PrivateKeyNotAccessible (ES2K7)
CKone
(using New-ExchangeCertificate) for my internet domain (for which I was
getting Event messages). Although I appear to have resolved the initial
problem, it's created a whole new problem. Initially, it presented as:
---
SmtpReceive Event ID: 1037
Inbound direct trust certificate with thumbprint <hex no> has expired. Run
New-ExchangeCertificate to generate a new direct trust certificate.
---
I followed the instructions at
http://technet.microsoft.com/en-us/library/bb510126.aspx, sure enough, no
SMTP service in the Get-ExchangeCertificate list and granted the appropriate
permissions to Network Service on C:\Documents and Settings\All
Users\Application Data\Microsoft\Crypto\RSA\MachineKeys.
Now I get the following error when trying to add the SMTP service using
Enable-ExchangeCertificate:
---
[PS] C:\Documents and Settings\Administrator>Enable-ExchangeCertificate
-Thumbprint <HexNo> -Services:SMTP
WARNING: An unexpected error has occurred and a Watson dump is being
generated:
The certificate with thumbprint <HexNo> was found but is not valid for
usage with Exchange Server (reason: PrivateKeyNotAccessible).
Enable-ExchangeCertificate : The certificate with thumbprint <HexNo> was
found but is not valid for usage with Exchange Server (reason:
PrivateKeyNotAccessible).
At line:1 char:27
+ Enable-ExchangeCertificate <<<< -Thumbprint <hexNo> -Services:SMTP
Does anyone have any ideas? I've Googled the PrivateKeyNotAccessible key
word, and sure enough there is a single match, in the TechNet Russia forums,
which are currently throwing up a System Error when I try to access it...
Thanks in advance
D
JoshP
Exchange server. You will have to rekey your certificate (hopefully your
cert provider allows free rekeys). Your cerfiticate store must have changed
after your created your CSR (i.e. New-ExchangeCertificate).
CKone
Thanks for your reply. I'm not sure what a "CSR" is? However,
Remove-ExchangeCertificate causes the same message as below. Running
Get-ExchangeCertificate | FL * now results in no certificates being returned.
D
JoshP
New-ExchangeCertificate -GenerateRequest -SubjectName "C=ComapanyA,
O=CompanyA, CN=mail.example.com" -DomainName mail.example.com,
autodiscover.example.com, autodiscover.example.local, exchange.example.local,
exchange -FriendlyName "EXCHANGE - SERVICES CERT" -KeySize 1024 -Path
C:\exch_srvc_cert.txt -PrivateKeyExportable:$true
Now use the text located in exch_srvc_cert.txt to recieve a certificate
(through a 3rd party or enterprise CA).
Then,
Import-ExchangeCertificate -Path c:\returned_cert.crt |
Enable-ExchangeCertificate -Services IIS
When you run the New-ExchangeCertificate command, a Certificate Signing
Request is generated in addition to the "private key" for the request is
automatically stored on the exchange server. If you made any changes to the
certificates on your exchange server after you executed the
New-ExchangeCertificate command and before you executed the
Import-ExchangeCertificate command--could lead to the PrivateKey issue you
are seeing.
CKone
Will that solve the problem of the "bad" certificate currently in the
certificate store?
D
JoshP
certificate assigned.
CKone
The following gives the error:
New-ExchangeCertificate : Cannot overwrite the output file
C:\certs\exch_srvc_cert.txt. It may be only readonly.
At line:1 char:24
(I granted everyone Full Control on the c:\certs folder to ensure there
wasn't a permissions problem).
Any ideas?
D
JoshP
c:\documents and settings\all users\application
data\microsoft\crypto\rsa\machinekeys
go to security, select advanced, select the administrators group (which
should already have full access) and change the setting from "this folder
only" to "this folder, subfolders and files".
WorkingHard
"CKone" <CK...@discussions.microsoft.com> wrote in message
news:41CC3335-AA10-4CB8...@microsoft.com...