Monday, December 6, 2010

Repairing an Invalid Certificate (for Exchange or Lync/OCS)

Certificates are a part of Exchange and OCS/Lync, there is no getting away from them.  Because of this, I have seen numerous issues not only around the names in a certificate (another future post), but also with provisioning certificates. 

Exchange and OCS/Lync are programmed to not allow the use of invalid certificates.  The two top reasons that I see invalid certificates have to do with:

  • Missing private key
  • Certificate Chain issues

Missing Private Key

There are several reasons that a certificate can have a missing private key.  These include, but are not limited to:

  • Did not complete the pending certificate request from the originating server
  • Import a .cer or .crt file into the certificate store
  • Export a certificate without including the private key and then import on a different server

So now that we have a certificate without the private key, what do we do now?  Well, you can either reissue the certificate and work with your CA to get a new certificate or we can try to repair the certificate’s private key.  The later is the path of least resistance.  So let’s look at that process.

By opening the troubled certificate in the Certificates MMC Snap-in, we can see that the certificate does not have the private key.

Cert - no PK - markup

To repair the key, we will need to get the certificate’s Serial Number.  We can do that from the Details Tab of the certificate.

Cert - Serail num

Now we will open a command prompt and run the following command:

certutil –repairstore my “SerialNumber”

Cert - CMD Repairstore

After running the command and refreshing the Certificates MMC Snap-in, we can reopen the troubled certificate and see that it now has a valid private key:

Cert - with PK - markup

Now the certificate will be available to select in Exchange or OCS/Lync to utilize.

If this process does not work, then you will have to reissue your certificate and request a new certificate from your CA.

Certificate Chain Issue

The other main issue with invalid certificates have to do with getting the Certificate Chain installed appropriately.  Most certificate chain issues can be viewed from the Certificate Path tab of the certificate properties.  CA’s usually have detailed instructions and downloads of the chains.  I suggest you work with the CA to install the certificate chain properly as they are all different and have different requirements.

Digicert has a great web-based utility to test and uncover certificate chain related issues.  Navigate to:

http://www.digicert.com/help

I hope this helps!  I know this has saved me quite a bit of time over the years.

37 comments:

  1. Replies
    1. Great Article Cloud Computing Projects

      Networking Projects

      Final Year Projects for CSE

      JavaScript Training in Chennai

      JavaScript Training in Chennai

      The Angular Training covers a wide range of topics including Components, Angular Directives, Angular Services, Pipes, security fundamentals, Routing, and Angular programmability. The new Angular TRaining will lay the foundation you need to specialise in Single Page Application developer. Angular Training

      Delete
  2. I always thought that error of invalid certificates occur due to wrong certificate or missing certificate i never knew about Certificate Chain issues.

    ReplyDelete
  3. Great.
    Thanks !

    ReplyDelete
  4. Cheap Wildcard SSL - Cheap SSL certificates (including wildcard and multi-domain (SAN) SSL certificates) from Comodo, GeoTrust, Thawte and Symantec (VeriSign)

    ReplyDelete
  5. You just made something that I thought was so difficult be, truly, so easy! Thanks for the post!

    ReplyDelete
  6. I read above post and like it. Really, this is best information for those person suffering certificate problem.

    Thanks

    Digital Signature Certificate

    ReplyDelete
  7. Thank you for providing the valuable information to us.
    Digital signature

    ReplyDelete
  8. See InterSSL for SSL certificates, e.g. PositiveSSL wildcard, RapidSSL, etc.

    ReplyDelete
  9. Thank you for providing the valuable information to us. nice post can we use digital signature for income tax password unlock

    ReplyDelete
  10. Mukapoker memberikan Deposit IDN Poker termurah melalui beberapa bank lokal di Indonesia. Kunjungi situs resmi kami sekarang juga dan dapatkan juga bonus jutaan rupiah setiap harinya saat telah menjadi member kami.

    https://standresjournals.org
    http://acccsports.org
    http://stevejordan.net
    http://yaltachekhov.org
    http://humanf.org

    ReplyDelete
  11. This comment has been removed by the author.

    ReplyDelete
  12. Nice article
    Thanks for sharing us
    Please support us
    201 Know about cities locations map timezone

    ReplyDelete
  13. Dapatkan ID Sbobet serta link alternatif taruhan judi bola online sekarang juga dan dapatkan pula bonus jutaan rupiah setiap harinya saat telah menjadi anggota member Sukaslot.

    ReplyDelete
  14. WOW! I Love it...
    and i thing thats good for you >>


    MOVIE Trailer Thank you!

    ReplyDelete
  15. Fantastic blog, You have performed an impressive job and our entire group might be thankful to you.

    Here My HomePage : BC Wrestling ,Judi Euro 2020, Cara Main Joker123

    ReplyDelete
  16. Superb and really very good informative post. Contact for Digital Signature Certificate in Delhi at lowest price.

    ReplyDelete