I was trying to renew my UCC certificate for my Exchange 2010 server. All was going fine until I tried to enable the certificate. I got the following error message:
Enable-ExchangeCertificate : The certificate with thumbprint *** was found but is not valid for use with Exchange Server (reason: PrivateKeyMissing). At line:1 char:27 + Enable-ExchangeCertificate -Thumbprint *** -Services "IIS"
- Open MMC and add the Certificates snap-in for the Local Computer account.
- Double-click the recently imported certificate. (In Windows Server 2008 the problem certificate is the one without the golden key icon beside it.)
- Select the Details tab.
- Click the Serial Number field and copy that string. (Use CTRL+C; right-click and copy does not work in this dialog.)
- Open an elevated command prompt (cmd.exe, run as administrator; the repair writes to the Local Computer store).
- Type: certutil -repairstore my "SerialNumber" (SerialNumber is the value copied in step 4.) This re-links the certificate to a private key that already exists in this machine's key store, which is the situation when the request was generated on this server. It cannot recover a key that was generated elsewhere; in that case import a PFX that contains the key instead.
- After running the command, go back to the MMC, right-click Certificates and select Refresh (or press F5 in the MMC).
- Double-click the problem certificate. At the bottom of the General tab it should now state: "You have a private key that corresponds to this certificate." (In Windows Server 2008 the golden key now appears to the left of the certificate, so there is no need to double-click it.)
- Now that the private key is attached to the certificate, proceed to enable the Exchange services via Enable-ExchangeCertificate.
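The same repair, scripted from the Exchange Management Shell so that the state of the private key is checked before and after the fix rather than eyeballed in the MMC. This is an added example, not code from the original post; the thumbprint is a hypothetical placeholder, and it assumes an elevated shell on the Exchange 2010 server where the certificate request was generated.

```powershell
# Added example (not from the original post). Assumes an elevated Exchange
# Management Shell on an Exchange 2010 server; the thumbprint is a placeholder.
$thumbprint = "0123456789ABCDEF0123456789ABCDEF01234567"   # hypothetical

function Get-LocalMachineCert($thumbprint) {
    # Re-reads the store each time: an X509Certificate2 object does not refresh itself.
    Get-ChildItem "Cert:\LocalMachine\My\$thumbprint" -ErrorAction SilentlyContinue
}

$cert = Get-LocalMachineCert $thumbprint
if ($cert -eq $null) { throw "Certificate $thumbprint not found in LocalMachine\My" }

if (-not $cert.HasPrivateKey) {
    # Same fix as the MMC steps above, keyed on the serial number. The .NET
    # SerialNumber property is the hex string without spaces, which certutil accepts.
    certutil -repairstore my "$($cert.SerialNumber)"
    if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed (exit code $LASTEXITCODE)" }

    $cert = Get-LocalMachineCert $thumbprint
    if (-not $cert.HasPrivateKey) {
        # repairstore only re-links a key container that already exists on this box.
        throw "Private key still missing: the key was not generated on this server; import a PFX that contains it."
    }
}

# Confirm Exchange itself sees the key, then bind the services (IIS only, as on this page).
Get-ExchangeCertificate -Thumbprint $thumbprint | Format-List Thumbprint, HasPrivateKey, Subject, Services
Enable-ExchangeCertificate -Thumbprint $thumbprint -Services "IIS"
```

If the script throws at the second HasPrivateKey check, no amount of re-running certutil will help: the key material is not on this machine, and the only fix is to export the certificate with its key from wherever the request was created and import the PFX here.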
I've been deploying Exchange 2010 more and more now. Most of them are single-server installations, or at the very least they only have one server available for Exchange. Below are a few tricks I've found that help in the deployment.
To reduce the load on the server and the number of Non-Delivery Reports it sends (NDRs to forged sender addresses, so-called backscatter, are what get a server blacklisted), I strongly recommend that you use Recipient Validation. With it, Exchange 2010 rejects unknown recipients at RCPT TO, during the SMTP session, rather than accepting the message, attempting delivery, failing, and then bouncing it. Microsoft's documentation on this assumes you have an Edge Transport server, where the anti-spam agents are present out of the box; on a Hub Transport server they have to be installed first. This is how to do it on a Hub Transport server.
First, open the Exchange Management Shell.
Change the directory to:
C:\Program Files\Microsoft\Exchange Server\V14\Scripts
Run the script in that directory that installs the anti-spam agents on the Hub Transport role.
Restart the Microsoft Exchange Transport service so the newly installed agents are loaded.
After it restarts, you need to tell the agents which internal SMTP servers you have; even if you only have one, you must specify it, otherwise the agents treat your own server's traffic as external.
Set-TransportConfig -InternalSMTPServers 192.168.254.200
Where 192.168.254.200 is the internal IP of your server. Note that this parameter replaces the whole list; if you later add a second server, use the @{Add="..."} syntax rather than re-running it with a single address.
Last but not least, enable Recipient Validation with this command:
Set-RecipientFilterConfig -RecipientValidationEnabled $true
You’re all set! You can test it out with nwtools.com or some other tool of your choosing.
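The whole Hub Transport procedure in one script, with verification and the one check this page does not mention: once the server answers "550 5.1.1 User unknown" at RCPT TO, an attacker can harvest valid addresses by guessing, and the per-connector tarpit interval is what slows that down. This is an added example, not the post's own code; it uses the page's address 192.168.254.200 and assumes Install-AntispamAgents.ps1 (the script that ships in the Scripts directory for installing the anti-spam agents on a Hub Transport server) and an elevated Exchange Management Shell on a single-server Exchange 2010 installation.

```powershell
# Added example (not from the original post). Assumes a single Exchange 2010
# Hub Transport server with internal IP 192.168.254.200, run from an elevated
# Exchange Management Shell.
Set-Location "C:\Program Files\Microsoft\Exchange Server\V14\Scripts"

# The Recipient Filter agent (and the other anti-spam agents) are absent on a
# Hub Transport server until this script installs and registers them.
.\Install-AntispamAgents.ps1

# Agents are loaded when the transport service starts.
Restart-Service MSExchangeTransport

# Identify our own SMTP hops so the agents do not treat them as external senders.
# This replaces the list; use @{Add="..."} to append a second server later.
Set-TransportConfig -InternalSMTPServers "192.168.254.200"

# Reject unknown recipients during the SMTP session instead of accepting and
# bouncing (no NDR backscatter to forged senders).
Set-RecipientFilterConfig -RecipientValidationEnabled $true

# Verify: the agent must be installed and enabled, and validation switched on.
Get-TransportAgent | Where-Object { $_.Identity -eq "Recipient Filter Agent" } |
    Format-List Identity, Enabled, Priority
Get-RecipientFilterConfig | Format-List Enabled, RecipientValidationEnabled

# Caveat: an immediate 550 at RCPT TO is an oracle for directory-harvest attacks.
# Exchange delays the 5xx reply by TarpitInterval per connector (default 5 s);
# make sure nobody has set it to 0 on the Internet-facing connector.
Get-ReceiveConnector | Format-Table Name, TarpitInterval, MaxRecipientsPerMessage -AutoSize
```

The last two commands are the ones to rerun after any future change: if the agent shows Enabled False, or TarpitInterval reads 00:00:00, the server is either still accepting everything or answering harvesters at full speed.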
I find that this gets skipped a lot. By default the SMTP banner advertises your server's internal FQDN, which is probably not the external mail server name that the reverse DNS (PTR) record for your public IP returns, and some receiving systems compare the two. You must change it in the shell; it can be achieved with this command:
Set-ReceiveConnector "From the Internet" -Banner "220 mail.contoso.com"
Here "From the Internet" is whatever your Internet-facing receive connector is called (the default is "Default <servername>") and mail.contoso.com should be the name your PTR record resolves to. The banner must begin with the 220 reply code; everything after it is yours to change.
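An added example (not from the original post) that derives the banner name from the PTR record instead of typing it from memory, then reads the banner back over TCP the way a remote MTA would. It assumes the connector name used on this page, a hypothetical public IP of 203.0.113.10, that the server can resolve public reverse DNS, and that the Internet-facing connector is the one listening on port 25 of the local address.

```powershell
# Added example (not from the original post). The connector name is the page's;
# the public IP is a hypothetical placeholder.
$connector = "From the Internet"
$publicIp  = "203.0.113.10"

# Reverse-resolve the public IP: the banner should match what the world sees in DNS.
$ptrName = [System.Net.Dns]::GetHostEntry($publicIp).HostName
Set-ReceiveConnector $connector -Banner "220 $ptrName"

# Read the greeting exactly as a remote MTA would: connect and take the first line.
function Get-SmtpBanner($server, $port = 25) {
    $client = New-Object System.Net.Sockets.TcpClient($server, $port)
    $reader = New-Object System.IO.StreamReader($client.GetStream())
    $line   = $reader.ReadLine()
    $reader.Close(); $client.Close()
    return $line
}

$banner = Get-SmtpBanner "localhost"
if ($banner -notmatch "^220 $([regex]::Escape($ptrName))") {
    Write-Warning "Banner '$banner' does not match PTR name '$ptrName'"
} else {
    Write-Host "Banner OK: $banner"
}
```

Run the check again from outside your network if you can; the localhost connection proves the connector accepted the setting, not that your firewall is forwarding port 25 to this connector rather than another one.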
Hope this helps!