danblee.com

Tutorials & Knowledge Base Articles for System Administrators who wear many, many hats.

A special Rpc error occurred. Cannot import certificate. A certificate with the thumbprint already exists.

by 2 Comments

Notes

This is an issue found in my working version of Exchange, which is Exchange 2013 CU 11. It may exist elsewhere, but this is all I’ve got to test with.

Problem

Using the Exchange Admin Center, you either tried to import a certificate or complete a certificate request. It may have done nothing on the first attempt, but it gave you this error on the second attempt.

cert-error

Description

What you’re seeing is that you have a cert that was successfully installed on the server the first time around, but the EAC can’t really see it because it’s missing a few things. Namely, you’ll need to tie a private key to the cert, something that completing this cannot do, and you’ll need to give it a friendly name. Both will need to be done before you can see it in the EAC and assign it roles.

Resolution

Resolution 1

Sometimes all you need to do is delete a rendition of the cert that really does exist with the same thumbprint. Most likely, though, you’ll need to use Resolution 2 to fix this problem. But here’s how to delete one.

  1. Log into the server with admin privileges.
  2. Run MMC.exe as an admin.
  3. File > Add\Remove Snap-In to add the Certificates Snap-In.
  4. Go to Certificates > Personal > Certificates.
  5. Double click each certificate and look for the one with the same thumbprint in the Details tab of the certificate.
  6. Delete the certificate.
  7. Try and add the certificate again.

Resolution 2

If you were unable to just delete the cert and try again, you’re going to have to make some changes after you import the certificate. The cert will need a private key and a friendly name.

  1. Follow the steps in Resolution 1 to get to the Certificates list using the MMC.
  2. Find your certificate that was imported but not working. It will most likely be the one with a little key on the icon and the Friendly Name will be <None>.
  3. Double Click the certificate, go to details, double click the Serial, and copy out the Serial.
  4. Open an elevated command prompt and enter the command certutil -repairstore my “your-serial-here” (use the quotes around your serial).
  5. Watch it go, and you’ll now have a little key next to your Certificate, signifying that a private key has been applied to your cert.
  6. Double click the cert and give it a friendly name.
  7. Go back to your EAC and you’ll find that it now has what it needs to show up.
  8. If you had pending request waiting to complete, you don’t need it any more. You completed it.
  9. Mover services over to the new Certificate with the friendly name you gave it and you’re done.

Screenshots

Here’s what running that command will look like in #4

command

And here’s where you can change the Friendly Name, which is required in order to see it properly in the EAC.

friendly-name