Exchange 2007 Private Key Missing

Error message: "The certificate with thumbprint... was found but is not valid for use with Exchange Server (reason: PrivateKeyMissing)."

We are aware of two possible reasons for this error message. The first reason is that your private key was lost, deleted, or never existed on the server in the first place. Without a private key, Exchange cannot enable the certificate.

The second reason has no clear cause: sometimes administrators get this error even though the entire Exchange 2007 setup is correct, because the private key somehow became corrupted and is unusable by Exchange.

Luckily, both are easily resolved.

Background

"SSL Certificate" is a convenient shorthand for two distinct but related files: a public key and a private key. On your server these files are usually combined in some way, for example in a .p12, .pfx, or keystore file.

When you create a certificate request you actually create two things: A private key, which remains safe on your server, and a Certificate Signing Request (CSR), which is a data file that contains the information a Certificate Authority like DigiCert® needs to create a public key to match your private key without compromising the private key itself.

When your certificate is installed properly on the server, the certificate is paired with the corresponding private key from which your CSR was generated. In the case of most Microsoft installations, your server will not let you install a certificate file that does not match the private key.

What Do I Do?

If your private key is lost or damaged you will have to start over by creating a new CSR.

Reissuing DigiCert certificates is actually really easy as long as you use the same common name in the request. First, create a new CSR on your server. Then log into your DigiCert Management Console, click the order number, and click Reissue.

What Caused the Problem in the First Place?

It's hard to make a general statement, but the most common cause of this issue is that a server admin imported the .crt/.cer/.p7b SSL Certificate files through MMC and not through the Exchange command line or IIS where the request was generated.

Importing stand-alone certificate files through MMC does not associate those files with their private key. SSL Certificates can only be imported via MMC if they have already been installed to their private key and then backed up to a .pfx file.

Another common cause for this problem is that an admin correctly imported the certificates to one server but then backed up the certificate files to a .pfx without backing up the private key. If you are in this situation, we recommend that you learn how to properly export/import certificate files in Exchange.

Finally, if a new certificate request is generated on your Exchange server before your first certificate was installed, the private key for the initial request will be deleted automatically by your server.
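The following Exchange Management Shell sequence is an added example, not code from the original article or from DigiCert, that ties together the two procedures described above: generating a new CSR for the reissue, importing and enabling the reissued certificate on the same server that holds the private key (rather than through MMC), and then backing the certificate up as a .pfx that includes the private key so it can be moved to another server. It uses the Exchange 2007 cmdlet syntax (-Path on New-ExchangeCertificate, Import-ExchangeCertificate and Export-ExchangeCertificate); the host names, organization values and file paths are placeholders.

```powershell
# Added example for the Exchange 2007 Management Shell. Host names, paths and
# organization details are constructed placeholders; replace them with your own.

# --- Step 1: create a new request. The private key is generated on this
#     server and stays here; only the CSR text written to $csrPath goes to the
#     CA. -PrivateKeyExportable is what later allows a .pfx backup WITH the key.
$csrPath = 'C:\certs\mail.example.com.req'
New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'c=US, o=Example Corp, cn=mail.example.com' `
    -DomainName 'mail.example.com','autodiscover.example.com' `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -Path $csrPath

# Paste the contents of $csrPath into the DigiCert Management Console
# (order number -> Reissue), then save the issued certificate to
# C:\certs\mail.example.com.cer on this same server.

# --- Step 2: import with this cmdlet, on the SAME server, not through MMC.
#     Exchange pairs the certificate with the pending request's private key
#     and returns the installed certificate object, which is piped straight
#     into Enable-ExchangeCertificate.
$cert = Import-ExchangeCertificate -Path 'C:\certs\mail.example.com.cer'
$cert | Enable-ExchangeCertificate -Services IIS,SMTP,POP,IMAP

# --- Step 3: confirm the pairing. HasPrivateKey must be True; if it were
#     False, the enable step above would have failed with PrivateKeyMissing.
$installed = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
if (-not $installed.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key on this server."
}

# --- Step 4: back up the certificate TOGETHER with its private key. A .pfx
#     produced this way is the only form that can later be imported on another
#     server (or through MMC) without producing PrivateKeyMissing.
$pfxPassword = Read-Host -Prompt 'Password to protect the .pfx' -AsSecureString
Export-ExchangeCertificate -Thumbprint $cert.Thumbprint `
    -BinaryEncoded:$true `
    -Path 'C:\certs\mail.example.com.pfx' `
    -Password $pfxPassword

# On the second server, import the .pfx (not the .cer) and enable it:
#   Import-ExchangeCertificate -Path 'C:\certs\mail.example.com.pfx' `
#       -Password (Read-Host -Prompt 'pfx password' -AsSecureString) |
#       Enable-ExchangeCertificate -Services IIS,SMTP
```

The check in step 3 is the one worth keeping in any deployment script: a certificate that reports HasPrivateKey as False is exactly the state the error message describes, and catching it right after import is far cheaper than discovering it when clients cannot connect.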

Are There Any Other Fixes?

On rare occasions where none of the above explanations apply to you and you were not able to diagnose the issue, run the certutil -repairstore my "YourSerialNumber" command (quotes included). If your private key was somehow corrupted but is still on the server, this command may resolve the issue.
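As an added illustration of this last check (not code from the original article), the snippet below looks up the certificate whose thumbprint appears in the error message, reports whether Exchange can see a private key for it, and only then runs the certutil repair using the serial number that Get-ExchangeCertificate returns, so the value does not have to be copied by hand. The thumbprint is a placeholder to be replaced with the one from your error text; run it from an elevated Exchange Management Shell on the affected server.

```powershell
# Added example: diagnose "PrivateKeyMissing" for the thumbprint quoted in the
# error text and attempt the certutil repair. $thumb is a placeholder value.
$thumb = 'PASTE-THUMBPRINT-FROM-ERROR-MESSAGE'

$cert = Get-ExchangeCertificate -Thumbprint $thumb
"Subject         : $($cert.Subject)"
"Serial number   : $($cert.SerialNumber)"
"Has private key : $($cert.HasPrivateKey)"

if ($cert.HasPrivateKey) {
    # Exchange already sees a key for this certificate; enabling should work.
    Enable-ExchangeCertificate -Thumbprint $thumb -Services IIS
}
else {
    # No key is linked to the certificate. If the key still exists in the
    # machine store but the association is broken, certutil can restore it.
    # The serial number is passed in quotes, exactly as the article describes.
    certutil -repairstore my "$($cert.SerialNumber)"

    # Re-read the certificate and see whether the repair worked.
    $cert = Get-ExchangeCertificate -Thumbprint $thumb
    if ($cert.HasPrivateKey) {
        Enable-ExchangeCertificate -Thumbprint $thumb -Services IIS
    }
    else {
        # The key is genuinely gone; nothing on this server can recover it.
        # Create a new request and reissue the certificate instead.
        Write-Warning "No private key for $thumb; generate a new CSR and reissue."
    }
}
```

If the repair succeeds, the second HasPrivateKey check flips to True and the certificate enables normally; if it stays False, the private key is not on the server at all and the only path forward is the new-CSR-and-reissue procedure described earlier.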