2

I have a pretty straightforward setup: IIS 8 on Windows Server 2012 R2, 2x ARR servers with NLB, 3x web content servers in a web farm.

ARR servers have IIS shared configuration and IIS web content servers have shared configuration. I am able to successfully browse to a domain pointed to my ARR NLB IP over HTTP and hit my web servers in the web farm.

My problem is when I add certificates to the CCS share, they show up with a red X and the error "the specified private key password is not correct." I have no key password specified in the CCS feature settings, and I generated a CSR and key without encryption to issue these test certificates from a valid CA.

The CSR and keys are all generated through a custom internal SSL utility which is just using OpenSSL. I ran the certificate and key through some validation tools on sslshopper.com and they verified to match, and the key was able to be read as it was not encrypted.

I generated the PKCS#12 (.pfx) file using OpenSSL with my un-encrypted key and certificate issued from my CA. I am able to import the generated PFX into my cert store on my local machine, view it, and export it all without issue. One strange thing I noticed is that when I exported the cert with key from my personal cert store on my machine and added it to the CCS, the error was that the file system could not find the file specified, even though it's displaying the cert with an error which is located in the share.

Any assistance would be greatly appreciated.

Image of error

Shadow00Caster
  • Another solution might be to create your pfx certificate using OpenSSL under Linux. – Ach Oct 29 '18 at 13:02

3 Answers

2

In regards to the issue you are seeing where it responds with the file system could not find the file specified, we had a similar issue.

Our certificate manager always uses Linux/OpenSSL to create the PFX files, and the output file has missing header information that OpenSSL doesn't care about. The fix for us was to import the cert into CertMgr.msc on Windows and then re-export it to a new PFX; once imported into the CCS, all worked as it should.

SmithPlatts
  • You are importing the generated PKCS#12 from OpenSSL into CertMgr and then exporting? When I do that, I still get the file system cannot find the file specified. – Shadow00Caster Feb 24 '16 at 20:17
  • This method works IF you import into LOCAL MACHINE store. Do NOT use CURRENT USER store when importing. I suspect that the MachineKeySet flag needs to be set on the SSL certificate, and importing into LOCAL MACHINE store does this automatically, and exporting keeps the MachineKeySet flag. – Grant Jul 09 '17 at 01:24
1

I had the exact error today on IIS Windows Server 2016. After some searching I found the answer. It seems there are issues with impersonation when using IIS Manager GUI and the Centralized Certificate Store. I was logged in with my normal domain admin account but had configured the certificate store network share to be mounted as a different account (which had sufficient rights). I changed everything to Administrator, logged in as Administrator and everything worked. Evidently it's only a problem with the GUI but in this case it was pretty misleading. See this thread for more info: https://github.com/ridercz/AutoACME/issues/14

0

Even attempting SmithPlatts' recommendation, I was still unable to get CCS to recognize the certificate.

I ended up generating a request from IIS, completing the request with a CA-provided cert, and then exporting that certificate with key from certmgr. I took that PFX and CCS sees it no problem.

I don't know exactly what the problem is; I suspect it is something along the lines of SmithPlatts' post, but I'm unsure. I plan to make some PowerShell scripts to manage this process; not ideal, but it works.

Shadow00Caster
  • How frustrating! Sorry that my suggestion didn't seem to help. I remember we had to do a lot of fussing about to get it to work when OpenSSL was used; but I'm 99% sure that importing to CertMgr, and re-exporting (with private key and full chain) worked for us. – SmithPlatts Feb 25 '16 at 09:56
  • Ah, finally found the link to some information about using non-Windows means to create properly formed CCS-supported certs: http://www.cisco.com/c/en/us/td/docs/app_ntwk_services/data_center_app_services/css11500series/v8-10/configuration/ssl/guide/sslgd/certkeys.html#wp999076 – SmithPlatts Feb 25 '16 at 10:01
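Putting SmithPlatts' import-and-re-export fix and Grant's LocalMachine-store observation into the kind of PowerShell script the last answer mentions, as an added example that is not from any poster in this thread. The source path, host name, share path and passwords are placeholders, and it assumes the PKI module cmdlets (Import-PfxCertificate / Export-PfxCertificate) available on Server 2012 and later.

```powershell
# Added example, not from the thread: rewrap an OpenSSL-built PFX through the
# LOCAL MACHINE store so the re-exported copy carries a machine key set, then
# drop it into the CCS share. All parameter values below are placeholders.
param(
    [string]$SourcePfx      = 'C:\temp\openssl-generated.pfx',  # PFX produced by OpenSSL
    [string]$SourcePassword = '',                               # empty if OpenSSL exported it without a password
    [string]$HostName       = 'www.example.com',                # CCS looks the file up as <hostname>.pfx
    [string]$CcsShare       = '\\fileserver\ccs',               # the Central Certificate Store share
    [string]$CcsPassword    = 'ChangeMe'                        # must match the CCS "private key password" setting
)

# 1. Import into Cert:\LocalMachine, NOT Cert:\CurrentUser (see Grant's comment).
#    -Exportable is required, otherwise the re-export in step 3 fails.
$importArgs = @{
    FilePath          = $SourcePfx
    CertStoreLocation = 'Cert:\LocalMachine\My'
    Exportable        = $true
}
if ($SourcePassword) {
    $importArgs.Password = ConvertTo-SecureString -String $SourcePassword -AsPlainText -Force
}
$cert = Import-PfxCertificate @importArgs

# 2. Sanity checks before touching the share: the key must be present and, for
#    CAPI keys, live in the machine key set (CspKeyContainerInfo is null for CNG keys).
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) imported without a private key; CCS will reject it."
}
$csp = $cert.PrivateKey.CspKeyContainerInfo
if ($csp -and -not $csp.MachineKeyStore) {
    throw "Private key is in the user key set; import into LocalMachine, not CurrentUser."
}

# 3. Re-export with the full chain under the host-name file name CCS expects
#    (a wildcard name such as *.example.com becomes _.example.com.pfx).
$target    = Join-Path $CcsShare (("$HostName" -replace '^\*', '_') + '.pfx')
$ccsSecure = ConvertTo-SecureString -String $CcsPassword -AsPlainText -Force
Export-PfxCertificate -Cert $cert -FilePath $target -Password $ccsSecure -ChainOption BuildChain | Out-Null
Write-Host "Wrote $target (thumbprint $($cert.Thumbprint))"

# 4. CCS serves the file, not the store, so remove the working copy and its key.
Remove-Item -Path ("Cert:\LocalMachine\My\" + $cert.Thumbprint) -DeleteKey
```

Run it in an elevated session on one of the IIS hosts; if the CCS feature is configured with no private key password, set the matching password there or adjust step 3 accordingly.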