Installing Certificate on Exchange 2010 "Private Key Missing"

Hi Guys,
I’m trying to install a certificate on my Exchange 2010 server
The OS is Windows Small Business Server 2011 (which is basically like Windows Server 2008 R2 with extra stuff). I’m moving from the issuer StartCom as it appears they have had their trusted root certificate revoked.

I have been following This Article which goes into quite a bit of detail.

I have used Letsencrypt-win-simple to create and download my new certificate.

Following the above document when I get down to the step "Assign a certificate to all Exchange-related services:"
I get the following error message. “Private Key Missing”

[PS] C:\central_ssl>enable-ExchangeCertificate -Thumbprint 925E26926FEA0E1B7852535CF31CFE541274E1D4 -Services POP,IMAP,IIS,SMTP
The certificate with thumbprint 925E26926FEA0E1B7852535CF31CFE541274E1D4 was found but is not valid for use with Exchange Server (reason: PrivateKeyMissing).
+ CategoryInfo : NotSpecified: (:) [Enable-ExchangeCertificate], InvalidOperationException
+ FullyQualifiedErrorId : 78D6D46B,Microsoft.Exchange.Management.SystemConfigurationTasks.EnableExchangeCertificate

Some searching suggests I need to export the certificate and import it again. I first tried to do this with a script but ran into problems and thought I’m getting a bit far away from my actual goal.

When I look in the certificate manager I can see the certificate in the Certificates (Local Computer) -> Personal -> Certificates store, but the little gold key on the icon is missing, whereas the expiring certificate from my old provider has the gold key. If I try to export the certificate there is no option to include the private key (as you would expect).

I then tried creating a new certificate with “Lets Encrypt Win Simple” without the -SAN option, in the hope that only having a single domain name in my certificate would solve the problem. (Not)
I still see a new certificate in the certificate store without the little gold key on the icon.

Any ideas what I’m doing wrong?
David

Is letsencrypt-win-simple putting the certificate in the Windows certificate store for you or are you doing something to import it?

EDIT: I guess you followed the instructions. :upside_down_face:

Import-ExchangeCertificate -Server <Exchange2010> -FileData ([Byte[]]$(Get-Content -Path "C:\Central_SSL\webmail.domain.com.pfx" -Encoding byte -ReadCount 0))

If you find the file you are importing and double-click on it, does it say it has a private key?

The Article you followed shows:
The private/public keys will be stored here:
$env:userprofile\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org

Have you looked there?
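One way to answer "does the file actually have a private key?" without clicking through the wizard. This is an added example, not code from the thread or from letsencrypt-win-simple; the PFX path is a placeholder and the password is whatever PFXPassword held in letsencrypt.exe.config (an empty string if the value was blank). It loads the whole container, since a PFX written by the client may carry the leaf plus the issuer chain, and reports HasPrivateKey per certificate, which is the same property Exchange is checking when it says PrivateKeyMissing.

```powershell
# Added example (not from the thread): inspect a PFX before importing it into Exchange.
# Assumptions: $PfxPath is a placeholder; $PfxPassword must match PFXPassword in
# letsencrypt.exe.config ('' when the <value /> was left empty).
function Test-PfxPrivateKey {
    param(
        [Parameter(Mandatory = $true)][string]$PfxPath,
        [string]$PfxPassword = ''
    )

    # Load every certificate in the container; only the leaf should carry the key.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
    $coll  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $coll.Import($PfxPath, $PfxPassword, $flags)

    foreach ($cert in $coll) {
        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey   # $false on the leaf = PrivateKeyMissing in Exchange
        }
    }
}

# Usage: what is in the file, then what the Local Computer -> Personal store already holds
# (HasPrivateKey there corresponds to the gold key on the icon in the certificate manager).
Test-PfxPrivateKey -PfxPath 'C:\Central_SSL\webmail.domain.com.pfx' -PfxPassword '' |
    Format-Table Subject, NotAfter, HasPrivateKey, Thumbprint -AutoSize

Get-ChildItem Cert:\LocalMachine\My |
    Select-Object Subject, NotAfter, HasPrivateKey, Thumbprint |
    Format-Table -AutoSize
```

If the leaf in the file shows HasPrivateKey = True but the copy in the store shows False, the file is fine and the import is where the key was lost; if the file itself shows False, regenerating the PFX is the only fix.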

Hi Patches,
Yes I followed that step in the instructions. :slight_smile:
When I double-click the pfx file it runs the Windows Certificate Import Wizard.
The wizard asks me for a password, but I can’t see that I was asked to give it one in the generation process.

The top of the wizard says "To maintain security, the private key was protected with a password"
Looking in the Letsencrypt.exe.config file I see this setting

  <setting name="PFXPassword" serializeAs="String">
    <value />
  </setting>

So it would appear to me that a password is not set,
and that the private key is exportable:

  <setting name="PrivateKeyExportable" serializeAs="String">
    <value>True</value>
  </setting>

If I try anything except a blank password I get "The password you entered is incorrect".
If I leave the password blank and tick “Mark this key as exportable” and "Include all extended properties",
I get a success message but I can’t find the certificate anywhere in the certificate store.

So I’m not sure if the pfx file I generated is any good?

Thanks for your advice.
David

My apologies for the bad instructions. You have to right-click on the pfx file and hit Open, then double-click on the leaf certificate in the window that appears.

Hi rg305,
I missed that bit in the article. I guess I was failing at the step “Assign a certificate to all Exchange-related services:”, which is before I get to that bit about the public/private key.

When I look in that folder I see 18 files, grouped at 3 or so different times throughout the day, which was probably one group for each of my attempts. I’m not sure what I need to do with them now.
Some are .pem, some are .json, some are .der, and two files have no extension. I’m assuming it is going to be one of the 9 .pem files that I need, probably the newest ones.
They are named:
mydomainname.au-chain.pem
mydomainname.au-crt.pem
mydomainname.au-csr.pem
mydomainname.au-au-key.pem

There are no .pfx files in there.

So I’m still a bit stuck on what to do next.
Thanks
David

Hi Patches,
When I right-click there is no “Open” option, just "Open With".
The bold option is “Install PFX”, which is the same as double-click.

Perhaps that option is from a newer OS than mine?

David

OK I ran the LetsEncrypt.exe again and I think this is the critical output.

[INFO] Authorizing identifier campsie.vjray.com.au using http-01 challenge
[INFO] Answer should now be browsable at http://campsie.vjray.com.au/.well-known/acme-challenge/kf0KUQrAclkfrDI8rywx3gYD8Ww1tJpBB99D3cjy5Y4
[INFO] Authorization result: valid
[INFO] Requesting certificate: campsie.vjray.com.au
[INFO] Saving certificate to C:\Users\Administrator2\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\campsie.vjray.com.au-crt.der
[INFO] Saving issuer certificate to C:\Users\Administrator2\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\ca-0A0141420000015385736A0B85ECA708-crt.pem
[INFO] Saving certificate to c:\Central_SSL\campsie.vjray.com.au.pfx
[INFO] Updating new Central SSL Certificate
[WARN] Unable to configure server software.
[INFO] Adding renewal for [Manual] [1 binding - campsie.vjray.com.au @ %SystemDrive%\inetpub\wwwroot]

I think my problem is I don’t know how to import the certificate using the exchange commandlet when the pieces of the certificate are in different folders.

:frowning:

I would go ahead and go into the Exchange Management Console, go to Server Configuration, delete your old certificate with the missing key, and then try to import that pfx file with the graphical console instead.

I wanted to verify that it really had a key first, but it seems more likely that something went wrong importing it vs the pfx file being bad itself.

Hi Patches,
I tried to import the .pfx file in the Exchange 2010 GUI. Now the GUI requires a password.
I didn't specify a password anywhere in letsencrypt.exe, so I don't know what it might be.
I'm guessing it is blank, but the GUI won't accept a blank password.

I found an article here with a guy having similar problems.

Do you think I need to jump through those hoops as well or can I generate a new certificate with letsencrypt.exe and include a password?

David

It’s the PFXPassword option in letsencrypt.exe.config

OK I edited the letsencrypt.exe.config file and included a password in the PFXPassword setting I spotted earlier.
Generated another Certificate PFX file and this time I could import it using the Exchange GUI.
I had tried adding a password before but the Exchange Command line still wouldn’t import it.

It only has IMAP and POP services assigned to it at the moment but I have seen instructions somewhere to add IIS and SMTP services to it.
I think I may be over the hump now :smiley:

Added the other services in a snap. A few simple tests and it looks like my new certificate is in use.
So hopefully the automatic renew stuff will work in around 60 days.
Thanks for your assistance!
David

To specify a PFX password with PowerShell:

$PfxPassword = ConvertTo-SecureString "yourpassword" -AsPlainText -Force
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\certificates\import.pfx -Encoding byte -ReadCount 0)) -Password:$PfxPassword

Your certificate will automatically renew but won't be automatically imported into Exchange. If you can work out how to import it into PowerShell you can put that into an install script and fully automate the process:

compare (you can use type or more, or open with notepad/wordpad)
mydomainname.au-crt.pem
with
mydomainname.au-chain.pem
If the crt file doesn’t contain the chain file content and the chain file doesn’t contain the crt file content then combine them (crt + chain) and then:
create PFX file:
openssl pkcs12 -export -in FILE.FROM.ABOVE -inkey mydomainname.private.key.pem -out mydomainname.pfx

Word of caution: When using certs with IIS always import cert using IIS.
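The compare-and-combine step above, carried out in the Exchange server's own shell rather than by eye. This is an added example, not code from the thread: the file names are the ones David listed (placeholders for the real domain), openssl.exe is assumed to be on PATH, and the export password is a placeholder that has to match whatever Import-ExchangeCertificate is later given.

```powershell
# Added example (not from the thread): build the leaf+chain bundle and export a PFX.
# Assumptions: file names are placeholders; openssl.exe is on PATH; $PfxPassword is a placeholder.
function New-PfxFromPem {
    param(
        [Parameter(Mandatory = $true)][string]$CrtFile,     # mydomainname.au-crt.pem
        [Parameter(Mandatory = $true)][string]$ChainFile,   # mydomainname.au-chain.pem
        [Parameter(Mandatory = $true)][string]$KeyFile,     # the -key.pem file
        [Parameter(Mandatory = $true)][string]$OutPfx,      # mydomainname.pfx
        [string]$PfxPassword = 'YOURPASSWORD'               # placeholder
    )

    # ReadAllText works on PowerShell 2.0 (SBS 2011); Get-Content -Raw does not.
    $crt   = [System.IO.File]::ReadAllText($CrtFile).Trim()
    $chain = [System.IO.File]::ReadAllText($ChainFile).Trim()

    if ($crt.Contains($chain)) {
        $bundle = $CrtFile          # crt already carries the chain
    } elseif ($chain.Contains($crt)) {
        $bundle = $ChainFile        # chain already carries the leaf
    } else {
        # Neither contains the other: write leaf first, then issuer(s)
        $bundle = [System.IO.Path]::ChangeExtension($OutPfx, '.fullchain.pem')
        [System.IO.File]::WriteAllText($bundle, $crt + "`r`n" + $chain + "`r`n", [System.Text.Encoding]::ASCII)
    }

    # -passout avoids an interactive prompt, which matters when this runs from a scheduled task.
    # openssl pairs the key with the matching leaf and stores the remaining certs as the CA chain.
    & openssl pkcs12 -export -in $bundle -inkey $KeyFile -out $OutPfx -passout "pass:$PfxPassword"
    if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 failed with exit code $LASTEXITCODE" }
    return $OutPfx
}

# Usage (placeholder names as listed in the thread)
New-PfxFromPem -CrtFile 'mydomainname.au-crt.pem' -ChainFile 'mydomainname.au-chain.pem' `
               -KeyFile 'mydomainname.au-key.pem' -OutPfx 'mydomainname.pfx' -PfxPassword 'YOURPASSWORD'
```

The resulting file is what the earlier Import-ExchangeCertificate -FileData ... -Password command expects, and because it is built from the key file on disk it will always carry the private key.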

OK I think I have it sorted now.
I won’t really know until my certificate expires and the renew process runs end to end.
Just in case some other poor unfortunate comes along and wants to see my solution.

After following the instructions to create the certificate here are the commands to renew and install.

Task Scheduler Command
C:\LetsEncrypt\letsencrypt.exe
Additional Arguments
--renew --baseuri "https://acme-v01.api.letsencrypt.org/" --script C:\LetsEncrypt\InstallCertificate.cmd

InstallCertificate.cmd
powershell.exe -PSConsoleFile "C:\Program Files\Microsoft\Exchange Server\V14\Bin\ExShell.Psc1" -command ". 'c:\letsencrypt\InstallCertificate.ps1'"

PowerShell Script

$LogFile = "c:\LetsEncrypt\LetsEncrypt.log"
$startTime = Get-Date
Write-Output "InstallCertificate.ps1		BEGIN	  $startTime" | Out-File -Encoding ascii -Append -FilePath $LogFile

Write-Output "InstallCertificate.ps1		Stage 1:  Define Password" | Out-File -Encoding ascii -Append -FilePath $LogFile
# Must match the PFXPassword value in letsencrypt.exe.config
$PfxPassword = ConvertTo-SecureString "YOURPASSWORD" -AsPlainText -Force

Write-Output "InstallCertificate.ps1		Stage 2:  Import Certificate into Exchange" | Out-File -Encoding ascii -Append -FilePath $LogFile
try
{
	Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path C:\Central_SSL\campsie.vjray.com.au.pfx -Encoding byte -ReadCount 0)) -Password:$PfxPassword
	Write-Output "InstallCertificate.ps1		 		  Success" | Out-File -Encoding ascii -Append -FilePath $LogFile
}
catch
{
	# The ErrorRecord has no .Messages property; the text is in .Exception.Message
	Write-Output $_.Exception.Message | Out-File -Encoding ascii -Append -FilePath $LogFile
}

Write-Output "InstallCertificate.ps1		Stage 3:  Retrieve new certificate thumbprint" | Out-File -Encoding ascii -Append -FilePath $LogFile
# -DomainName also matches the previous, not-yet-expired certificate, so pick the
# newest one that actually has a private key instead of whatever comes first
$thumbprint = Get-ExchangeCertificate -DomainName campsie.vjray.com.au |
	Where-Object { $_.HasPrivateKey } |
	Sort-Object NotAfter -Descending |
	Select-Object -First 1 -ExpandProperty Thumbprint
Write-Output "InstallCertificate.ps1				  Thumbprint=$thumbprint" | Out-File -Encoding ascii -Append -FilePath $LogFile

Write-Output "InstallCertificate.ps1		Stage 4:  Modify Exchange Certificate Assigned Services" | Out-File -Encoding ascii -Append -FilePath $LogFile
try
{
	# -Force suppresses the "overwrite the default SMTP certificate?" prompt,
	# which would otherwise block an unattended scheduled run
	Enable-ExchangeCertificate -Thumbprint $thumbprint -Services POP,IMAP,IIS,SMTP -Force
	Write-Output "InstallCertificate.ps1		 		  Success" | Out-File -Encoding ascii -Append -FilePath $LogFile
}
catch
{
	Write-Output $_.Exception.Message | Out-File -Encoding ascii -Append -FilePath $LogFile
}

$endTime = Get-Date
Write-Output "InstallCertificate.ps1		END		  $endTime" | Out-File -Encoding ascii -Append -FilePath $LogFile
