Category published:  Exchange 2010 Exchange 2013 Exchange 2016   Click on the Category button to get more articles regarding that product.

Exchange Wildcard Certificate imported Powershell without password option (PrivateKeyMissing)

Posted by admin on 28.08.2018

Valid for Exchange 2010/2013/2016

Problem:

You can import a password-protected (key-file) Exchange certificate via PowerShell. The import itself does work and the certificate is there, but it is NOT usable for Exchange and is not visible in Get-ExchangeCertificate or under Certificates in the Exchange Console.

Import-ExchangeCertificate -Instance <String[]>
    [-Confirm]
    [-DomainController <Fqdn>]
    [-FriendlyName <String>]
    [-Password <SecureString>]
    [-PrivateKeyExportable <$true | $false>]
    [-Server <ServerIdParameter>]
    [-WhatIf]
    [<CommonParameters>]

What you did:

You used PowerShell to import a valid WILDCARD certificate into Exchange without the -Password option. If you do this through the GUI (Console), you are forced to enter the password when the certificate is protected.

  • The newly imported wildcard does not show up in Get-ExchangeCertificate | fl
  • You are UNABLE to remove the invalid certificate with Remove-ExchangeCertificate -Thumbprint; it fails with the error PrivateKeyMissing
  • You do NOT see the new certificate in the Exchange Console under Server > Certificates

Remove-ExchangeCertificate -Thumbprint E409F4412C605F44296957CD654EE45522EEC481

The certificate with thumbprint E409F4412C605F44296957CD654EE45522EEC481 was found but is not valid for use with Exchange Server (reason: PrivateKeyMissing).

If you try to re-import the same certificate through the GUI, it fails with:

Already exists

Solution:

  • Open MMC
  • Add the Certificates snap-in
  • Choose Computer account
  • Choose Local computer
  • Go to Personal > Certificates

Be sure that you’re using the Certificates snap-in for the Local Computer account, not for your user account!

Check whether you find any new certificates WITHOUT the golden key in the icon on the left. These are the imported certificates whose PRIVATE KEY is missing.

Delete that certificate if you are sure it’s the one you just imported with Exchange PowerShell.

SOLVED – Re-import the Exchange wildcard certificate in PowerShell with the CORRECT options, supplying the key-file password (-Password), or simply use the Exchange Console GUI to import the wildcard and enter the password there.
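The whole repair from the Exchange Management Shell, as an added example that is not part of the original post: it lists store entries without a private key (the ones MMC shows without the golden key), removes the one you imported by mistake through the certificate store (since Remove-ExchangeCertificate refuses with PrivateKeyMissing), re-imports the PFX with its password, and verifies the result. The PFX path, the friendly name and the thumbprint from the post above are assumptions; replace them with your own values.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell
# on the Exchange server (elevated). All paths, names and the thumbprint are
# placeholders taken from or assumed for this post; replace them with yours.

# 1. Show every certificate in Local Computer > Personal that has NO private key.
#    This is the PowerShell equivalent of the "no golden key" check in MMC.
$noKey = Get-ChildItem Cert:\LocalMachine\My | Where-Object { -not $_.HasPrivateKey }
$noKey | Select-Object Thumbprint, Subject, NotAfter | Format-Table -AutoSize

# 2. Remove ONLY the certificate you imported without the password.
#    Remove-ExchangeCertificate fails with PrivateKeyMissing, so delete it from the
#    store directly via X509Store (works on every PowerShell version Exchange ships with).
$badThumbprint = 'E409F4412C605F44296957CD654EE45522EEC481'   # thumbprint from the post; replace
$bad = Get-ChildItem Cert:\LocalMachine\My |
       Where-Object { $_.Thumbprint -eq $badThumbprint -and -not $_.HasPrivateKey }
if ($bad) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Remove($bad)
    $store.Close()
    Write-Host "Removed certificate $badThumbprint (it had no private key)."
} else {
    Write-Host "No key-less certificate with thumbprint $badThumbprint found; nothing removed."
}

# 3. Re-import the PFX WITH its password so the private key is installed this time.
#    -FileData takes the raw bytes of the PFX; -PrivateKeyExportable lets you export it later.
$pfxPath  = 'C:\certs\wildcard.pfx'                            # assumed path
$password = Read-Host -Prompt 'PFX password' -AsSecureString   # never hard-code it
$fileData = [System.IO.File]::ReadAllBytes($pfxPath)
$cert = Import-ExchangeCertificate -FileData $fileData -Password $password `
            -PrivateKeyExportable $true -FriendlyName 'Wildcard 2018'   # assumed friendly name

# 4. Verify: Exchange now sees the certificate and the store entry carries a private key.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter
(Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)").HasPrivateKey   # expect True
```

Step 2 deliberately filters on both the thumbprint and HasPrivateKey, so a correctly imported certificate with the same thumbprint is never deleted. Enable-ExchangeCertificate (assigning IIS/SMTP services) is a separate step after the import and is not covered by this post.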

Please see our important links regarding the handling of Exchange certificates and errors:

https://www.butsch.ch/post/Exchange-20102013-POP-or-IMAP-with-Wildcard-Certificate-activation

  • Check that you import the INTERMEDIATE certificate from your certificate provider
  • Make sure your Exchange VLAN can reach the Internet and the certificate revocation (CRL/OCSP) addresses (the linked posts show how to check this)
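One way to check the second point from the Exchange server itself, as an added example that is not from the original post: read the CRL Distribution Point URLs out of the installed certificate and test whether each one answers. The function name and the thumbprint (the one quoted in the post) are assumptions; pass your own thumbprint.

```powershell
# Added example, not from the original post. Reads the CRL Distribution Points
# (extension OID 2.5.29.31) of a certificate in Local Computer > Personal and
# checks that the server can fetch each CRL URL. Requires PowerShell 3.0+ for
# Invoke-WebRequest. Function name and sample thumbprint are assumptions.
function Test-CertCrlReachability {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint
    )

    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"

    # Format($true) renders the extension as multi-line text containing "URL=..." lines.
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) {
        Write-Warning "Certificate $Thumbprint has no CRL Distribution Point extension."
        return
    }
    $urls = [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

    foreach ($url in $urls) {
        try {
            # A HEAD request is enough to prove the CRL is reachable through proxy/firewall.
            $resp = Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing -TimeoutSec 10
            [pscustomobject]@{ Url = $url; Reachable = $true;  Detail = $resp.StatusCode }
        } catch {
            [pscustomobject]@{ Url = $url; Reachable = $false; Detail = $_.Exception.Message }
        }
    }
}

# Sample call with the thumbprint quoted in the post (placeholder; use your own).
Test-CertCrlReachability -Thumbprint 'E409F4412C605F44296957CD654EE45522EEC481' | Format-Table -AutoSize
```

If a URL shows Reachable = False, the Exchange server (and therefore IIS and the Exchange services) cannot validate the chain, which is exactly the slow-start and "invalid certificate" behaviour the linked posts describe. The built-in certutil -verify -urlfetch <cert.cer> performs a comparable chain and revocation check and is a good cross-check.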

https://www.butsch.ch/post/The-certificate-is-invalid-for-exchange-server-usage-Exchange-2010-SANUC

https://www.butsch.ch/post/Generate-SAN-UC-Certificate-SSL-on-Exchange-2010 

https://www.butsch.ch/post/Exchange-2010-Certificate-stays-in-PENDING-REQUEST-after-import

Exchange with Wildcard and POP3 / IMAP

https://www.butsch.ch/post/Exchange-20102013-POP-or-IMAP-with-Wildcard-Certificate-activation
