Troubleshooting Errors on Exchange 2007
Troubleshooting Common SSL Errors on Exchange 2007
"The certificate with thumbprint... was found but is not valid for use with Exchange Server (reason: PrivateKeyMissing)."
There are two possible causes that we are aware of for this error message. The first is very straightforward, if you receive this message, somehow your private key was lost or deleted (or never installed to the server in the first place), and so you are unable to enable your certificate files for Exchange.
The second is less straightforward. It seems that sometimes administrators will get this error even when the entire Exchange 2007 setup has been done correctly, and the private key file somehow becomes corrupted and unusable by Exchange.
Luckilly, both are easily resolved.
A Bit of Background
"SSL certificate" is an easy way to refer to two distinct but related files (often combined in some way on your server, for example in a .p12, .pfx, or keystore file) called a public key and a private key.
When you create a certificate request you are in fact creating two things. A private key, which remains safe on your server, and a Certificate Signing Request, a data file that contains information necessary for a Certificate Authority like DigiCert to create a public key to match your private key, but without compromising the private key itself.
When you install your certificate files to the server, it is important to make sure that they are installed to the private key from which your CSR was generated. In the case of most Microsoft installations, it is ONLY possible to do that, and your server will not let you install a certificate file that does not match the private key.
Essentially, that means that if your private key is lost or damaged, you will have to start over, create a new certificate, and reissue your private key.
What Can You Do?
Reissuing your certificate file through your DigiCert account is actually straightforward and fairly pain-free, and almost always automated (you just need to make sure not to change the common name in the certificate request). Just log in to your account, click the order number, and then the link to reissue.
Before you can reissue your certificate, you will need to create a new CSR on your server.
What Caused the Problem in the First Place?
That question is a hard one to answer for your exact case, but by far the most common cause of this issue is that a server admin will import the .crt/.cer/.p7b SSL certificate files through MMC and not through the Exchange command line or IIS where the request was generated.
Importing stand-alone certificate files through MMC will never associate those files with their private key. SSL certificates can only be imported via MMC if they have first been correctly installed to their private key and then backed up to a PFX file.
Another common cause is that an admin will correctly import his certificates to one server, and then back up the certificate files to a PFX without backing up the private key. If that is the case, learn how to properly export/import certificate files in Exchange.
Finally, if a new certificate request is generated on your Exchange server before your first certificate was installed, the private key for the initial request will be deleted automatically by your server.
Are There Any Other Fixes?
Sometimes there is one way to possibly fix your issue aside from reissuing the certificate. However, this fix applies to the fairly rare occassion when none of the above explanations applies to your issue, and diagnosing that is not particularly faster or easier than reissuing in the first place.
Try running the command certutil -repairstore my "YourSerialNumber"
With quotes included. If your private key was somehow corrupted, but still present on the server, this can resolve the issue.