Solution ID : SO22037

Last Modified : 05/02/2018

How to restore a pending request in Microsoft IIS if it was deleted or not found?

Solution

When installing an SSL certificate, the following error may appear in the IIS Certificate Wizard:

The pending certificate request for this response file was not found.

This error indicates that the pending request that was created when originally enrolling or renewing a certificate has been damaged or deleted.

It may still be possible to install the certificate from the command line using certutil.exe.

The following instructions apply to Windows Server 2003 (IIS 6.0), 2008 (IIS 7.0), 2008 R2 (IIS 7.5) and 2012 (IIS 8.0):

  1. Download the SSL certificate from the Managed PKI for SSL account in X.509 format (see solution for details) to a folder. Name the file sslcert.cer.
  2. Download the correct Intermediate CA certificates for the SSL certificate (available from this article) to the same folder. Call the files primarycacert.cer and secondarycacert.cer.
  3. Open a command prompt (click Start, point to Run, type cmd and then click OK).
  4. Navigate to the folder used in steps 1 and 2, then run the following three commands:

    certutil -addstore my sslcert.cer

    certutil -addstore ca primarycacert.cer

    certutil -addstore ca secondarycacert.cer


    All of the commands should complete successfully with the following message: CertUtil: -addstore command completed successfully.
  5. Open a Windows Explorer window, navigate to the folder from steps 1 and 2, double-click the file sslcert.cer.
  6. On the certificate information window that opens, select the Details tab, scroll down and select the Thumbprint field from the list.
  7. The Thumbprint will appear in the box below; select the thumbprint and copy to clipboard (click anywhere in the box, then press Ctrl+A followed by Ctrl+C on the keyboard).


     
  8. Return to the command prompt window and run the following command - paste in the thumbprint as indicated:

    certutil -repairstore my "<thumbprint>"

    The command should look similar to:

    certutil -repairstore my "00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f"

    If the command completes successfully, the following message will appear:

    CertUtil: -repairstore command completed successfully.

    If the command fails, continue from Step 11.
     
  9. The certificate is now installed on the server and needs to be assigned in IIS.
  10. Depending on the server platform version, refer to one of the following instructions to assign the certificate in IIS:
     
    • Windows Server 2003 (IIS 6), please see this solution - refer to the "Step 1: Installing SSL Certificate into IIS 6.0" section for details.
    • Windows Server 2008 / R2 (IIS 7.x), please see this solution - refer to the "Step 1: Prepare the server" section, then go to "Step 3: Binding certificate to the web site" for details.
    • Windows Server 2012 (IIS 8.0), please see this solution - refer to the "Step 2: Prepare the server" section, then go to "Step 4: Binding certificate to the web site" for details.
                                            
  11. If the repairstore command from step 8 fails, one of the following appears instead:

    CertUtil: -repairstore command FAILED: 0x80090011 (-2146893807)
    CertUtil: Object was not found.


    CertUtil: -repairstore command FAILED: 0x8009000b (-2146893811)
    CertUtil: Key does not exist.


    This means that the request has been damaged beyond repair or deleted completely and the certificate cannot be installed.
    Instead, the certificate needs to be revoked and replaced (generate a new CSR, request a replacement online and install
    the resulting new certificate into IIS), following instructions from solution
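
Steps 5 to 8 can also be scripted, with a check that the repaired certificate is linked to a private key before moving on to the IIS binding. The script below is an added example, not part of the original solution; it assumes PowerShell is available on the server, an elevated prompt, and the current folder and sslcert.cer file name from step 1.

```powershell
# Added example: read the thumbprint from sslcert.cer, run the repair from
# step 8, then confirm the store copy is linked to a private key.
# Assumptions: elevated PowerShell prompt, current folder is the one from
# steps 1 and 2, and the certificate file is named sslcert.cer (step 1).
$cerPath = Join-Path (Get-Location).Path 'sslcert.cer'

# Steps 5-7 without the GUI: load the file and read its thumbprint directly,
# which avoids hand-copying the value from the Details tab.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerPath
$thumb = $cert.Thumbprint    # hex string without spaces
Write-Host "Subject   : $($cert.Subject)"
Write-Host "Thumbprint: $thumb"
Write-Host "Expires   : $($cert.NotAfter)"

# The certificate must already be in the machine "my" store (step 4).
$inStore = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
if (-not $inStore) {
    throw "Certificate not found in LocalMachine\My; run 'certutil -addstore my sslcert.cer' first."
}

# Step 8: ask certutil to re-associate the certificate with its private key.
& certutil.exe -repairstore my $thumb
$repairExit = $LASTEXITCODE

# Re-read the store entry; IIS can only bind a certificate that has a private key.
$inStore = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
if ($repairExit -eq 0 -and $inStore.HasPrivateKey) {
    Write-Host "Private key is linked; continue with step 9."
} else {
    Write-Warning "No private key linked (certutil exit code $repairExit); continue from step 11."
}
```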