Import-ExchangeCertificate fails with "the source data cannot be imported or the wrong password was specified"

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.


This topic provides information about how to resolve "the source data cannot be imported or the wrong password was specified" error you may receive when you try to import a third-party certificate for Exchange by using the Import-ExchangeCertificate cmdlet.

When you try to use the Get-ExchangeCertificate cmdlet using the thumbprint of the certificate, the command fails with the following error: "The certificate thumbprint <thumbprint> was found but is not valid for use with Exchange server. (reason: PrivateKeyMissing)"


There is a problem with the Private Key for the certificate.


To resolve this issue, follow these steps to use the certutil -repairstore command to correct the private key issue.

Before You Begin

To perform this procedure, the account you use must be delegated the following:

  • Membership in the local Administrators group

For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.


To use the certutil -repairstore command to repair the private key issue

  1. Open Microsoft Management Console and add the Certificates snap-in by clicking Start, Run, mmc.exe

  2. Double-click the imported certificate that is in the Personal folder.

  3. Click the Details tab.

  4. Click Serial Number in the Field column, highlight the serial number, and then write it down.

  5. Open a command prompt.

  6. Type: certutil -repairstore my "SerialNumber" (SerialNumber is the serial number that you wrote down in step 4.)

  7. In the Certificates snap-in, right-click Certificates, and then click Refresh. The certificate now has an associated private key.

  8. To verify that the issue is resolved, run the Get-ExchangeCertificate cmdlet which should now show the correct certificate.