Exchange 2007 SSL Problem
I am using my own home-grown SSL certificate and trying to get Exchange 2007 to like it, but:
I open PowerShell and type
import-exchangecertificate -path c:\temp\server9.cer
It displays the thumbprint. I then type:
get-exchangecertificate -thumbprint <thumbprint> and all I get is this:
Get-ExchangeCertificate : The certificate with thumbprint AA33E0D6502444EEA2D631FDC37E889C489C8C49 was found but is not valid for usage with Exchange Server (reason: PrivateKeyMissing).
At line:1 char:24
+ get-exchangecertificate <<<< -thumbprint AA33E0D6502444EEA2D631FDC37E889C489C8C49
GRRRRRRR. Any ideas? Can't find it in certmgr.msc. Can't remove it either using remove-exchangecertificate as it gets the same error, so I have to delete it from the registry.
HKLM\SOFTWARE\Microsoft\SystemCertificates\My\Certificates
January 4th, 2007 6:24pm
Found a way round it.
I removed the default certificate from IIS, and then proceeded to add my new certificate from the pfx file.
This successfully went into IIS and then magically appeared when running dir cert://localmachine/my
I then did enable-exchangecertificate -thumbprint xxxxx -services "POP,IMAP,IIS"
Seems to work OK.
January 4th, 2007 8:08pm
Remove-ExchangeCertificate : The default certificate cannot be removed.
If you want to replace the default certificate for the server by replacing it with another certificate with the same server fully qualified domain name (FQDN), you cannot remove the certificate that is being used. You must create the new certificate for the server FQDN first and then remove the old certificate.
June 10th, 2007 2:03am
This entry has the relevant information:
http://msexchangeteam.com/archive/2007/02/19/435472.aspx
To make a long story short, this error is caused by running Import-ExchangeCertificate on a different server than the original "New-ExchangeCertificate -generate" request was run on. (New-ExchangeCertificate generates the private key but places it in the local Exchange certificate store, but doesn't pass the private key out with the certificate request. Importing the certificate issued by the CA [which does not have the private key] on any other machine fails as the private key is not in its local store.) This one had me stumped for quite a bit as the Issuing CA clearly was not allowing an export of the private key (in retrospect, because there was none).
August 7th, 2007 9:00pm
Sorry to bump this thread, but I will make something clear.
I had this problem while performing the Import and Enable from the REQUESTING machine, not a different machine, so the msexchange.org posting doesn't apply, and I am sure I won't be the only one...
Check out this posting to fix this problem:
http://blog.matthewtrotter.com/?p=29
I have done a pile of Exchange 2007 installs and this was the first one that failed, so I am not sure what caused the problem, but this does fix it.
May 8th, 2008 12:05am
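The PrivateKeyMissing condition discussed in this thread can be checked directly against the local machine store. This is an added example, not part of any post above; the function name Get-CertPrivateKeyStatus and its parameters are hypothetical, and it relies only on the Cert: provider and the .NET X509Certificate2 class.

```powershell
# Added example (not from the thread): report whether certificates in
# Cert:\LocalMachine\My have a private key associated with them.
# Get-CertPrivateKeyStatus is a hypothetical helper name.
function Get-CertPrivateKeyStatus {
    param(
        [string]$CerPath,     # optional: .cer file whose thumbprint should be looked up
        [string]$Thumbprint   # optional: thumbprint to look up directly
    )

    if ($CerPath) {
        # A .cer file holds only the public certificate. Loading it here is
        # just a way to obtain the thumbprint without importing anything.
        $fileCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
        $Thumbprint = $fileCert.Thumbprint
    }

    # Normalise pasted thumbprints (certificate dialogs often add spaces).
    $wanted = ($Thumbprint -replace '\s', '').ToUpper()

    # With no thumbprint given, every certificate in the store is reported.
    $found = @(Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { -not $wanted -or $_.Thumbprint -eq $wanted })

    if ($found.Count -eq 0) {
        Write-Warning "No certificate with thumbprint '$wanted' in LocalMachine\My."
        return
    }

    # HasPrivateKey is False when the store entry has no key attached,
    # which is the state Exchange reports as PrivateKeyMissing.
    $found | Select-Object Thumbprint, Subject, NotAfter, HasPrivateKey,
        @{ Name = 'Diagnosis'; Expression = {
            if ($_.HasPrivateKey) { 'Private key present' }
            else { 'Public certificate only: key is on the requesting machine or in a PFX' }
        } }
}

# Usage with the thumbprint quoted in the first post:
# Get-CertPrivateKeyStatus -Thumbprint AA33E0D6502444EEA2D631FDC37E889C489C8C49
# Usage with the file from the first post, before importing it:
# Get-CertPrivateKeyStatus -CerPath C:\temp\server9.cer
```

Running it without arguments lists every certificate in the store, which makes it easy to spot entries that were imported from a .cer rather than a PFX.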