Question : PrivateKeyMissing error during installation of second SAN SSL following removal of first SAN SSL cert

We set up a new Exchange 2007 server and all was well until we decided to obtain an SSL SAN cert. We followed the recommended process for obtaining a SAN SSL cert from GoDaddy and installed it successfully, but then realized we did not have the correct Common Name. Worked with GoDaddy to revoke the cert and then issued a new one.

Sounded reasonable to remove the first GoDaddy cert and that is when things went awry.
Started by using the Remove-ExchangeCertificate command, but it complained that you couldn't remove the default certificate. We then removed the GoDaddy intermediate certificates and then followed the process to install the new SSL cert by installing the GoDaddy intermediate and then Import-ExchangeCertificate, which hung up--no thumbprint given, etc. Ran Get-ExchangeCertificate and found the new cert listed along with the old. At this point, decided to use Remove-ExchangeCertificate again on the original cert and this time it did so. Then went into MMC/Certificates (Local Computer/Personal) and deleted the GoDaddy cert.

Back to Import-ExchangeCertificate and it completed successfully and provided a new thumbprint. Then tried Enable-ExchangeCertificate which resulted in the following error:
WARNING: An unexpected error has occurred and a Watson dump is being generated: The certificate with thumbprint E6EF38A4683D6EE2BE28FF22A62291F4F384FC90 was found but is not valid for usage with Exchange Server (reason:PrivateKeyMissing). Enable-ExchangeCertificate : The certificate with thumbprint E6EF38A4683D6EE2BE28FF22A62291F4F384FC90 was found but is not valid for usage with Exchange Server (reason: PrivateKeyMissing).At line:1 char:27
+ Enable-ExchangeCertificate  <<<< -Thumbprint E6EF38A4683D6EE2BE28FF22A62291F4F384FC90 -Services:"SMTP, IIS"

Panic then sets in. Searched for solutions and ran across a reference that from MMC, one needed to import the original SSL cert back into Local Computer/Personal/Certificates. Before importing, only the server self-signed cert existed. After reimporting the original cert, two cert entries appeared--the original CN and the new CN... The article then went on to suggest using CertUtil -RepairStore "SerialNumber" but it squawks about missing arguments. Tried running Enable-ExchangeCertificate again and received the same private key error.

Admittedly, I'm a newbie here and would appreciate some guidance.
Thanks.

Answer : PrivateKeyMissing error during installation of second SAN SSL following removal of first SAN SSL cert

Was the CSR for a *new* certificate or for a renewal?

What process did you use to install the new certificate?


Try using certutil with the following commands:

certutil -addstore my certnew.cer
certutil -repairstore my "thumbprint"

I believe the arguments you were missing were the identifier of the certificate store.

These commands will install the certificate in your user certificate store and associate it with a private key if one exists. Then you can export it and import it into the machine store.

Dave Dietz
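The following PowerShell is an added example, not code from the question or from Dave Dietz's answer. It wraps the certutil -repairstore step from the answer in a small check-then-repair routine: list every certificate in the machine's Personal store whose private key is not linked, run the repair against one thumbprint, and re-read the store to confirm the link is back. It assumes an elevated PowerShell session on the Exchange server, and the function names (Get-CertWithoutPrivateKey, Repair-CertPrivateKeyLink) are my own; the thumbprint used in the usage line is the one quoted in the question's error message.

```powershell
# Added example (not from the original question or answer): find certificates in
# LocalMachine\My that have no linked private key, try certutil -repairstore on one,
# and verify the result before retrying Enable-ExchangeCertificate.
# Assumption: run as an administrator on the server that generated the CSR, since
# certutil -repairstore can only re-link a key container that still exists locally.

function Get-CertWithoutPrivateKey {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    # HasPrivateKey is $false when the cert is present but no key container is linked,
    # which is exactly the state that produces reason: PrivateKeyMissing.
    Get-ChildItem -Path $StorePath |
        Where-Object { -not $_.HasPrivateKey } |
        Select-Object Subject, Thumbprint, NotAfter
}

function Repair-CertPrivateKeyLink {
    param([Parameter(Mandatory)][string]$Thumbprint)

    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
    if (-not $cert) {
        throw "No certificate with thumbprint $Thumbprint in LocalMachine\My"
    }
    if ($cert.HasPrivateKey) {
        Write-Host "Private key already linked; nothing to repair."
        return $true
    }

    # "my" is the store identifier the answer says was missing from the original attempt.
    # Without -user, certutil operates on the local machine store.
    & certutil.exe -repairstore my $Thumbprint | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning ("certutil -repairstore failed (exit $LASTEXITCODE). " +
            "The key container probably no longer exists on this machine; " +
            "reimport the certificate from a PFX that includes the private key instead.")
        return $false
    }

    # Re-read the store entry; the object fetched earlier is not refreshed in place.
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint"
    return $cert.HasPrivateKey
}

# Usage: report every key-less cert, then attempt the repair on the one from the question.
Get-CertWithoutPrivateKey | Format-Table -AutoSize
if (Repair-CertPrivateKeyLink -Thumbprint 'E6EF38A4683D6EE2BE28FF22A62291F4F384FC90') {
    Write-Host "Key linked; Enable-ExchangeCertificate can now be retried."
}
```

The repair only succeeds when the private key container created at CSR time is still on the box; deleting the certificate from MMC does not delete the key container, which is why reimporting the issued .cer and running -repairstore can recover the pairing. If the warning branch fires, the remaining path is a PFX export from wherever the key still exists.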