Valid Exchange 2010/2013/2016
Problem:
You can IMPORT a KEYFILE (password) protected Exchange Certificate via PowerShell without supplying the password. The import itself does work and the certificate is there, but the Cert is NOT usable for Exchange and NOT visible in PowerShell (Get-ExchangeCertificate) or in the Exchange Console under Certificates.
Import-ExchangeCertificate
-Instance <String[]>
[-Confirm]
[-DomainController <Fqdn>]
[-FriendlyName <String>]
[-Password <SecureString>]
[-PrivateKeyExportable <$true | $false>]
[-Server <ServerIdParameter>]
[-WhatIf]
[<CommonParameters>]
What you did:
You used PowerShell to import a valid WILDCARD Certificate into Exchange without the -Password option. If you do this by GUI (Console) you have to enter a password if the Certificate is protected.
- The newly imported wildcard does not show up under Get-ExchangeCertificate | fl
- You are UNABLE to remove the invalid Certificate with Remove-ExchangeCertificate -Thumbprint; the error is (PrivateKeyMissing)
- You do NOT see the new Cert in the GUI under Server in the Exchange Console
Remove-ExchangeCertificate -Thumbprint E409F4412C605F44296957CD654EE45522EEC481
The certificate with thumbprint E409F4412C605F44296957CD654EE45522EEC481 was found but is not valid for use with Exchange Server (reason: PrivateKeyMissing).
If you TRY to reimport the same Certificate with the GUI, you only get the error that it already exists.
Solution:
OPEN MMC > ADD Certificates Snap-in > COMPUTER account > LOCAL COMPUTER > PERSONAL > CERTIFICATES
Be sure that you’re using the Certificates Snap-In for the Local Computer account!
Check IF you find any new Certificates WITHOUT the GOLDEN KEY on the left side of the icon. These are the imported CERTS where the PRIVATE KEY is missing.
Delete that Certificate if you are sure it’s the one you just imported with Exchange PowerShell.
SOLVED – Reimport the Exchange Wildcard Certificate with the CORRECT options and the password of the KEYFILE in PowerShell, or simply use the Exchange Console GUI to import the Wildcard and enter the password there.
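The whole repair as an Exchange Management Shell script (an added example, not code from the original post): it finds certificates in the Local Computer Personal store that lack a private key (the ones shown without the golden key in the MMC), removes only the one matching the bad import's thumbprint, re-imports the PFX with its password, and checks HasPrivateKey before binding any service. The PFX path and the thumbprint (taken from the error message above) are assumptions you replace with your own values.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell on the
# server where the password-less import happened. Assumed values:
$Thumbprint = 'E409F4412C605F44296957CD654EE45522EEC481'   # thumbprint from the PrivateKeyMissing error
$PfxPath    = 'C:\certs\wildcard.pfx'                       # assumed location of the keyfile (PFX)

# 1. Certificates in Local Computer > Personal without a private key. These are the ones
#    the MMC shows without the golden key symbol and the ones Exchange refuses to use.
$noKey = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { -not $_.HasPrivateKey }
$noKey | Format-Table Thumbprint, Subject, NotAfter -AutoSize

# 2. Remove only the broken import, matched by thumbprint and only if it really has no key.
#    The X509Store API is used because Remove-Item on the Cert: drive needs PowerShell 3+.
$bad = $noKey | Where-Object { $_.Thumbprint -eq $Thumbprint }
if ($bad) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Remove($bad)
    $store.Close()
    Write-Host "Removed key-less certificate $Thumbprint from LocalMachine\My"
}

# 3. Re-import the PFX WITH its password so the private key is imported this time.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$fileData    = [System.IO.File]::ReadAllBytes($PfxPath)
$cert = Import-ExchangeCertificate -FileData $fileData -Password $pfxPassword -PrivateKeyExportable $true

# 4. Verify that Exchange now sees the certificate together with its private key.
$imported = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
$imported | Format-List Thumbprint, Subject, HasPrivateKey, Services, NotAfter

# 5. Bind services only after the private key is confirmed present; otherwise IIS/SMTP would
#    be pointed at a certificate that cannot complete a TLS handshake.
if ($imported.HasPrivateKey) {
    Enable-ExchangeCertificate -Thumbprint $imported.Thumbprint -Services IIS, SMTP
} else {
    Write-Warning 'Certificate still has no private key. Check the PFX file and password.'
}
```

Step 2 deliberately matches on thumbprint and on the missing key at the same time, so a certificate that legitimately has no private key (a CA or intermediate certificate that landed in the Personal store by mistake) is listed but not deleted unless its thumbprint is the one from the failed import.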
Please see our important links regarding the handling of Exchange Certificates and related errors:
https://www.butsch.ch/post/Exchange-20102013-POP-or-IMAP-with-Wildcard-Certificate-activation
- Check that you import the INTERMEDIATE certificate from your CERT provider
- Make sure your Exchange VLAN can reach the Internet and the certificate revocation addresses of your provider (see the links for how to check those)
https://www.butsch.ch/post/The-certificate-is-invalid-for-exchange-server-usage-Exchange-2010-SANUC
https://www.butsch.ch/post/Generate-SAN-UC-Certificate-SSL-on-Exchange-2010
https://www.butsch.ch/post/Exchange-2010-Certificate-stays-in-PENDING-REQUEST-after-import
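The two checks above (intermediate present, revocation addresses reachable) can be verified from the Exchange server itself. The following is an added example, not code from the original post: it builds the certificate chain with online revocation checking, reports PartialChain (missing intermediate) and RevocationStatusUnknown/OfflineRevocation (CRL/OCSP not reachable) separately, and tests a TCP connection to every CRL distribution point URL embedded in the certificate. The thumbprint is an assumed placeholder taken from the error text above.

```powershell
# Added example, not from the original post. Run on the Exchange server after the
# wildcard certificate has been re-imported correctly. Assumed value:
$Thumbprint = 'E409F4412C605F44296957CD654EE45522EEC481'   # placeholder, use your own thumbprint
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint"

# Build the chain the way Exchange/SChannel would: full chain, online revocation checking.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$ok = $chain.Build($cert)

# Show what was actually chained: leaf, intermediate(s), root.
Write-Host 'Chain elements:'
foreach ($element in $chain.ChainElements) {
    '  {0} (expires {1:yyyy-MM-dd})' -f $element.Certificate.Subject, $element.Certificate.NotAfter
}

if ($ok) {
    Write-Host 'Chain built and revocation status verified OK.'
} else {
    foreach ($status in $chain.ChainStatus) {
        switch ($status.Status) {
            'PartialChain'            { Write-Warning 'Intermediate CA certificate missing: import it into Intermediate Certification Authorities.' }
            'RevocationStatusUnknown' { Write-Warning 'Revocation status unknown: the CRL/OCSP address is not reachable from this server.' }
            'OfflineRevocation'       { Write-Warning 'Revocation server offline or blocked from this VLAN.' }
            'UntrustedRoot'           { Write-Warning 'Root CA is not in Trusted Root Certification Authorities.' }
            default                   { Write-Warning ('{0}: {1}' -f $status.Status, $status.StatusInformation.Trim()) }
        }
    }
}

# Extract the CRL Distribution Points (OID 2.5.29.31) and test plain TCP reachability to each.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if ($cdp) {
    $urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
    foreach ($url in $urls) {
        $uri = [Uri]$url
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $client.Connect($uri.Host, $uri.Port)   # Port is 80 or 443 unless the URL says otherwise
            $reachable = $true
        } catch {
            $reachable = $false
        } finally {
            $client.Close()
        }
        '{0} reachable from this server: {1}' -f $url, $reachable
    }
} else {
    Write-Host 'Certificate carries no CRL Distribution Points extension.'
}
```

A successful TCP connect only proves the firewall path; a proxy that requires authentication can still make SChannel report RevocationStatusUnknown, which is why the chain build result and the reachability test are reported separately.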
Exchange with Wildcard and POP3 / IMAP
https://www.butsch.ch/post/Exchange-20102013-POP-or-IMAP-with-Wildcard-Certificate-activation