While trying to import a 3rd-party SSL certificate into Exchange I received the following error.

This was odd because it was my first time running through the import process on this server. Puzzled, I refreshed the Exchange Admin Center. As expected, no new certificates showed up, just the default out-of-the-box certificates that come preinstalled with Exchange.

As a sanity check, I confirmed with PowerShell.
C:\> Get-ExchangeCertificate

Thumbprint                                Services   Subject
----------                                --------   -------
87957CA95B833615C71F7735853CE811F96E6117  IP.WS..    CN=EX16-02
40B938448B42F1D596E9DBB0EC666D8666725E07  .......    CN=WMSvc-EX16-02
1C6E03C3BDCBFD76FAA1375B7D2B4ED1291A0FCF  ....S..    CN=Microsoft Exchange Server Auth Certificate

But, as expected, 559642FCD3DD4769D79A457D11875AF9E6E49F3C was not returned.
I then decided to check the Certificates MMC. I fired up MMC and added the Certificates snap-in using Computer Account >> Local Computer. Then I checked Personal >> Certificates. To my surprise, I saw my certificate, and the thumbprint matched.

This was odd. It had somehow made it into the MMC, but Exchange couldn’t see it. Even odder, it was missing its private key.
How to fix “A certificate with the thumbprint already exists”
From within the Certificates MMC, right-click the certificate and select Delete from the context menu. Click Yes to confirm.

Verify the certificate has been removed from the Certificates MMC. Now repeat your import process through either the Exchange Admin Center or PowerShell. This time it should complete successfully.
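
The check-then-delete steps above can also be scripted. This is an added example, not code from the original post; the function names Get-CertImportState and Remove-KeylessCert are hypothetical, and it assumes an elevated Exchange Management Shell on the affected server.

```powershell
# Added example, not from the original post. Function names are hypothetical.
function Get-CertImportState {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # Thumbprints copied from error dialogs often carry spaces or hidden characters.
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($tp.Length -ne 40) { throw "Expected a 40-character SHA-1 thumbprint, got $($tp.Length)." }

    # Same location as Local Computer >> Personal >> Certificates in the MMC snap-in.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $tp }

    # Get-ExchangeCertificate only exists in the Exchange Management Shell.
    $exch = $null
    if (Get-Command Get-ExchangeCertificate -ErrorAction SilentlyContinue) {
        $exch = Get-ExchangeCertificate | Where-Object { $_.Thumbprint -eq $tp }
    }

    [pscustomobject]@{
        Thumbprint        = $tp
        InMachineStore    = [bool]$cert
        HasPrivateKey     = [bool]($cert -and $cert.HasPrivateKey)
        FriendlyName      = if ($cert) { $cert.FriendlyName } else { $null }
        VisibleToExchange = [bool]$exch
    }
}

function Remove-KeylessCert {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Thumbprint)

    $state = Get-CertImportState -Thumbprint $Thumbprint
    # Only delete the case described in the post: present in the store, no private key.
    if (-not $state.InMachineStore) { Write-Warning 'Not in LocalMachine\My; nothing to delete.'; return }
    if ($state.HasPrivateKey)       { Write-Warning 'Certificate has a private key; refusing to delete.'; return }

    $path = "Cert:\LocalMachine\My\$($state.Thumbprint)"
    if ($PSCmdlet.ShouldProcess($path, 'Remove key-less certificate')) {
        Remove-Item -Path $path
    }
}

# Thumbprint from the post; preview with -WhatIf first, then rerun without it.
Get-CertImportState -Thumbprint '559642FCD3DD4769D79A457D11875AF9E6E49F3C'
Remove-KeylessCert  -Thumbprint '559642FCD3DD4769D79A457D11875AF9E6E49F3C' -WhatIf
```

The refusal to delete a certificate that still has a private key is deliberate: removing that entry can destroy the only copy of the key if it was never exported.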

I am curious if anyone else has run into this issue. Drop a comment and let me know. Did you use a similar fix?
Thank you for this article and all comments. I had the same issue but resolved it with importing cer through ECP with .PFX along with password. This method worked.
Tried importing .cer but it would not take it and I assume possibly because of missing Friendly Name.
Hi Gladki,
I believe it’s because the CER file does not contain the private key. Only the PFX.
Thanks, this worked perfectly for me.
Thanks for the tip! Indeed remove from mmc and add certificate by EMS. But also add a Friendly name to the certificate. Otherwise it did not show in EMS.
Cheers,
Steven
your solution worked for me… thnx!
I see the same error message when I renewed my Exchange 2016 cert. Intermediates installed ok. But trying to import the ssl is a vicious cycle that always leads back to this thumbprint message. Stumped, and may have to call tech help. Would adding the renewal cert as a new one be a quicker solution?
I encountered this issue as well. The certificate seems to have imported to the certificate store but not updated in Exchange. The solution worked for me as well.
Had this issue too. Thanks for the post. I’m pretty sure another Sys Admin here had double-clicked the certificate and that’s what installed it in the Personal certificates on the local computer. After deleting, it imported with no issues. Thanks for the post!
For us we had the same problem, we completed the CSR using the return from GlobalSign and it succeeded but didn’t change its status. A repeat gave us the “This thumbprint already in use” error.
The solution here was that we viewed the properties of the imported certificate from within MMC and gave it a friendly name, now we have a duplicate in Exchange view, one is valid and the other is still pending.
I assigned IIS to the certificate and the webmail is now using this.
Happy dayz
These instructions didn’t work for me, but the following did:
1. Try to complete the pending request again and it’ll say the thumbprint already exists.
2. CTRL-C copy the error message to clipboard, paste into notepad, then recopy the thumbprint ID.
3. Open a command prompt as administrator and run:
certutil -repairstore My "paste your thumbprint in here"
It successfully completed the repair. A refresh of the EMC showed the cert as valid.
This worked for me. Thank you!
This worked for me. The new cert and old cert had the same private key causing this issue.
This helped me as well!
Had to do some weird delete/readding. I think renaming the friendly name in MMC before running the utility made this work.
I had the same issue but I’m trying to figure out how the cert was in the store in the first place. Either way, if you import the exported .pfx with the private key it works first time. If you import the .cer without the key, you will get exactly what you wrote about.
Very good. The problem is fixed.
Also, I had the same problem; it was really strange.
Thank you for showing me the point.
We are running into the same issue. It seems in my case the import cert from the EMC finishes but doesn’t show. When you look in the MMC you see the certificate there without a friendly name. I edited the friendly name on a working cert and it reflected in the EMC. I exported the cert from a working server (from the mmc) and imported via EMC and this resolved my issue.
I wonder if the missing friendly name is causing the issue?
Thanks! This worked for me.
I verified the certificate by thumbprint before deleting it from mmc.
This worked for me. Thanks
Hi, I am sailing in the same boat. I have deleted the certificate from MMC & tried to import the same, but no charm.
Hmm. Deleting from MMC worked for me. And you confirmed the one you deleted in the MMC had the same thumbprint? I wonder if there are other instances of it in your MMC.
Good and useful article Gareth, thanks for sharing. I too ran into it. If the cert does not have a private key then it doesn’t show as available to assign it to services in Exchange, but it *does* show in the Certificates MMC. Removing it in the Certificates MMC and importing it with the private key via EMS fixes it.
Glad you like it Zoltan! Good info to know on the private key. Thanks!
The only oddity is how that certificate got on the server without a private key in the first place.
@zolton : I too have run into the same issue, but am not able to understand what you mean by “importing it with the private key via EMS fixes it.” Can you please make it clear? Actually, I am new to Exchange Server and it is also my first time playing with cert files.
Currently my status is that when I import the cert file domain.cer, it’s not showing in Exchange server’s certs, but the same is showing in MMC under personal certs. I am able to remove it, but how should I import now? Which format of file should be imported? I have tried with .p7b but it’s asking for a password. Advice please.
Followed: https://www.godaddy.com/help/exchange-server-2013-install-a-certificate-4774
— Able to Import Intermediate Certificate without error
— Installed the proper Exchange SSL Certificate, but it did not list when Completed. I did not specify a Private Key either.
— Installing SSL cert again errored that the Thumbprint of the Cert is already installed.
— Used MMC and able to Delete Certificate from Personal store
— Exported SSL Certificate from original Exchange Server (same OS), Added a Password to the Certificate, and exported successfully to UNC Path
— Import Exchange Certificate, Selected the newly created Certificate file from above export, used Password set above after UNC path, Import was successful, and now able to view SSL Certificate from ECP
Thanks for the quick fix!
Thanks for the info. This resolved my issue for the other two mailbox servers in my DAG. Once the cert imported I had to check IIS and SMTP, then it prompted to overwrite SMTP. I then deleted the expiring cert.
Jitnisha,
Sorry for the late reply. The point is that your cert must also include the private key in order to be usable by Exchange. If you import a cert that doesn’t have the private key then you end up with what you see.
It looks like you generated the cert request on another computer, you imported the cert, then you exported it in order to transfer it to Exchange (that’s what I understand from your description). Well, in order to make it work with Exchange, you must:
1. Mark the private key as “exportable” when you generate the cert request
and
2. You must export the cert with the private key when you’re transferring it to Exchange.
Give it a try and you’ll see it works.
Another option is to generate the cert on the Exchange server itself. CAVEAT: use the -PrivateKeyExportable parameter with the New-ExchangeCertificate command, otherwise you can’t transfer the cert to other Exchange servers that you may want to add later to your infrastructure.
Cheers,
Zoltan