Exchange Certificate Import Error: Private Key Missing

Joshua B 21 Reputation points
2022-09-12T03:41:21.16+00:00

Hello all,

I am currently setting up an Exchange Server & Outlook for a website and have been trying to install a certificate for Domain Validation.

I opened the Exchange Server PowerShell and imported it with Import-ExchangeCertificate -Server "<ServerName>" -FileData ([System.IO.File]::ReadAllBytes('C:\Certificates\groupname.p7c')) -PrivateKeyExportable:$true -Password (ConvertTo-SecureString -String '<password>' -AsPlainText -Force),

then attempted to enable it with Enable-ExchangeCertificate -Server "<ServerName>" -Thumbprint <XXXXXXXXXXXXXXXXXXXXX> -Services SMTP,IMAP,IIS

and got back this error:

A special Rpc error occurs on server SERVERNAME: The certificate with thumbprint XXXXXXXXXXXXXXXXXXXXX was found but is not valid for use with Exchange Server (reason: PrivateKeyMissing).
    + CategoryInfo          : NotSpecified: (:) [Enable-ExchangeCertificate], InvalidOperationException
    + FullyQualifiedErrorId : [Server=<SERVER-NAME>,RequestId=d09d4e8e-b66e-4235-9aef-998de9bc86ab,TimeStamp=9/11/2022 9:20:12 PM] [FailureCategory=Cmdlet-InvalidOperationException] DA6D9EA1,Microsoft.Exchange.Management.SystemConfigurationTasks.EnableExchangeCertificate
    + PSComputerName        : <servername.website_address>

For reference, I attempted to follow the instructions at website 0000251, and while using the command certutil -repairstore my “SerialNumber” in the command prompt, a Windows Security tab popped up: "Select a smart card device, connect a smart card."

Do I need a smart card to fix my certificate? I understand that an admin usually uses a smart card for the certutil command. Is there any other way I can fix the above issue PrivateKeyMissing? Thank you.

Exchange Server Management

Accepted answer
  1. KyleXu-MSFT 26,256 Reputation points
    2022-09-13T02:49:04.373+00:00

    @Joshua B

    For Exchange Server, you need to create an Exchange Server certificate request for a certification authority, then use this certificate request to apply for a certificate from the CA.

    After that, you can import this certificate to the Exchange server to complete the pending certificate request.

    If you import a certificate to the Exchange server without a certificate request, it will fail because the private key is missing.




    1 person found this answer helpful.
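
The request-then-import sequence described in the accepted answer, as an added example for the Exchange Management Shell (not code from the original answer). The server name EXCH01, the example.com host names and the file names under C:\Certificates are placeholder assumptions.

```powershell
# Added example. Placeholders (assumptions): EXCH01, *.example.com, C:\Certificates\*.
$server = 'EXCH01'

# 1. Generate the request ON the Exchange server. The private key is created
#    here and stays in the server's certificate store with the pending request.
$req = New-ExchangeCertificate -Server $server -GenerateRequest `
    -FriendlyName 'mail.example.com' `
    -SubjectName 'CN=mail.example.com' `
    -DomainName 'mail.example.com','autodiscover.example.com' `
    -KeySize 2048 -PrivateKeyExportable $true
[System.IO.File]::WriteAllBytes('C:\Certificates\mail.req',
    [System.Text.Encoding]::Unicode.GetBytes($req))

# 2. Submit mail.req to the CA. A PKCS #7 reply (.p7b/.p7c) holds public
#    certificates only, so there is no private key in it and no -Password
#    is needed when importing it.

# 3. Import the CA reply on the same server to complete the pending request.
$cert = Import-ExchangeCertificate -Server $server `
    -FileData ([System.IO.File]::ReadAllBytes('C:\Certificates\mail.p7c'))

# 4. Verify that the certificate was paired with the stored key before
#    assigning any services to it.
$check = Get-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint
$check | Format-List Thumbprint, Subject, Status, HasPrivateKey, NotAfter

if ($check.HasPrivateKey -and $check.Status -eq 'Valid') {
    Enable-ExchangeCertificate -Server $server -Thumbprint $check.Thumbprint `
        -Services SMTP, IMAP, IIS
} else {
    Write-Warning ("Not enabling {0}: HasPrivateKey={1}, Status={2}" -f `
        $check.Thumbprint, $check.HasPrivateKey, $check.Status)
}
```

If HasPrivateKey is False at step 4, the reply was imported on a server that does not hold the matching pending request, which is the condition behind the PrivateKeyMissing error in the question.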

1 additional answer

  1. Amit Singh 4,971 Reputation points
    2022-09-12T10:16:42.247+00:00

    Make sure the Exchange server supports your cert type for importing. The following types of certificate files are supported (Import or install a certificate on an Exchange server):

    - PKCS #12 certificate files: Binary certificate files that have .cer, .crt, .der, .p12, or .pfx filename extensions, and require a password when the file contains the private key or chain of trust.
    - PKCS #7 certificate files: Certificate files that have .p7b or .p7c filename extensions.

    Check these helpful links - https://community.spiceworks.com/topic/2315124-ssl-not-showing-in-exchange-2016-after-import
    https://shellybhardwaj.medium.com/exporting-and-importing-exchange-server-2016-ssl-certificates-a97af2267469
    https://www.digicert.com/support/tools/certificate-utility-for-windows
