Here is a helpful tip regarding renewing or replacing the SSL certificate for your Exchange server. In my case I was using an inexpensive service provided by www.register.com to obtain an SSL certificate. I accepted their already saved .csr from the original certificate request a year ago. The problem with that is that it contains a private key that pertains to that .csr with regard to the generating server, so when they issue the cert the server doesn't recognize the private key, and when you try to enable it for Exchange it gives a pile of red error text saying it can't be used due to not having a private key. Since Register.com doesn't like to reissue certs, here is the fix:
Go ahead and import the certificate into Exchange using the Exchange Management Shell:
Import-ExchangeCertificate -Path <path to your cert goes here, no quotes> (this assumes you have already downloaded the certificate to your server and placed it in an easy-to-locate directory; I use c:\ for ease)
Click Start -> Run and then type MMC, press Enter.
In the MMC snap-in window, click the File menu and then select Add/Remove Snap-in…
Select Certificates.
Click Add button.
Select Computer account from the popped up dialog box.
Click Finish and click OK.
Expand Certificates -> Personal -> Certificates.
You should see the newly imported certificate with the little golden key icon missing. The other certificate you may see is the self-signed certificate generated during Exchange installation.
Now double click on the newly imported certificate and select the Details tab.
Click Serial Number and write down this value or simply copy and paste it into a Notepad file. Please note that you will not be allowed to copy using the mouse. You can use Ctrl+C instead.
Open a command prompt, type certutil -repairstore my "serial number of certificate" and press Enter.
Now, refresh the Certificates MMC and you should see the private key paired with the certificate.
You can now enable this certificate on your Exchange server:
Enable-ExchangeCertificate -Thumbprint "your thumbprint goes here" -Services "list the services here, i.e. IIS, SMTP, etc."
Press Enter and you will see a warning about overwriting the existing certificate with the new one. Press "y" and Enter and you are done!
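The MMC and certutil steps above can also be done from one PowerShell script. This is an added example, not part of the original post; the script's -Thumbprint parameter is introduced here for illustration. It assumes an elevated session, and the repair only works when the matching private key is still present on this server.

```powershell
# Added example: list machine-store certificates with no linked private key,
# then re-link one of them with certutil. Run from an elevated PowerShell session.
param(
    [string]$Thumbprint   # optional: thumbprint of the certificate to repair
)

$store = 'Cert:\LocalMachine\My'   # the "Personal" store of the computer account

# Certificates that show up in the MMC without the golden key icon.
$orphans = @(Get-ChildItem $store | Where-Object { -not $_.HasPrivateKey })

if ($orphans.Count -eq 0) {
    Write-Host 'Every certificate in LocalMachine\My already has a private key.'
    return
}

# Same values the Details tab shows: serial number for certutil,
# thumbprint for Enable-ExchangeCertificate.
$orphans | Format-List Subject, SerialNumber, Thumbprint, NotAfter

if (-not $Thumbprint) {
    Write-Host 'Re-run with -Thumbprint <value from the list> to repair one certificate.'
    return
}

$cert = $orphans | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No key-less certificate with thumbprint $Thumbprint in $store" }

# Same command as the manual step; it succeeds only if the matching private key
# is still present on this machine.
& certutil.exe -repairstore my $cert.SerialNumber
if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed with exit code $LASTEXITCODE" }

# Re-read the store: the certificate must now report a private key.
$fixed = Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $Thumbprint }
if ($fixed.HasPrivateKey) {
    Write-Host "Private key linked. Thumbprint to enable: $($fixed.Thumbprint)"
} else {
    throw 'Certificate still has no private key; check that the key was generated on this server.'
}
```

Run it once with no arguments to list the key-less certificates, then again with the thumbprint of the one to repair.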
2 Responses to Renew Exchange 2007 Certificate, Missing Private Key
RansomWare - This type of virus is one that is typically distributed through a fake email claiming to have a greeting, card, invoice, check, PO, or something of the sort attached. It can also be published as a fake Adobe or Java update. In case you aren't familiar with the utter destruction, you should read here http://www.bleepingcomputer.com/news/security/the-locky-ransomware-encrypts-local-files-and-unmapped-network-shares/
Basically if you don't have a backup, you have likely lost all of your files. In some iterations it is even smart enough to remove previous versions saved by Windows using VSS so that you can't simply restore them to yesterday. In 95% of cases, you better have a good backup. I prefer Crashplan; I feel like it is the best backup solution on the market and is very very inexpensive. I have it on every device I own.
Chris
Nice article. Just checking to see if this bounces or not.
Hope you die and stuff. Thanks.
redflame
I hate you