Certificates are a part of Exchange and OCS/Lync, there is no getting away from them. Because of this, I have seen numerous issues not only around the names in a certificate (another future post), but also with provisioning certificates.

Exchange and OCS/Lync are programmed to not allow the use of invalid certificates. The two top reasons that I see invalid certificates have to do with:

  • Missing private key
  • Certificate Chain issues

Missing Private Key

There are several reasons that a certificate can have a missing private key. These include, but are not limited to:

  • Did not complete the pending certificate request from the originating server
  • Import a .cer or .crt file into the certificate store
  • Export a certificate without including the private key and then import on a different server

So now that we have a certificate without the private key, what do we do now? Well, you can either reissue the certificate and work with your CA to get a new certificate or we can try to repair the certificate’s private key. The later is the path of least resistance. So let’s look at that process.

By opening the troubled certificate in the Certificates MMC Snap-in, we can see that the certificate does not have the private key.

Cert - no PK - markup

To repair the key, we will need to get the certificate’s Serial Number. We can do that from the Details Tab of the certificate.

Cert - Serail num

Now we will open a command prompt and run the following command:

certutil –repairstore my “SerialNumber”

Cert - CMD Repairstore

After running the command and refreshing the Certificates MMC Snap-in, we can reopen the troubled certificate and see that it now has a valid private key:

Cert - with PK - markup

Now the certificate will be available to select in Exchange or OCS/Lync to utilize.

If this process does not work, then you will have to reissue your certificate and request a new certificate from your CA.

Certificate Chain Issue

The other main issue with invalid certificates have to do with getting the Certificate Chain installed appropriately. Most certificate chain issues can be viewed from the Certificate Path tab of the certificate properties. CA’s usually have detailed instructions and downloads of the chains. I suggest you work with the CA to install the certificate chain properly as they are all different and have different requirements.

Digicert has a great web-based utility to test and uncover certificate chain related issues. Navigate to:


I hope this helps! I know this has saved me quite a bit of time over the years.