Try our new Certificate Revocation List Check Tool
CRLcheck.exe is a tool developed to verify digital signatures of executable files. It collects files from known paths on your client, checks their signature, and checks Certificate Revocation Lists (CRL) and OCSP download. This helps avoid delays in launching files.
Category published:  Exchange 2010 Exchange 2013 Exchange 2016   Click on the Category button to get more articles regarding that product.

Exchange Wildcard Certificate imported Powershell without password option (PrivateKeyMissing)

Posted by admin on 28.08.2018

Valid Exchange 2010/2013/2016


You can IMPORT a KEYFILE (Password) protected Exchange Certificate via PowerShell. The import itself does work, it’s there but the Cert is NOT usable for Exchange or visible in PowerShell get-exchange certificate or in the Exchange Console under Certificates.


-Instance <String[]>


[-DomainController <Fqdn>]

[-FriendlyName <String>]

[-Password <SecureString>]

[-PrivateKeyExportable <$true | $false>]

[-Server <ServerIdParameter>]



What you did:

You did use PowerShell to import a valid WILDCARD Certificate into Exchange without the password option. If you do this by GUI (Console) you have to enter a password if the Certificate is protected.

  • The new imported wildcard does not open under get-exchangertificate | fl
  • You are UNABLE to remove-exchangecertificate the invalid Certificate with remove-exchangecertificate –thumbprint error: (PrivateKeyMissing)
  • You do NOT see the new Cert under GUI under Server in the Exchange Console

Remove-exchangecertificate -thumbprint E409F4412C605F44296957CD654EE45522EEC481

The certificate with thumbprint E409F4412C605F44296957CD654EE45522EEC481 was found but is not valid for use with Exchange Server (reason: PrivateKeyMissing).

If you TRY to reimport the same Certificate with GUI


Already exists



ADD Certificate Snap in




Be sure that you’re using the Certificate Snap-In for the Local Computer account!)

Check IF you find any new Certificates WITHOUT the GOLDEN KEY on the left side in the SYMBOL. These are the imported CERTS where the PRIVATE KEY is missing.

Delete that Certificate if you are sure it’s the one you just imported with Exchange Powershell before.

SOLVED – Reimport the Exchange Wildcard Certificate with the CORRECT Options and a KEYFILE (Passwordfile) in PowerShell or simply use The Exchange-Console-GUI to import the Wildcard and enter the password there.

Please see our important Links regarding handling of Exchange Certificates and Errors

  • Check that your import the INTERMEDIATE from your CERT provider
  • Make sure your Exchange VLAN Can Reach the Internet and some Certificate Revocations Address (Here is how to check those etc.)

Exchange with Wildcard and POP3 / IMAP

 Category published:  Exchange 2010 Exchange 2013 Exchange 2016   Click on the Category button to get more articles regarding that product.