We use the site Certificates for Exchange to generate a multi-domain certificate. When we did the renewal, the new certificate wouldn’t install because it said PrivateKeyMissing.
So we tried to generate a new certificate request from the Exchange Management Console, but it only generated a .REQ file, not a .CER file. What to do?!
For any other confused occasional Exchange Administrators, here’s what we did.
The Exchange Management Console, however, won't generate a CER format request for you, so you have to do it from the shell.
To do this, after a bit of googling (from http://www.digicert.com/csr-creation-microsoft-exchange-2010.htm):
In the Exchange Shell:
New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=UK, l=London, s=London, o=COMPANY, cn=COMPANY" -DomainName exchangeserver.company.com, autodiscover.company.com, servername.company.local, autodiscover.company.local -PrivateKeyExportable:$true
[Replace company.com etc with your own requirements of course!]
This dumps the certificate request (a block of Base64 text) to the screen, which you can copy to the clipboard (right-click the shell window and select Mark, select the text, then hit Enter to copy).
Now you need to find your certificate in Certificates for Exchange and “Re-Key” it.
Paste in the request text you just copied (the CER), and re-download the CRT file.
Now, in the Exchange Management Console, refresh and you will see your new request listed. Right-click it, select “complete certificate request”, and the rest is easy.
By the way, if you get stuck in a loop of doom and can’t seem to delete a certificate using
Remove-ExchangeCertificate -Thumbprint BLABLABLA
because you get an error, then you can delete it by running mmc, adding the Certificates snap-in, and finding the certificate there (the SHA-1 hash shown in its details is the thumbprint).
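Here is the same renewal and the stuck-certificate cleanup as one script for the Exchange Management Shell. It is an added example, not code from the original post or from DigiCert, and it assumes placeholder hostnames, file paths under C:\certs and a placeholder thumbprint that you replace with your own; it also adds the checks (private key present, all SANs covered, not still bound to a service) that the manual steps above skip.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
# Hostnames, paths and the thumbprint are placeholders; replace them before use.

$reqPath = 'C:\certs\exchange-renewal.req'   # where the request (CSR) is saved
$crtPath = 'C:\certs\exchange-renewal.crt'   # the file the CA gives back
$subject = 'c=UK, l=London, s=London, o=COMPANY, cn=exchangeserver.company.com'
$sans    = 'exchangeserver.company.com', 'autodiscover.company.com',
           'servername.company.local', 'autodiscover.company.local'

# 1. Generate the request and save it to a file instead of copying it off the screen.
#    -PrivateKeyExportable keeps the key usable for later re-keying.
$csr = New-ExchangeCertificate -GenerateRequest -KeySize 2048 `
           -SubjectName $subject -DomainName $sans -PrivateKeyExportable:$true
Set-Content -Path $reqPath -Value $csr -Encoding ASCII

# 2. The pending request must already own a private key; if HasPrivateKey is False here,
#    completing the request later is what produces the PrivateKeyMissing error.
Get-ExchangeCertificate | Where-Object { $_.Status -eq 'PendingRequest' } |
    Format-Table Thumbprint, HasPrivateKey, CertificateDomains -AutoSize

# 3. After pasting $reqPath into the CA portal and downloading the .crt, complete the request.
$bytes = [Byte[]](Get-Content -Path $crtPath -Encoding Byte -ReadCount 0)
$cert  = Import-ExchangeCertificate -FileData $bytes

# 4. Verify before enabling: private key present and every name we asked for is covered.
if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key.' }
$covered = $cert.CertificateDomains | ForEach-Object { $_.ToString() }
$missing = $sans | Where-Object { $covered -notcontains $_ }
if ($missing) { throw "Certificate does not cover: $($missing -join ', ')" }
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP

# 5. Scripted equivalent of the mmc step for a certificate that Remove-ExchangeCertificate
#    refuses to delete: remove it from the machine's Personal store by thumbprint.
#    Refuse to touch a certificate that is still bound to an Exchange service.
$oldThumb = 'PLACEHOLDER_THUMBPRINT'
$old = Get-ExchangeCertificate -Thumbprint $oldThumb
if ($old.Services -ne 'None') { throw "Still enabled for $($old.Services); not removing." }
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadWrite')
$store.Certificates | Where-Object { $_.Thumbprint -eq $oldThumb } |
    ForEach-Object { $store.Remove($_) }
$store.Close()
```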