Exchange Geek's Weblog

I'm a Geek!

Missing Private Key on Exchange Certificate

Posted by Milind Naphade on 27/01/2010

Today I was playing around with Exchange 2010 Certificates in my labs. My lab contains simple setup as below:

Server Operating System Role
ExchangeDC Windows Server 2003 SP1 DC,GC, CA
Exchange2003 Windows Server 2003 SP1 Exchange 2003 SP2
Exchange2010 Windows Server 2008 R2 Exchange 2010 RTM

In above setup the domain controller is also an Enterprise Root CA. I requested a new certificate from my internal CA and wanted to import it and then enable it for services on my Exchange server 2010 box. Something was going wrong and the certificate didn’t have a private key. After downloading the certificate the certificate had that “You have a private key that corresponds to this certificate.” missing from certificate. Just as shown below


Now the trouble was the pending request in EMC could yet import this certificate but didn’t let me assign it to the services. After spending good 2 hours at my own I found a solution at

So here is the simplest way to overcome this problem.

  • Download the certificate and store it at some place on the server.
  • Click Start –> Run and then type MMC, press Enter.
  • In the MMC Snap In click File Menu and then select Add/Remove Snap-in…
  • Select Certificates.
  • Click Add button.
  • Select Computer account from the popped up dialog box.
  • Click Finish and click OK
  • Expand Certificates –> Personal –> Certificates


  • Right click in the right hand side pane of the MMC Snap-in and select All Tasks –> Import…


  • Specify the file path in the wizard that will pop up and Finish the wizard.
  • You should see the certificate that has the little golden key icon missing. The other certificate you may see is the self-signed certificate generated during exchange installation.


  • Now double click on the newly imported certificate and select the Details tab.
  • Click Serial Number and write down this value or simply copy and paste it into a notepad file. Please note that you will not be allowed to copy using mouse. You can use Ctrl+C instead.


  • Open command prompt and type certutil –repairstore my “serial number of certificate” and press enter.


  • Now, refresh the Certificates MMC and you should see the private key paired with the certificate.


  • In Certificates MMC right click on the same certificate and select All Tasks –> Export…


  • Export this certificate into a .pfx file with below options selected during the export wizard.
  • Yes, Export the private key on Export Private Key page.
  • Include all certificates in certification path if possible on Export File Format page.
  • Export all extended properties on Export File Format page.
  • Enter the password.
  • Select the path where the pfx file will be stored and complete the wizard.
  • Now open EMS and and run the following cmdlet.
  • [PS] C:\>Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "C:\Users\Administrator.EXCHANGE\Desktop\exchangecert.pfx" -Encoding byte -ReadCount 0)) -Password:(Get-Credential).password

    The credentials prompt will pop up. Enter the credentials as the currently logged on user and the password that was specified for the pfx file during export. If the credentials are correct the output should be as below:


    Next, you can enable this certificate for the services you want to use it for. Again, simply open the EMS and run Enable-ExchangeCertificate -Server ‘EXCHANGE2010’ -Services ‘IMAP, POP, IIS, SMTP’ -Thumbprint ‘E7DD3356F1DC4359D9AAFD18BC7E36C06C7FC418’

    8 Responses to “Missing Private Key on Exchange Certificate”

    1. Ratish said

      Remember doing this n number of times. Thanks for posting this… 🙂

    2. Sen said

      Explained great…was having this annoying problem and after googling enough, found this link and it took care of my issue..

    3. What a great read. Thanks.

    4. Nathan said

      You spelled “repairstore” wrong in the command as posted, which might cause people copy and pasting some issues 😉

    5. David Thabet said

      You are amazing!!! That just saved me hours of work and money. I thought I had to start the certificate process over again with the vendor…phew!!

    6. Thanks for pointing that out Nathan. I have corrected the spelling mistake now.

    7. I am glad that my post could help you.

    8. […] certificate expired today.  I used articles from telnetport25 and msexchangegeek as resources, but I thought it would be helpful to compile the entire procedure in one […]

    Sorry, the comment form is closed at this time.

    %d bloggers like this: