PrivateKeyMissing when running Enable-ExchangeCertificate

Enable-ExchangeCertificate : The certificate with thumbprint XXXXXXXXX was found but is not valid for use with Exchange Server
(reason: PrivateKeyMissing).
At line:1 char:27
+ Enable-ExchangeCertificate <<<< -Thumbprint XXXXXXXXX -Services "IIS"


The above error is the result of a glitch in Exchange 2007. The issue occurs at random rather than every time, but when it does happen, no certificate can be installed or removed through the Exchange Management Shell (EMS). Either the system has lost track of where it placed the private key, or the certificate store is damaged.

Repair Damaged Certificate Store:

1) Open MMC (Microsoft Management Console) to the Certificate Manager (Certificates Snap-in) for the Local Computer account.
2) Double-click on the recently imported certificate (it will be missing the golden key).
3) Go to the Details tab.
4) Click on the Serial Number field and copy down that number. (Leave the window open.)
5) Open a command prompt (CMD.exe).
6) Type: certutil -repairstore my "SerialNumber" (where SerialNumber is the number copied down in step 4).
7) After running the command, go back to the MMC, right-click Certificates and select "Refresh".
8) The golden key should now be associated with the certificate.
9) Double-check in the Exchange Management Shell (EMS) with: Get-ExchangeCertificate
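
The repair procedure above can also be driven from PowerShell. The following is an added example, not part of the original article: it lists certificates in the Local Computer Personal store that have no private key, runs the same certutil command from step 6 using the serial number read from the store, and then re-checks the certificate. The function names Get-CertWithoutPrivateKey and Repair-CertKeyAssociation are hypothetical, and an elevated session on the Exchange server is assumed.

```powershell
# Added example, not from the original article. Function names are hypothetical.
# Run in an elevated PowerShell session on the Exchange server.

function Get-CertWithoutPrivateKey {
    # Certificates in Local Computer\Personal (store name "My") that have no
    # private key associated, i.e. no golden key icon in the MMC.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { -not $_.HasPrivateKey } |
        Select-Object Subject, SerialNumber, Thumbprint, NotAfter
}

function Repair-CertKeyAssociation {
    param([string]$Thumbprint)

    $path = "Cert:\LocalMachine\My\$Thumbprint"
    if (-not (Test-Path $path)) {
        throw "No certificate with thumbprint $Thumbprint in LocalMachine\My"
    }

    $cert = Get-Item $path
    if ($cert.HasPrivateKey) {
        Write-Host "Private key is already associated; nothing to repair."
        return $true
    }

    # Same command as step 6, with the serial number taken from the store
    # instead of being copied by hand from the Details tab.
    & certutil.exe -repairstore my $cert.SerialNumber | Out-Host
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "certutil exited with code $LASTEXITCODE"
        return $false
    }

    # Re-read the certificate; the object fetched earlier holds the old state.
    $repaired = (Get-Item $path).HasPrivateKey
    if (-not $repaired) {
        # certutil can only re-link a key that still exists on this server,
        # for example because the certificate request was generated here.
        Write-Warning "Still no private key for serial $($cert.SerialNumber)."
    }
    return $repaired
}

Get-CertWithoutPrivateKey | Format-List
# Repair-CertKeyAssociation -Thumbprint '<thumbprint from the list above>'
```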

Alternatively, if the above does not work, try the following:
Note: Follow these steps only if running Windows Server 2008.

1) Open MMC (Microsoft Management Console) to the Certificate Manager for the Local Computer account. (Certificates Snap In)
2) Look in the Personal section of the Certificate Manager and there should be icon(s) without a little golden key. (Those with the key have the private key bonded to them.)
3) Delete the icons without the golden key.
4) Go back to the EMS.
5) Run Import-ExchangeCertificate and Enable-ExchangeCertificate in one line, like so:
   Import-ExchangeCertificate -Path c:\exchange.globessl.com.crt | Enable-ExchangeCertificate -Services "SMTP, IMAP, IIS, POP"
*** Please modify the command according to your needs. ***
6) Things should be golden from here and if they are not, please contact Microsoft.
