RE: PrivateKeyNotAccessible (ES2K7)


Here's your process (ex. for CompanyA with OWA etc. at mail.example.com):

New-ExchangeCertificate -GenerateRequest `
  -SubjectName "C=CompanyA, O=CompanyA, CN=mail.example.com" `
  -DomainName mail.example.com, autodiscover.example.com, autodiscover.example.local, exchange.example.local, exchange `
  -FriendlyName "EXCHANGE - SERVICES CERT" -KeySize 1024 `
  -Path C:\exch_srvc_cert.txt -PrivateKeyExportable:$true

Now use the text located in exch_srvc_cert.txt to receive a certificate
(through a 3rd party or enterprise CA).

Then,

Import-ExchangeCertificate -Path c:\returned_cert.crt |
Enable-ExchangeCertificate -Services IIS


When you run the New-ExchangeCertificate command, a Certificate Signing
Request is generated and, in addition, the "private key" for the request is
automatically stored on the Exchange server. If you made any changes to the
certificates on your Exchange server after you executed the
New-ExchangeCertificate command and before you executed the
Import-ExchangeCertificate command, that could lead to the PrivateKey issue you
are seeing.

"CKone" wrote:

Josh

Thanks for your reply. I'm not sure what a "CSR" is? However,
Remove-ExchangeCertificate causes the same message as below. Running
Get-ExchangeCertificate | FL * now results in no certificates being returned.

D

"JoshP" wrote:

You are going to have to delete the existing key and regenerate a CSR on your
Exchange server. You will have to rekey your certificate (hopefully your
cert provider allows free rekeys). Your certificate store must have changed
after you created your CSR (i.e. New-ExchangeCertificate).

"CKone" wrote:

I'm experiencing an odd problem since I generated an Exchange certificate
(using New-ExchangeCertificate) for my internet domain (for which I was
getting Event messages). Although I appear to have resolved the initial
problem, it's created a whole new problem. Initially, it presented as:
---
SmtpReceive Event ID: 1037

Inbound direct trust certificate with thumbprint <hex no> has expired. Run
New-ExchangeCertificate to generate a new direct trust certificate.
---
I followed the instructions at
http://technet.microsoft.com/en-us/library/bb510126.aspx, sure enough, no
SMTP service in the Get-ExchangeCertificate list and granted the appropriate
permissions to Network Service on C:\Documents and Settings\All
Users\Application Data\Microsoft\Crypto\RSA\MachineKeys.

Now I get the following error when trying to add the SMTP service using
Enable-ExchangeCertificate:
---
[PS] C:\Documents and Settings\Administrator>Enable-ExchangeCertificate
-Thumbprint <HexNo> -Services:SMTP
WARNING: An unexpected error has occurred and a Watson dump is being
generated:
The certificate with thumbprint <HexNo> was found but is not valid for
usage with Exchange Server (reason: PrivateKeyNotAccessible).
Enable-ExchangeCertificate : The certificate with thumbprint <HexNo> was
found but is not valid for usage with Exchange Server (reason:
PrivateKeyNotAccessible).
At line:1 char:27
+ Enable-ExchangeCertificate <<<< -Thumbprint <hexNo> -Services:SMTP

Does anyone have any ideas? I've Googled the PrivateKeyNotAccessible key
word, and sure enough there is a single match, in the TechNet Russia forums,
which are currently throwing up a System Error when I try to access it...

Thanks in advance

D
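
A read-only check for the condition discussed in this thread, added here as an example and not part of the original posts: for each certificate in the LocalMachine\My store it reports whether a private key is linked, whether the key container file exists in the MachineKeys folder named above, and which accounts have rights on that file. The function name Get-CertKeyStatus and its status strings are chosen for this example; it assumes PowerShell 2.0 or later, an elevated session, and CSP-stored keys.

```powershell
# Added example: read-only check of private-key state for LocalMachine\My certificates.
# Assumes PowerShell 2.0 or later, an elevated session, and CSP-stored (non-CNG) keys.
# $KeyDir is the MachineKeys folder quoted in the thread; adjust it for other Windows versions.
$KeyDir = 'C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys'

function Get-CertKeyStatus {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$KeyDir
    )
    $status  = 'NoPrivateKey'   # certificate present, but no key is linked to it in this store
    $keyFile = $null
    $acl     = @()
    if ($Cert.HasPrivateKey) {
        try {
            # Opening the key throws if the container is gone or this account cannot read it.
            $container = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
            $keyFile   = Join-Path $KeyDir $container
            if (Test-Path $keyFile) {
                $status = 'KeyFilePresent'
                # List who can read the key file (the thread grants Network Service access here).
                $acl = (Get-Acl $keyFile).Access |
                    ForEach-Object { '{0}: {1}' -f $_.IdentityReference, $_.FileSystemRights }
            } else {
                $status = 'KeyFileMissing'
            }
        } catch {
            $status = 'KeyNotAccessible: ' + $_.Exception.Message
        }
    }
    New-Object PSObject -Property @{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        Status     = $status
        KeyFile    = $keyFile
        Acl        = $acl
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Get-CertKeyStatus -Cert $_ -KeyDir $KeyDir } |
    Format-List Thumbprint, Subject, Status, KeyFile, Acl
```

A certificate that reports NoPrivateKey or KeyFileMissing matches the situation described in the replies, where the key created by New-ExchangeCertificate is no longer paired with the imported certificate.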