Create PFX certificate for MS Exchange 2016


My domain,

So I am trying to get a PFX certificate for an Exchange server.
I used the inbuilt certificate request tool in Exchange to create a certificate request “ExchangeCert2.csr”.

I have installed a Bash terminal in Windows and it is running Ubuntu.

Ran this command to generate the certificate.

certbot --manual --csr /mnt/c/temp/ExchangeCert2.csr --preferred-challenges dns certonly

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1):
Performing the following challenges:
dns-01 challenge for
dns-01 challenge for

NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you’re running certbot in manual mode on a machine that is not
your server, please ensure you’re okay with that.

Are you OK with your IP being logged?

(Y)es/(N)o: y

Please deploy a DNS TXT record under the name with the following value:


Before continuing, verify the record is deployed.

Press Enter to Continue

Please deploy a DNS TXT record under the name with the following value:


Before continuing, verify the record is deployed.

Press Enter to Continue
Waiting for verification…
Cleaning up challenges
Server issued certificate; certificate written to /home/wookie/0001_cert.pem
Cert chain written to 8
Cert chain written to 9


  • Congratulations! Your certificate and chain have been saved at:
    Your cert will expire on 2018-06-28. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt:
    Donating to EFF:

This has generated 3 files


I presume the certificate has been issued correctly?

I then tried to use OpenSSL to convert the PEM key to PFX

openssl pkcs12 -export -out /mnt/c/temp/certificate2.pfx -inkey /home/wookie/0000_cert.pem -in /home/wookie/0000_chain.pem -certfile /home/wookie/0001_chain.pem

unable to load private key
140645832394392:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: ANY PRIVATE KEY

However, I can't get this to work with the 3 files created by Certbot. I just keep getting the "unable to load private key" error.

Any help greatly appreciated.

My web exchange server is Exchange 2016 running on Windows Server 2016

I can login to a root shell on my machine yes

I’m using a control panel to manage my site, yes, the Exchange Control Panel (ECP).


This is not correct.

You need to pass the private key that was used to generate the CSR that you passed to Certbot initially.

If you used a tool to generate the CSR, then you need to get the private key from that tool.


Great thanks all sorted now.


Can you please share what you did to get the Private key from the request made in the ECP?


I have figured it out.

Export the key in IIS.
Convert the key to PEM with OpenSSL.
Used the converted key for PFX generation with OpenSSL.
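The three steps above as an added shell example; it is not from this thread. It assumes the IIS export is a password-protected PFX, that the Certbot --csr run left 0000_cert.pem and 0000_chain.pem, and that openssl is on PATH; before building the PFX it checks that the file handed to -inkey really is a private key, which is the mistake behind the "unable to load private key" error earlier in the thread.

```shell
#!/bin/sh
# Example only (not from the thread). File names and passwords below are
# assumptions: iis_export.pfx is the key exported from IIS, 0000_cert.pem and
# 0000_chain.pem are what certbot --csr wrote.

# Step 1/2: pull the private key out of the IIS export and write it as PEM.
#   $1 = exported PFX, $2 = its password, $3 = output key PEM
extract_key() {
  openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" -out "$3"
}

# Guard: a PEM file is only usable for -inkey if it contains a PRIVATE KEY
# block. Passing a certificate (as in the failing command in the thread) gives
# "no start line ... Expecting: ANY PRIVATE KEY".
is_private_key() {
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Step 3: bundle key + leaf certificate + chain into the PFX Exchange imports.
#   $1 = key PEM, $2 = leaf cert PEM, $3 = chain PEM, $4 = output PFX,
#   $5 = export password for the PFX
build_pfx() {
  if ! is_private_key "$1"; then
    echo "refusing: $1 does not contain a private key" >&2
    return 1
  fi
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
    -out "$4" -passout "pass:$5"
}

# Usage: sh make_pfx.sh iis_export.pfx "$IIS_PASS" 0000_cert.pem 0000_chain.pem exchange.pfx "$PFX_PASS"
if [ "$#" -eq 6 ]; then
  extract_key "$1" "$2" key.pem && build_pfx key.pem "$3" "$4" "$5" "$6"
fi
```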


Sorry for the slow reply.
Do you have it working now?
If you need any help let me know.

Cheers Dave


Yes, I got it to work.

Cheers rveupen.

