SSL Cert Issues
I imported an SSL cert into my Exchange 2007 but it showed up with a status of invalid and when various clients tried to connect they received errors. Not knowing a lot about SSL Certs I had imported the X.509 cert so I thought that I could just remove the cert and import it again. I used the Remove-ExchangeCertificate -Thumbprint <xxxx> command to remove the Cert. Then I tried to import the cert again, it looked like it worked however when I try to list the certs it isn't there and when I try to list the CERT with the thumbprint I get an error message saying:
Get-ExchangeCertificate : The certificate with thumbprint 5936329DA9F0B53FC4029A539297840C682FCE41 was found but is not valid for usage with Exchange Server (reason: PrivateKeyMissing).
At line:1 char:24
+ get-ExchangeCertificate <<<< -Thumbprint 5936329DA9F0B53FC4029A539297840C682FCE41 | FL *
I can't remove the cert because it produces the following error:
WARNING: An unexpected error has occurred and a Watson dump is being generated: The certificate with thumbprint 5936329DA9F0B53FC4029A539297840C682FCE41 was found but is not valid for usage with Exchange Server (reason: PrivateKeyMissing).
Remove-ExchangeCertificate : The certificate with thumbprint 5936329DA9F0B53FC4029A539297840C682FCE41 was found but is not valid for usage with Exchange Server (reason: PrivateKeyMissing).
At line:1 char:27
+ remove-ExchangeCertificate <<<< -Thumbprint 5936329DA9F0B53FC4029A539297840C682FCE41
Any ideas on what I can do to get the cert back? All of this was done with the Exchange management shell.
May 2nd, 2008 11:15pm
Hi,
First, let's follow the steps to confirm whether the certificate has a private key.
1. Run MMC from a command prompt.
2. Click on file on the toolbar and select Add/Remove snap in
3. In the Standalone tab, click on Add-Certificates-Computer account-Local computer.
4. Click Finish and Ok.
5. Expand Certificates-Personal-Certificate.
6. In the right result pane, please find the certificate that you imported and double click on it.
7. In the General pane, "You have a private key that corresponds to this certificate" should be seen at the bottom.
If the certificate does not have a private key, then I recommend you send the certificate request back to corporate to reissue it.
Meanwhile, the certificate file should be a pfx or p7b file but not a cert file.
If it is not the case, then please try to delete the certificate from the personal store. After that please check IIS Manager to see whether the Default Web Site has SSL enabled. Also please check the Directory Security tab, View Certificate, to see whether there's a certificate on it. If it is still there, then please remove it. After that please run iisreset from a command prompt to restart IIS.
After you have deleted the certificate, please try to import it again.
Import-ExchangeCertificate
http://technet.microsoft.com/en-us/library/bb124424(EXCHG.80).aspx
Hope it helps.
May 5th, 2008 11:01am
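The private-key check from the MMC steps in the reply above can also be done from the shell. This is an added example, not part of the thread: the function name Get-CertKeyStatus is an assumption, it assumes Windows PowerShell 2.0 or later, and it uses the thumbprint quoted in the question. It reads the Local Computer Personal store directly, so it still works when Get-ExchangeCertificate refuses to show the certificate.

```powershell
# Added example: Get-CertKeyStatus is an illustrative name, not an Exchange cmdlet.
function Get-CertKeyStatus {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)

    # Thumbprints pasted from the MMC details pane often carry spaces or
    # invisible characters; keep the hex digits only.
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

    # Same store the MMC steps open: Local Computer > Personal
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        $cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1
        if (-not $cert) {
            Write-Warning "No certificate $tp in LocalMachine\My"
            return
        }

        # Build the chain: the status covers the issuing certificates too,
        # not only the dates on the server certificate itself.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)
        $problems = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

        $now = Get-Date
        New-Object PSObject -Property @{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            HasPrivateKey = $cert.HasPrivateKey   # False matches "PrivateKeyMissing"
            NotBefore     = $cert.NotBefore
            NotAfter      = $cert.NotAfter
            DatesValidNow = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
            ChainValid    = $chainOk
            ChainProblems = ($problems -join ', ')
        }
    }
    finally {
        $store.Close()
    }
}

# Thumbprint taken from the error message in the question
Get-CertKeyStatus -Thumbprint '5936329DA9F0B53FC4029A539297840C682FCE41' | Format-List
```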
I checked and there is no private key that corresponds to this certificate. Is it possible to restore the private key from the original CSR?
When you say to send the certificate request back to corporate to reissue it do you mean to generate another CSR and send it back to the SSL vendor to have another certificate generated?
If I have to get the certificate reissued how do I get this certificate out since Exchange partly sees it. When you try to remove it, it will not allow it because it doesn't have a private key attached to it. You can't display it using the Exchange Certificate commands. Does it have to be removed from the Certificate MMC snapin?
May 5th, 2008 5:38pm
I was able to recreate the private key by using the certutil utility so I am back to the original problem that caused me to delete it in the first place. Some non-Microsoft clients don't recognize the cert as being valid. In fact if I look at the Cert using the Certificate MMC there is a message that states: This certificate has expired or is not yet valid. When I look at the dates for the cert they show as being valid. So what now? I believe when I imported them into Exchange 2007 I used X.509 format rather than the PKCS#7 format. Is that my problem? If so how do I back it out in the X509 format and bring it back in with the PKCS#7 format without losing my private key again?
May 5th, 2008 10:08pm
Hi
Obtaining Unified Communications certificates for Microsoft Exchange
For more information about how to use the Exchange Management Shell to create a certificate request file that contains a certificate request in PKCS#10 format, visit the following Web sites:
http://technet.microsoft.com/en-us/library/aa995942.aspx
http://technet.microsoft.com/en-us/library/aa998327.aspx
More information about Certificate:
Unified Communications Certificate Partners for Exchange 2007 and for Communications Server 2007
http://support.microsoft.com/kb/929395
If the certificate cannot be removed by the cmdlet used in Exchange, then please try to delete it from the Certificate MMC snap-in.
Hope it helps.
May 6th, 2008 12:47pm