I've been given the task to update the certificate used by the Hybrid Exchange connection between a CRM 2016 on-prem environment and Exchange Online.

I successfully updated the certificate used by IFD and that is working fine.

I've been following the guide: Connect Dynamics 365 (on-premises) to Exchange Online | Microsoft Docs

I am using a CA SSL certificate (wildcard certificate)

I've had MS on a call to try and fix it, they suggested I use a different certificate to the one I used for IFD, so I got a new one issued but I still get an error.

However, I get an error following the PowerShell command:

$CertificateScriptWithCommand = ".\CertificateReconfiguration.ps1 -certificateFile c:\Personalcertfile.pfx -password personal_certfile_password -updateCrm -certificateType S2STokenIssuer -serviceAccount contoso\administrator -storeFindType FindBySubjectDistinguishedName"

Invoke-Expression -command $CertificateScriptWithCommand

I get the error after the command on line 3:

PS C:\Program Files\Microsoft Dynamics CRM\tools> Invoke-Expression -command $CertificateScriptWithCommand
[08/03/2021 18:24:13]  Certificate private key is not found.

MS did give me some ideas to try:

1. A possible reason would be if the password for the private key is wrong. So, please assure that the password is correct.
2. This issue can occur, as well, when there are two self-signed certificates located in the local certificate store that have the same subject name. Notice that this issue should only occur when you use a self-signed certificate. Self-signed certificates should not be used in production environments. To resolve this issue, remove the certificates with the same subject name that you don't need using the Certificate Manager MMC snap-in and note the following.
3. Another reason can be because of an unsupported template of the certificate. If we have a look into the CertificateReconfiguration.ps1, we will be able to see that we can get the error: "Certificate private key is not found", if the $script:privKeyCertFile will be equal to null.
            # Look for the on-disk key container of a legacy (CSP) RSA key under MachineKeys;
            # a CNG key, or a key stored in a user profile, has no file here, so the lookup returns $null.
            $script:privKeyCertFile = Get-Item -path "$ENV:ProgramData\Microsoft\Crypto\RSA\MachineKeys\*" | where {$_.Name -eq $sslCertPrivKey.CspKeyContainerInfo.UniqueKeyContainerName}
            if ($script:privKeyCertFile -eq $Null)
            {
                LogError "Certificate private key is not found."
                Exit
            }
4. One potential reason for this is if the template of the certificate is not a legacy one, but instead it is a CNG, as the CNG certificates are not supported.
Option 1: I've double checked the password loads of times. Option 2: I'm not using a self-signed certificate. Options 3 & 4: I'm not sure of, since the same certificate worked for IFD.
Has anyone got any ideas?
Many thanks!
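The following diagnostic is an added example, not part of the original post and not part of Microsoft's CertificateReconfiguration.ps1. It reproduces the two checks that matter for the error above: whether the certificate found by subject DN in LocalMachine\My carries a legacy CSP key whose container file exists under RSA\MachineKeys (the exact lookup the script performs), or whether it is a CNG key (which the script cannot see). It also flags when more than one certificate shares the subject DN, which makes FindBySubjectDistinguishedName ambiguous. The subject DN is a placeholder to replace; it assumes Windows PowerShell 5.1 run elevated on the CRM server.

```powershell
# Added diagnostic (not from the original post or CertificateReconfiguration.ps1).
# Assumes Windows PowerShell 5.1, an elevated session on the CRM server, and that the
# PFX has already been imported into LocalMachine\My. $SubjectDN is a placeholder.
param(
    [string]$SubjectDN = "CN=*.contoso.com, O=Contoso, C=US"   # placeholder subject DN
)

$found = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $SubjectDN })

if ($found.Count -eq 0) {
    Write-Warning "No certificate in LocalMachine\My has subject '$SubjectDN'."
    return
}
if ($found.Count -gt 1) {
    # Two certificates with one subject DN (e.g. the IFD cert plus the new one)
    # make -storeFindType FindBySubjectDistinguishedName pick an arbitrary match.
    Write-Warning "$($found.Count) certificates share this subject DN; the script will use one of them."
}

foreach ($cert in $found) {
    Write-Host "Thumbprint    : $($cert.Thumbprint)"
    Write-Host "NotAfter      : $($cert.NotAfter)"
    Write-Host "HasPrivateKey : $($cert.HasPrivateKey)"

    if (-not $cert.HasPrivateKey) {
        Write-Host "  -> no private key is associated; the PFX was imported without its key."
        continue
    }

    # Legacy CSP keys surface as RSACryptoServiceProvider via .PrivateKey.
    # For CNG keys this getter returns $null or throws on .NET Framework, so treat
    # either outcome as "not a CSP key" and fall through to the CNG-aware API.
    $cspKey = $null
    try { $cspKey = $cert.PrivateKey } catch { $cspKey = $null }

    if ($cspKey -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $container = $cspKey.CspKeyContainerInfo
        Write-Host "  Key type    : legacy CSP ($($container.ProviderName))"
        Write-Host "  Container   : $($container.UniqueKeyContainerName)"

        # Same lookup CertificateReconfiguration.ps1 performs.
        $keyDir  = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys"
        $keyFile = Join-Path $keyDir $container.UniqueKeyContainerName
        if (Test-Path $keyFile) {
            Write-Host "  Key file    : present ($keyFile)"
        } else {
            Write-Host "  Key file    : MISSING under $keyDir"
            Write-Host "  -> this is what makes the script log 'Certificate private key is not found'"
            Write-Host "     (a key stored in a user profile rather than the machine key set is a common cause)."
        }
    } else {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            Write-Host "  Key type    : CNG ($($rsa.Key.Provider.Provider))"
            Write-Host "  -> CNG keys have no file under RSA\MachineKeys, so the script reports the key as not found."
        } elseif ($null -eq $rsa) {
            Write-Host "  Key type    : unreadable; check that the session is elevated and the service account has key access."
        } else {
            Write-Host "  Key type    : $($rsa.GetType().FullName)"
        }
    }
}
```

Run it as `.\Check-S2SCertKey.ps1 -SubjectDN "<your subject DN>"` with the same DN you hand to CertificateReconfiguration.ps1. A "legacy CSP" result with the key file present means the key itself is not the problem and the password or duplicate-subject path deserves another look; a "CNG" result matches reason 4 in the list above. A commonly used way to get a legacy CSP key from the same PFX is to re-import it with certutil and an explicit provider, for example `certutil -csp "Microsoft Enhanced RSA and AES Cryptographic Provider" -importPFX .\Personalcertfile.pfx` (stated here as general Windows usage, not something the post confirms for this environment).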