificate provided by GoDaddy.  Recently, we had to add a SAN and remove a SAN, and GoDaddy allows this to happen in the Certificate Management Console at the customer interface WITHOUT requiring a new CSR to get the new SAN's in place.  DIGICERT, REGISTER.COM and others allows for this type of SAN maintenance as well.

Once the SAN's are updated and approved and I download the new CRT/CRT file, I am able to import the CRT/CER file into the Windows Certificate management console (mmc --> add/remove snapin --> certificates --> this computer) but I am NOT able to import it into the Exchange System Manager because the Exchange System Manager import utility REQUIRES a password for the certificate being imported.  (This would be expected if the file was a PFX export that included a PRIVATE KEY from another system).

Once imported, because the certificate does not have a corresponding private key, it is unable to be assigned to anything like IIS websites or Exchange services (it does not appear for use).  Certificates ONLY appear for use if they are imported with a proper private key.

I'd like to avoid going through the entire CSR process again through the Exchange console since I just added and removed a SAN from the cert, this is not a renewal or a completely new there any way to use this CER/CRT file in the Exchange system and assign it for use without doing a completely new CSR from powershell or from the Exchange MMC wizard?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Will SzymkowskiSenior Solution ArchitectCommented:
I'd like to avoid going through the entire CSR process again through the Exchange
This really should not take long to accomplish this.

.is there any way to use this CER/CRT file
No you have to import the cer/crt file into the original server where the CSR was generated. The correct way is to export the cert (with the private key) and then import this into the other Exchange servers in your environment.

You will then need to enable the cert on the Exchange server using Enable-ExchangeCertificate -Thumbprint <xxxxxxxxxx> -services "pop,imap,smtp,iis"

Simon Butler (Sembee)ConsultantCommented:
You don't have to go through the CSR process again.
Create a new certificate request, then on the GoDaddy system choose Rekey. A new certificate should be issued to you immediately, so that you can download it and install it to the pending request.

While the SSL systems allow you to reissue the certificate, that is only of use to you if you still have the corresponding pending request. You don't in this case, so you cannot use that method. Without a private key, the SSL system would be useless - you could just download a certificate from your bank and setup a phishing site.

So once you get the new cert you can simply follow the two steps below:

1. You should be to do the following
certutil -repairstore <serialnumber of new crt>

Then simply right click the new cert and export to pfx (in the mmc)  then import to the new server you want to install it on.

 Or just follow Simon's instructions.
jkeegan123Author Commented:
@ BECRAIG:  I used a variation of your solution and it worked perfectly.  For the benefit of all, here is the entire tasklist that I performed to get this completed.  

NOTE:  I started with a working Exchange system that had a SAN/UCC cert from GoDaddy installed.  It was a (5) slot UCC cert and I only had (3) setup.  I added an additional (2) and downloaded the CER but as mentioned at the start of this post, could not JUST use the CER since there was no new CSR issued.


1.      Sign into provider to add/remove SAN’s from the SAN cert.
2.      Once added, the provider will email out the ADMINISTRATIVE CONTACT on the registrar for approval of the SAN additions.  If the SAN’s are from other domains, the administrative contact of THOSE domains will be emailed.
3.      Once approved, the updated certificate is available for download as a CRT/CER file.  
   a.      NOTE:  if you update an existing certificate by adding/removing SAN’s, the previously issued certificates will be revoked in 24 – 72 hours.  If you do not install the new CRT/CER file on ALL servers that have the old certificate installed, users will get a message indicating that the certificate was REVOKED because…it was.
4.      Download the CRT/CER file and install it by DOUBLE CLICKING it and installing through the wizard.  This will install the certificate in the PERSONAL folder of the computer accounts certificate store.
5.      Open MMC - ADD/REMOVE snap-in’s for CERTIFICATES - select THIS COMPUTER
6.      Navigate to the PERSONAL folder of the Certificate store and locate the imported certificate.  DOUBLE CLICK it to open properties.
7.      Click the DETAILS TAB - Click SERIAL number - copy the serial # to the clipboard.
8.      Drop to command line, and enter:

a.      Certutil –repairstore my “Serialnumber”

Where “Serialnumber” is the serial # copied in step 7.  NOTE:  If the serial # is not accepted, remove the SPACES from between each (2) characters so that the serial # gets entered as an unbroken string of 16 characters.

                i.e.:  certutil –repairstore my “‎7faed3c68317f50d”
9.      Refresh the certificate store under folder “PERSONAL” and verify that the certificate that was imported now has a KEY icon next to it, and that the certificate’s general tab indicates at the bottom of the window that, “You have a private key that corresponds to this certificate”.
10.      Now that you have a private key for this certificate, you may EXPORT IT with private key so that you can IMPORT IT into the Exchange MMC….right click the certificate and select “ALL TASKS - EXPORT”
   a.      Select YES, EXPORT PRIVATE KEY
   b.      Export as PFX format and select to include “Include all certificates in the certification path if possible” and “Export all extended properties”.  DO NOT select to DELETE certificate on successful export.
   c.      Enter a password that you will not forget but that is not simple like PASSWORD…if the private key is ever compromised, hackers could use it to make new certificates that will appear to originate from THIS key / server.
   d.      Lastly, name the file and store it someplace safe that you will be able to retrieve often and easily like “C:\source”
11.      Now that the CERT is exported with private key, open the Exchange MMC (Exchange 2010) to import the cert.
12.      Navigate to SERVER CONFIGURATION - Select the CAS server in question at the top of the screen - Select IMPORT EXCHANGE CERTIFICATE
13.      Browse to the exported certificate, import it, and enter the key entered in step 10c.
14.      Once imported, right-click the certificate and select “ASSIGN SERVICES TO CERTIFICATE” - Assign services IIS, IMAP, POP, SMTP.  

The certificate repair information came from the following website:

TLDR:  Generate a private key for an installed cert with:  Certutil –repairstore my “Serialnumber”

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
jkeegan123Author Commented:
Offered solutions were incomplete at resolving the stated issue.  My solution was comprehensive and listed ALL steps taken to resolve the listed issue.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.