Knowledge Base

PrivateKeyMissing when running Enable-ExchangeCertificate

May 25, 2018 in SSL Technical FAQs and Unified Communications Certificates


Enable-ExchangeCertificate : The certificate with thumbprint XXXXXXXXX was found but is not valid for use with Exchange Server
(reason: PrivateKeyMissing).
At line:1 char:27
+ Enable-ExchangeCertificate -Thumbprint XXXXXXXXX -Services 'IIS'

The above error can as a result of multiple reasons. CSR was created with IIS and attempted to be installed through the Exchange Management Shell (EMS), CSR was created in EMS on another Exchange Server, a damaged certificate, or Windows simply 'forgets' where it placed the PrivateKey for the certificate. It doesn't happen all the time, but sometimes the error can be a nuisance.

Option #1: Repair Damaged Certificate (Windows Server 2003/2008)


  • Open MMC and add the Certificate Snap-In for the Local Computer account.


  • Double-Click on the recently imported certificate.

Note: In Windows Server 2008 it will be the certificate missing the golden key beside it.

  • Select the Details tab.


  • Click on the Serial Number field and copy that string.

Note: You may use CTRL+C, but not right-click and copy.

  • Open up a command prompt session. (cmd.exe aka DOS Prompt)


  • Type: certutil -repairstore my 'SerialNumber' (SerialNumber is that which was copied down in step 4.)


  • After running the above command, go back to the MMC and Right-Click Certificates and select Refresh (or hit F5 in the MMC)


  • Double-Click on the problem certificate. At the bottom of this window (General tab) it should state: 'You have a private key that corresponds to this certificate.'

Note: In Windows Server 2008 there will be a golden key to the left of the certificate, so there is no need to double-click the certificate.

  • Now that the Private Key is attached to the certificate, please proceed to enable Exchange Services via Enable-ExchangeCertificate.



Option #2: Remove and Re-Install Certificate (Windows Server 2003/2008)


  • Verify the certificate doesn't have it's private key.
    In the MMC and double-click the recently imported certificate. (Be sure that you're using the Certificate Snap-In for the Local Computer account!)

Note: In Windows Server 2008 it will be the certificate missing the golden key beside it.

  • Right-Click on the certificate and click Delete.




If any of the above does not work, please contact Microsoft.

Related articles