6

In IIS 6 on Server 2003, I can go to a web site's properties and walk through the wizard to generate a new cert request. Once I complete the request and have the cert installed on the web site, I can go into the cert store and export the certificate with the private key, setting a password and saving it as a PFX file.

When I go through a similar procedure in IIS 7 on 2008R2, I can generate the CSR and complete the request. However, the cert in the cert store cannot be exported with the private key and saved as a PFX file. Is there some option or step I am missing in the process so that the private key can be exported in IIS 7?

Andy Schneider

2 Answers

7

IIS still has the option to export the certificates directly; alternatively, you can export the certificate using the "Certificates" MMC snap-in (certmgr.msc).


If this isn't available, you may have set the private key as non-exportable during the key creation process.

Shane Madden
  • Right, the issue is that I cannot figure out how to set the key as exportable during the creation process. I never saw an option one way or the other. Is this configured in a cert template somewhere? – Andy Schneider Aug 17 '11 at 16:37
  • @Andy The IIS wizard doesn't include that option - it tries to keep it simple; certificates are exportable by default. It could be in the template - check the template that was used during creation. First things first, though - you've verified that the key is indeed set to non-exportable? – Shane Madden Aug 17 '11 at 16:46
  • When I open the cert in cert manager, I do not see the key icon and a message saying "You have a private key that corresponds to this certificate." Are there any other verification steps I can take? How would I go about checking the template? We are using Entrust as the CA. – Andy Schneider Aug 18 '11 at 14:12
  • @Andy Sounds like the private key may not have gotten imported somehow. – Shane Madden Aug 18 '11 at 15:04
  • It worked fine on a different server. There must have been something wacky with the first one I tried it on. – Andy Schneider Aug 18 '11 at 16:07
5

In case this is of any help, I had better luck with a variation to Shane's answer.

  1. Visit the Server Certificates tab in IIS.
  2. Right-click the certificate and choose View (instead of Export).
  3. This opens the certificate in a new window. Click the Details tab.
  4. Click Copy to File.... This opens a different export wizard that has a few more options to choose from.
DuckMaestro
  • This is good confirmation that I don't have a private key: it says 'The associated private key cannot be found'. I assume I need to re-key the cert – Simon Jan 14 '15 at 02:14
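
An added example (not from any of the posts above): a PowerShell script that checks the two conditions discussed in this thread, whether a certificate in the local machine store has an associated private key and whether that key is marked exportable, and then attempts the PFX export. The thumbprint and output path are placeholders, and the exportable flag is read through the CSP API, so keys held by a CNG provider are reported as unknown.

```powershell
# Added example. Run from an elevated prompt on the IIS server.
# $Thumbprint and $PfxPath are placeholders; replace them with your own values.
param(
    [string]$Thumbprint = '<THUMBPRINT-PLACEHOLDER>',
    [string]$PfxPath    = 'C:\temp\site.pfx'
)

function Get-CertKeyStatus {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $exportable = 'n/a (no private key)'
    if ($Cert.HasPrivateKey) {
        $exportable = 'unknown (not readable via CSP)'
        try {
            # CspKeyContainerInfo exists only for CSP-backed keys
            $flag = $Cert.PrivateKey.CspKeyContainerInfo.Exportable
            if ($flag -ne $null) { $exportable = $flag }
        } catch { }
    }
    New-Object PSObject -Property @{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey
        Exportable    = $exportable
    }
}

# 1. Report key status for every certificate in the machine's Personal store
$store = Get-ChildItem Cert:\LocalMachine\My
$store | ForEach-Object { Get-CertKeyStatus $_ } |
    Format-Table Subject, HasPrivateKey, Exportable, Thumbprint -AutoSize

# 2. Attempt the export for the selected certificate
$cert = $store | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { Write-Warning "No certificate with thumbprint $Thumbprint"; return }
if (-not $cert.HasPrivateKey) {
    Write-Warning 'No private key is associated with this certificate on this machine.'
    return
}
$password = Read-Host 'PFX password' -AsSecureString
try {
    $pfx  = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
    $data = $cert.Export($pfx, $password)
    [System.IO.File]::WriteAllBytes($PfxPath, $data)
    Write-Host "Exported to $PfxPath"
} catch {
    # A non-exportable key fails here rather than producing a PFX without the key
    Write-Warning "Export failed: $($_.Exception.Message)"
}
```

`HasPrivateKey` being false corresponds to the missing key icon described in the comments; the key then has to come from the machine where the CSR was generated, or the certificate has to be re-keyed.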