
How to restore a private key in IIS 7.0

Problem

When installing an SSL certificate using Microsoft IIS 7.0 Manager, the following error message may occur:

"Cannot find the certificate request that is associated with this certificate file."

Cause

This error indicates that the pending request that was created when originally enrolling or renewing a certificate has been damaged or deleted. It may still be possible to install the certificate from the command line using certutil.exe. The following instructions apply to Windows Server 2008 (IIS 7.0):

Solution

First, download the correct Intermediate CA certificates for the SSL certificate here: AR1548

Import SSL certificate into the Personal > Certificates folder:

  1. Create a Certificates snap-in in an MMC console, per KB solution SO14292
  2. From the top left-hand pane, expand the Certificates tree, expand the Personal folder
  3. Right-click the Certificates sub folder and select All Tasks > Import
  4. The Certificate Import Wizard opens. Click Next
  5. Click Browse and then navigate to the SSL certificate file.
  6. Click Open > Next
  7. Ensure "Place all certificates in the following store" is selected, and that "Personal" is listed for the certificate store.
  8. Click Next > Finish


Import the Intermediate Certificates into the Intermediate Certification Authorities > Certificates folder:

  1. From the left pane, expand the Intermediate Certification Authorities folder
  2. Right-click on the Certificates sub folder
  3. Select All Tasks > Import - A Certificate Import Wizard will open.
  4. Click Next
  5. Click Browse and then navigate to the Intermediate CA Certificate file
  6. Click Next
  7. Select Place all certificates in the following store: Intermediate Certification Authorities
  8. Click Next
  9. Click Finish


(repeat steps above to install second Intermediate Certificate if any)

Restore Private Key:

  1. With the MMC console still open, select the Certificates folder inside the Personal folder in the left-hand pane.
  2. Double-click the newly imported SSL certificate in the right-hand pane, then select the Details tab.
  3. Scroll down and select the Thumbprint
  4. The Thumbprint should appear in the box below
  5. Click inside the box so that the cursor appears. Press Ctrl + A on the keyboard, then press Ctrl + C
  6. Open a Notepad and paste in the Thumbprint
  7. Add double quotes (") at the beginning and end of the thumbprint.
     

Open a command prompt as Administrator (Go to Search > type cmd in search box), then enter the following command:

certutil -repairstore my "<thumbprint>"

Example:

certutil -repairstore my "00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f"

Make sure there are no extra spaces after the first ("). If successful, the last line in the response will display "CertUtil: -repairstore command completed successfully"
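
The restore step as a PowerShell check, added here as an example (not part of the original article): it cleans the pasted thumbprint, confirms the certificate is in the Local Computer Personal store, runs the same certutil command, and verifies afterwards that the key is attached. The function name Repair-CertPrivateKey is hypothetical, and the example assumes an elevated PowerShell 2.0 or later session on the IIS server.

```powershell
# Added example. Repair-CertPrivateKey is a hypothetical helper name.
# Run from an elevated PowerShell session on the IIS server.
function Repair-CertPrivateKey {
    param([string]$Thumbprint)

    # Keep hex digits only. This drops the spaces and quotes, plus any
    # invisible characters picked up when copying from the Details tab.
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($tp.Length -eq 0) { throw 'No hex digits found in the thumbprint.' }

    # certutil's "my" store without -user is the Local Computer Personal store.
    $path = "Cert:\LocalMachine\My\$tp"
    if (-not (Test-Path $path)) {
        throw "Certificate $tp is not in LocalMachine\My. Import it first."
    }

    if ((Get-Item $path).HasPrivateKey) {
        Write-Host "Private key already attached to $tp; nothing to repair."
        return $true
    }

    # Same command as in the article, with the cleaned thumbprint.
    & certutil.exe -repairstore my $tp | Out-Host
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -repairstore failed with exit code $LASTEXITCODE."
    }

    # Re-read the certificate: the repair only helps if the key pair from
    # the original request still exists on this server.
    if (-not (Get-Item $path).HasPrivateKey) {
        throw "certutil ran, but $tp still has no private key on this server."
    }
    Write-Host "Private key restored for $tp."
    return $true
}

# Constructed sample value (the article's example thumbprint, not a real one).
# Repair-CertPrivateKey '"00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f"'
```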
 
Assign SSL certificate in IIS:

  1. Go to Start > Administrative Tools > Internet Information Services (IIS) Manager.
  2. From the Connections pane on the left, expand the local server, expand the Sites folder and select the web site to be secured with SSL.
  3. From the Actions pane on the right, select the Bindings option under Edit Site.
  4. In the Site Bindings window, select an existing https binding and click Edit. If there are no existing https bindings, click Add.
  5. Ensure the type is set to 'https', then select the new SSL certificate from the drop-down menu.
  6. Click the View button to confirm details of the certificate.
  7. Click OK > Close