PrivateKeyMissing when running Enable-ExchangeCertificate

Enable-ExchangeCertificate : The certificate with thumbprint XXXXXXXXX was found but is not valid for use with Exchange Server
(reason: PrivateKeyMissing).
At line:1 char:27
+ Enable-ExchangeCertificate <<<< -Thumbprint XXXXXXXXX -Services "IIS"

The above error is the result of a glitch in Exchange 2007. It is intermittent and appears at random, but once it occurs no certificate can be installed or removed through the Exchange Management Shell (EMS). For whatever reason, the system loses track of where it placed the private key, or the certificate store itself is damaged.

Repair Damaged Certificate Store:

1) Open MMC (Microsoft Management Console) with the Certificates snap-in loaded for the Local Computer account.
2) Double-click the recently imported certificate (it will be shown without the golden key icon).
3) Go to the Details tab.
4) Click the Serial Number field and copy down that number. (Leave the window open.)
5) Open a command prompt (cmd.exe).
6) Type: certutil -repairstore my "SerialNumber" (where SerialNumber is the value copied down in step 4).
7) After running the command, go back to the MMC, right-click Certificates and select "Refresh".
8) The golden key should now be shown on the certificate.
9) Double-check in the Exchange Management Shell with: Get-ExchangeCertificate
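The same repair as a script, added here as an example and not part of the original article: it lists certificates in the Local Computer Personal store that have no private key bound (the "no golden key" case), runs certutil -repairstore against each one by serial number, then re-reads the store and, when the Exchange snap-in is loaded, Get-ExchangeCertificate. The optional Thumbprint parameter is an assumption for narrowing the run to the certificate named in the error message; run it from an elevated prompt on the Exchange server.

```powershell
# Added example (not from the original article). Automates steps 2-9 above.
# Assumes an elevated PowerShell or Exchange Management Shell prompt.
param(
    [string]$Thumbprint = ''   # optional: the thumbprint from the EMS error message
)

$store = 'Cert:\LocalMachine\My'

# Steps 1-2: certificates without the golden key are those whose
# HasPrivateKey property is false.
$broken = @(Get-ChildItem $store | Where-Object {
    -not $_.HasPrivateKey -and
    ($Thumbprint -eq '' -or $_.Thumbprint -eq $Thumbprint)
})

if ($broken.Count -eq 0) {
    Write-Host "Every certificate in $store already has a private key bound."
    return
}

# Remember which thumbprints we touched so the checks below stay targeted.
$touched = $broken | ForEach-Object { $_.Thumbprint }

foreach ($cert in $broken) {
    Write-Host ("Repairing '{0}' (serial {1})" -f $cert.Subject, $cert.SerialNumber)
    # Steps 4-6: certutil looks the certificate up by serial number and re-links
    # the private key container if that container still exists on this machine.
    $output = & certutil.exe -repairstore my $cert.SerialNumber 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning ("certutil exit code {0} for serial {1}; the key may be gone, " +
            "so fall back to deleting the certificate and re-importing it.") -f $LASTEXITCODE, $cert.SerialNumber
        $output | ForEach-Object { Write-Warning $_ }
    }
}

# Steps 7-8: re-read the store (the MMC "Refresh") and show whether the key is back.
Get-ChildItem $store |
    Where-Object { $touched -contains $_.Thumbprint } |
    Select-Object Subject, Thumbprint, HasPrivateKey |
    Format-Table -AutoSize

# Step 9: confirm Exchange itself sees the certificate before calling
# Enable-ExchangeCertificate. Only available when the Exchange snap-in is loaded.
if (Get-Command Get-ExchangeCertificate -ErrorAction SilentlyContinue) {
    Get-ExchangeCertificate |
        Where-Object { $touched -contains $_.Thumbprint } |
        Format-Table Thumbprint, Services, Subject -AutoSize
}
```

A certificate whose HasPrivateKey is still false after the run has no matching key container on the machine, which is the case the second procedure below handles by deleting and re-importing it.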

Alternatively, if the above does not work, try the following:
Note: Follow these steps only if running Windows Server 2008.

1) Open MMC (Microsoft Management Console) with the Certificates snap-in loaded for the Local Computer account.
2) Look in the Personal section of the Certificate Manager; there should be one or more certificate icons without the little golden key. (Those with the key have the private key bound to them.)
3) Delete the icons without the golden key.
4) Go back to the EMS.
5) Run Import-ExchangeCertificate and Enable-ExchangeCertificate in one line, like so: [ Import-ExchangeCertificate -Path c:\ | Enable-ExchangeCertificate -Services "SMTP, IMAP, IIS, POP" ]
*** Please modify the command according to your needs. ***
6) Things should be golden from here; if they are not, please contact Microsoft.
