Import certificate in Exchange 2007
Hello,
I have a problem importing a trusted certificate in Exchange 2007.
Here is what I have :
cert.chain.crt (the intermediate certification authority from what I understand)
cert.csr file
cert.crt file
cert.pem file (which is a RSA PRIVATE KEY)
I don't have any pending certificate request in the Certificates MMC.
The certificate is provided by SSL247 and is validated by GlobalSign Organization Validation CA - G2 intermediate certification authority.
I did the following :
import the intermediate certification authority (cert.chain.crt) on my CAS computer using the MMC
from the Exchange Management Shell:
Import-ExchangeCertificate -Path mycert.crt
Enable-ExchangeCertificate -Services IIS
When I run that last command, I get an error :
Enable-ExchangeCertificate : The certificate with thumbprint XXXXXXXXX was found but is not valid for use with Exchange Server (reason: PrivateKeyMissing).
I tried the solution found here : https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1188
but it's not working.
When I run
certutil -repairstore my "SerialNumber"
I get the following error :
=============== Certificate 1 ================
(...)
No key provider information
Cannot find the certificate and private key for decryption.
CertUtil: -repairstore command FAILED: 0x80090010 (-2146893808)
CertUtil: Access denied.
PS C:\Users\Administrator.>
From what I understand since the beginning and based on my search, the main problem would be that the Certificate Signing Request has not been issued from my CAS server.
I'm new to this kind of problem, any advice would be much appreciated.
Thank you,
Yoann
March 22nd, 2012 8:26am
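For comparison with the steps in the question, here is the Exchange 2007 certificate workflow in which the private key is created on the CAS itself, so the PrivateKeyMissing error cannot occur. This is an added example written for this page, not a command sequence from the thread or from Microsoft's documentation; the host names, organisation, file paths and friendly name are placeholders.

```powershell
# Added example (not from the thread): Exchange 2007 certificate request,
# completion and enablement, all performed on the CAS so the private key
# stays in the local machine store. Names and paths are placeholders.

# 1. Generate the CSR on the CAS. The private key is created in the local
#    machine store now and never leaves the server; only the request file
#    is sent to the CA (SSL247/GlobalSign in the thread).
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "c=FR, o=Example Org, cn=mail.example.com" `
    -DomainName mail.example.com, autodiscover.example.com `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -FriendlyName "Exchange 2007 CAS" `
    -Path C:\certreq\mail.example.com.req

# 2. After the CA returns the issued certificate (cert.crt), import the
#    intermediate (cert.chain.crt) into the Intermediate Certification
#    Authorities store with the MMC, then complete the request here. Doing
#    it on the same server joins the CA's certificate to the pending key.
$cert = Import-ExchangeCertificate -Path C:\certreq\cert.crt

# 3. Confirm the key is attached before enabling any service. A certificate
#    whose CSR was generated elsewhere shows HasPrivateKey = False and fails
#    Enable-ExchangeCertificate with the PrivateKeyMissing reason.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key in this store; the CSR was not generated on this server."
}

Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# 4. Review the store: every enabled certificate should list its services,
#    carry a private key and not be close to expiry.
Get-ExchangeCertificate | Format-List Thumbprint, Subject, Services, HasPrivateKey, NotAfter
```

The HasPrivateKey check in step 3 is the quickest way to tell a "certificate only" import (the situation in the question) from a completed request; it is the same condition Enable-ExchangeCertificate reports as PrivateKeyMissing.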
Yes that could be the issue, where did you do the cert request from? You need to finish the csr request with the answer file from your CA on the same server you issued the request. Once that's done you can just export the cert with the private key to your CAS server.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
March 22nd, 2012 11:18am
Hello,
Thanks for your answer.
It seems that the CSR has been provided by the Certification Authority with the .crt, .pem and chain.crt files (I haven't been the one issuing the request).
I found the following command :
# Generate a pfx from crt and key with intermediate CA
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
which I translated in my case to
openssl pkcs12 -export -out cert.pfx -inkey cert.pem -in cert.crt -certfile cert.chain.crt
I then got a pfx file but still the same problem when running
Enable-ExchangeCertificate -Services IIS
or trying to repair the store...
I will ask tomorrow the person who made the request if he had done anything special, but I am sure the CSR hasn't been issued from my CAS server. Another colleague told me that there were 2 ways to make a trusted certificate request:
generate a CSR and contact your signing organization (GlobalSign, ...) to get the signed certificate
ask the signing organization to do all the stuff for you (csr, crt, key)
Is this correct or may he be wrong ?
Thanks again !
Yoann
March 22nd, 2012 12:16pm
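When the CA has supplied the key and certificate as separate files, the two checks worth making before (and after) building the PFX are that the key actually belongs to the certificate, and that the import puts the key into the machine store. The script below is an added example for this page, not code from the thread or from any vendor; it assumes an openssl.exe at the path shown and the file names used in the post, and it drives the same openssl pkcs12 command the post quotes.

```powershell
# Added example (not from the thread): verify that cert.pem is the key for
# cert.crt, build the PFX with the intermediate, and import the PFX (not the
# bare .crt) so the private key lands in the CAS machine store.
# The openssl.exe location and the file paths are assumptions.
$openssl = "C:\OpenSSL-Win32\bin\openssl.exe"
$crt   = "C:\certs\cert.crt"
$key   = "C:\certs\cert.pem"
$chain = "C:\certs\cert.chain.crt"
$pfx   = "C:\certs\cert.pfx"

# 1. The RSA modulus printed for the certificate and for the key must match.
#    If it does not, cert.pem is not the key that produced the CSR and no PFX
#    built from the pair can ever satisfy Enable-ExchangeCertificate.
$certMod = & $openssl x509 -noout -modulus -in $crt
$keyMod  = & $openssl rsa  -noout -modulus -in $key
if ($certMod -ne $keyMod) {
    throw "cert.pem does not match cert.crt (modulus mismatch); ask the requester/CA for the key belonging to this CSR."
}

# 2. Bundle certificate, key and intermediate into a password-protected PFX.
#    The export password is handed to openssl through an environment
#    variable rather than on the command line, so it is not visible in the
#    process list.
$pfxPassword = Read-Host -AsSecureString "PFX export password"
$env:PFXPASS = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pfxPassword))
& $openssl pkcs12 -export -out $pfx -inkey $key -in $crt -certfile $chain -passout env:PFXPASS
Remove-Item Env:\PFXPASS

# 3. Import the PFX with its password. This is the step that stores the
#    private key alongside the certificate; importing the .crt alone cannot.
$cert = Import-ExchangeCertificate -Path $pfx -Password $pfxPassword
if (-not $cert.HasPrivateKey) {
    throw "PFX $pfx was imported without a private key"
}
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS
```

If step 1 fails, the certutil -repairstore attempt from the first post cannot succeed either: there is no key in any store on the server to pair the certificate with.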
You don't need to mess with openssl, when you generate the csr request the private key is used which is on the server you generated from. When the cert comes back from the CA you have to finish the request which will combine with the private key, which is why it's typically done on the server it was generated from. You don't need to do the openssl manually to finish the request though you can if you have the private key exported. Just generate the CSR from your CAS server using powershell not IIS and resend to the CA.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
March 22nd, 2012 12:35pm
Ok thank you,
I will try it this way and keep you informed as soon as I have a result :)
Yoann
March 23rd, 2012 4:33am
One more point:
our certificate is a wildcard certificate; if we issue a CSR from our Exchange Server, will the certificate we receive from the certification authority work with other services that require this wildcard certificate?
Thank you.
March 23rd, 2012 5:33am
Well
I guess yes as long as I export the cert and private key from my exchange server to import them on a new server, can someone confirm ?
March 23rd, 2012 6:29am
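Exporting the wildcard certificate together with its private key, and checking the exported file before copying it to another server, looks like this in the Exchange 2007 Management Shell. This is an added example for this page, not code from the thread; the thumbprint and paths are placeholders, and it relies on the CSR having been created with -PrivateKeyExportable $true.

```powershell
# Added example (not from the thread): export the wildcard certificate with
# its private key from the Exchange 2007 server for reuse on another host,
# then verify the PFX really carries the key. Thumbprint/paths are placeholders.
$thumbprint = "0000000000000000000000000000000000000000"   # take from Get-ExchangeCertificate
$pfx        = "C:\certs\wildcard.pfx"
$password   = Read-Host -AsSecureString "PFX password"

# The key can only be exported if the request was generated with
# -PrivateKeyExportable $true; otherwise this cmdlet fails.
Export-ExchangeCertificate -Thumbprint $thumbprint -BinaryEncoded:$true -Path $pfx -Password $password

# Load the PFX back without importing it into any store (DefaultKeySet) and
# make sure the private key is inside before the file leaves this machine.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$check.Import($pfx, $password,
    [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
if (-not $check.HasPrivateKey) {
    throw "Export of $thumbprint did not include the private key"
}
"{0}  {1}  HasPrivateKey={2}" -f $check.Thumbprint, $check.Subject, $check.HasPrivateKey
```

On the receiving server the same PFX is installed with Import-ExchangeCertificate -Path and -Password, exactly as for a PFX produced by openssl; the verification above is what tells you the copy will not end in another PrivateKeyMissing error.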
Hi snoopscratchy,
Sure, you are right, you could get some information from here.
If you use the wildcard CERT, there will be some issue with ActiveSync.
Regards!
Gavin
TechNet Community Support
March 26th, 2012 3:46am