
It seems the common method for installing a new SSL certificate for a site on IIS 6 is to create a temporary site, generate a CSR with the parameters of the real site, and then fulfill that CSR when the certificate is given.

This is all well and good, but I foolishly deleted the temporary site too early -- I deleted it after the CSR was generated and before I received the real certificate. I still have the CSR used and the certificate. Is there a way to get IIS to allow me to install this? Can I add the certificate to the registry manually or something? I really don't want to go through another reissue process.

Thanks in advance.

jeffcook2150

  • This worked for me! I was having the issue where I had the cert installed but when I did an SSL check, it was showing errors. Https was not resolving for my site. One of the errors was saying that there was not a cert installed. Network Associates wouldn't help unless I paid them $130. Microsoft has been stringing me along for several weeks without resolution so I went out on my own, found this thread and applied it. My site is now up and running! –  Nov 02 '11 at 21:48
  • The situation above also happens when renewing a certificate. Your provider will give you a new certificate without you having generated a request. The method described below works in that situation as well. – KeithL Dec 05 '16 at 13:06

2 Answers


Chances are the private key still exists, but you will have to use certutil to repair the association. I've had to do this a few times myself. The below is from HERE:

To install a Web server certificate that lacks a pending certificate request:

  1. Click Start, point to Run, type cmd, and then click OK.

  2. Navigate to the directory where Certutil.exe is stored; by default, this is %windir%\system32.

  3. Type the following command at the command prompt: certutil -addstore my certnew.cer, where certnew.cer is the name of the certificate you received from the certification authority (CA). You should see the following message: CertUtil: -addstore command completed successfully.

  4. Navigate to the directory where you stored the certificate you received from the CA. Right-click the certificate and then click Properties.

  5. Click the Details tab and select <All> in the Show drop-down list.

  6. In the Field list, select Thumbprint to display its value in the view pane.

  7. Select the Thumbprint value in the view pane and then press CTRL+C.

  8. Return to the command prompt window and type the following command: certutil -repairstore my "thumbprint", where thumbprint is the value of the Thumbprint field. Be sure to type the double quotes as part of the command. If the command is successful, the following message is displayed: Encryption test passed CertUtil: -repairstore command completed successfully.

CarloBaldini

  • This still works in IIS 8.0 (Windows Server 2012). I had a situation where the CA reissued the cert without requesting a new CSR (manual support process) and I didn't want to start all over. This procedure allowed me to replace the existing cert without changing the private key or generating a new CSR. – Jordan Rieger Mar 08 '18 at 21:01
  • This still works in IIS 10.0.x (Windows Server 2022). But I ran into this error when changing the SSL cert binding afterward: https://stackoverflow.com/questions/14953132/iis-7-error-a-specified-logon-session-does-not-exist-it-may-already-have-been . The solution for me was to re-export the cert and private key to a password-protected .pfx file after doing the above repair steps, then import it back into the server store (and delete the file afterward of course.) – Jordan Rieger Sep 01 '23 at 00:16
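The certutil procedure in the answer above, scripted in PowerShell with the checks you want before you touch the SSL binding. This is an added example and not part of the original answer or of Microsoft's documentation. It assumes PowerShell is available (Windows Server 2008 or later; on the asker's Server 2003 / IIS 6 box the cmd steps apply as written), that the script runs elevated on the same machine that generated the CSR (so the orphaned private key is still in the machine key store), and that the CA-issued certificate was saved to C:\certs\certnew.cer, a placeholder path.

```powershell
# Added example (not the original answer's code). Re-links a CA-issued certificate to the
# private key left behind by a deleted CSR, then verifies the association before use.
# Assumptions: run as Administrator on the machine that generated the CSR; $CertPath is a
# placeholder for the .cer file the CA returned.
param(
    [string]$CertPath = 'C:\certs\certnew.cer'   # assumption: issued certificate from the CA
)

$ErrorActionPreference = 'Stop'

# Read the thumbprint from the file itself instead of copying it out of the certificate dialog.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$thumb  = $issued.Thumbprint
Write-Host "Subject   : $($issued.Subject)"
Write-Host "Thumbprint: $thumb"
Write-Host "Expires   : $($issued.NotAfter)"

# Step 3 of the procedure: put the certificate in LocalMachine\My (the Personal store IIS reads).
# Adding an identical certificate twice is harmless, so the script can be re-run.
& certutil -addstore my $CertPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed for $CertPath" }

# Step 8: ask the CSP/KSP to find a private key whose public half matches and re-associate it.
& certutil -repairstore my "$thumb"
if ($LASTEXITCODE -ne 0) {
    throw "certutil -repairstore failed: no matching private key exists on this machine, " +
          "so the certificate has to be reissued from a fresh CSR"
}

# Verify before creating the SSL binding: the store entry must now report a private key.
$stored = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
if (-not $stored) { throw "Certificate $thumb not found in LocalMachine\My" }
if (-not $stored.HasPrivateKey) { throw "Repair completed but the store entry still has no private key" }

# certutil's own consistency check on the store entry; it prints its encryption/signature test results.
& certutil -verifystore my $thumb

Write-Host "OK: $thumb has a private key and can be selected in the site's SSL binding."
```

If -repairstore reports success but the binding step later fails with the "specified logon session does not exist" error mentioned in the comments, the round trip described there can be done with Export-PfxCertificate and Import-PfxCertificate (Windows Server 2012 and later, PKI module), using a password-protected .pfx that you delete afterwards. That only works if the CSR wizard created the key as exportable, which the IIS wizard does by default.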

You will need to reissue your SSL certificate; otherwise you will see a private key mismatch error. You can regenerate the CSR, apply for the reissue, and install the certificate.

Sagar