Installed SSL certificate in certificate store, but it's not in IIS certificate list

Question

After installation of a wildcard SSL certificate into the certificate store, the certificate does not appear in the IIS certificate list for use with site bindings.

The certificate was installed correctly, but apparently no key was included with the certificate.

How can you fix this issue without doing a new request or contacting someone for the key (if, for instance, it's the day before a launch? ;-) )

score 89 · Accepted Answer · edited Feb 21 '20 at 20:57

89

I ran into this problem today. Due to the timeframe and some other issues, getting the key from the provider was not possible.

I found the following solution here (under pixelloa's comment) and thought it would be good to have the answer on Stack Overflow as well.

If the certificate does not have a private key, you can fix this by doing the following:

To fix this, use the MMC snapin to import the cert into PERSONAL store of the computer account, click it and grab the serial # line. Go to dos, run certutil -repairstore my "paste the serial # in here" (you need the quotes unless you remove the spaces from the serial number) then refresh MMC with personal certs, right click it - export - select everything except DELETE PRIVATE KEY, hit ok. Then go to IIS and IMPORT cert instead of finish request.

For what it's worth, all I actually had to do was run the certutil -repairstore command, and my certificate worked. I did run the export and set a password for the export itself, but I did not have to reimport the certificate. The certificate now shows up in IIS's list of certificates and can be used for HTTPS bindings.

I hope this helped someone.

edited Feb 21 '20 at 20:57

Synctrex

811
1
11
19

answered Jan 09 '14 at 01:04

5

Thank you. You helped someone who needed help very fast:) – LukLed Jul 06 '15 at 09:14
+1 I just had this problem with a Network Solutions SSL certificate. It looked as though the serial number had a leading space. Thanks for including the fix here. – Tim Jul 08 '16 at 22:59
2

Had the same issue with a GoDaddy UCC certificate. This worked at the first attempt. – Marius Bughiu Sep 04 '16 at 18:22
Brilliant, helped me out with a Namecheap wildcard cert on IIS 8 – Paul Jan 05 '17 at 10:26
14

For me the problem was I imported a .cer file from go-daddy on a different machine from the one that generated the certificate request. The .cer files DO NOT CONTAIN a private key at all. The private key stays in the local machine cert store along with the request, and gets linked up with the actual certificate upon import. This implies that certutil.exe -repairstore will not work at all after importing a .cer file on another machine. Instead, export the certificate as PFX file from the cert store from the machine where you generated the request and subsequently first installed it. – Ries Vriend Oct 31 '17 at 08:44
1

I second Ries Vriend's comment. On the server that is working, export the certificate WITH THE PRIVATE KEY, then import it on the other server. – Colin Mar 14 '18 at 21:45
Just running the certutil -repairstore command already solved the problem for me...didn't have to do the export and import. – Shawn de Wet Jul 10 '18 at 04:20
2

Note that you should not include the quotes, nor spaces in the serial number. So your command should look something like this: certutil -repairstore my 00ecda18e75f5a49f3 – Vincent Jul 26 '18 at 23:16
Example for certificate imported in Personal: `certutil -repairstore "My" "faef119aa08b0b42"`. – stomy May 29 '19 at 03:02

score 25 · Answer 2 · answered Aug 07 '16 at 09:18

Had the same problem and found the easy solution thanks to inspiration from the above answers. Here's a quick step-by-step summary:

First open MMC with the Certificates plug in.
Drag-n-drop your new certificate (missing the key on the upper left part of the certificate icon) to the "Personal" certificate store. This I did because the name of the "Web Hosting" store is a so called friendly name and not the real name of the store, and I could not remember the real name which is needed for the command prompt utility certutil. Instead I just remembered that the real name of "Personal" is "My". Makes the rest easy, and once done I just move the certificate back into "Web Hosting".
Once the new certificate (missing the key) is in the "Personal" store, start a command prompt and issue the following command: certutil -store "My" (assuming the quotes are needed)
Note the serial number of your certificate. It's in the first line of the certificate dump. If you have other certificates in the "My" store, then you need to find the one you just moved. Look at expiration date and name for example. Mark and copy the serial number.
Now issue the command certutil -repairstore "My" <paste serial number here> and note the private key is verified.
Move the certificate back to the "Web Hosting" store and refresh. You should now see the certificate icon overlaid with a small key icon in the upper left part.
Now you should be able to choose the certificate from inside the IIS bindings dialog.

Have fun!

Had same issue on IIS8 in Win2012 as of Aug 11, 2016. The cert. (from godaddy) disappeared the second i installed it. This solution fixed the issue. — KuN, Aug 11 '16 at 17:43
Still valid today for GoDaddy certificates, thank you very much Soren for your clear explanation. — Fabio Pagano, Aug 10 '21 at 18:48

score 12 · Answer 3 · answered Jan 18 '18 at 17:25

12

If you are using Godaddy as your certificate authority, and you are running into this issue; All you have to do is Re-key the certificate. I tried the above certutil -repairstore my "paste the serial # in here" but the system wanted me to use smart card for authentication. (Running IIS10 on Server 2016 and 2012R2)

When I Created a Certificate Request, gone through the process of Re-keying and gone through the process of "Complete Certificate Request" I was able to sucessfuly configure "Bindings..." without the certificate disappearing.

answered Jan 18 '18 at 17:25

Konrad13

121
1
2

Thanks, this did it for me for a GoDaddy UUC cert. I'd like to know why this is necessary. – Jay Riggs Sep 04 '19 at 21:59
This is the best answer. No need to install other tools or do anything fancy. Just rekey it before you download and it works. GoDaddy told me over the phone that I don't have to rekey it, but I'm guessing that's valid advice for Linux, not for Windows servers. – Vincent Feb 13 '22 at 17:07

score 10 · Answer 4 · answered May 15 '17 at 08:05

To solve, you need to import Private Certificate (PFX).

If you don't have PFX, use OpenSSL to generate it:

Download&Install OpenSSL
Open command line and run:

openssl pkcs12 -export -in public_certificate.cer -inkey server.key -out private_certificate.pfx

Than, install private_certificate.pfx (right click -> Install Certificate).

Now, your certificate does not disappear anymore and you can bind Website over SSL.

A great resource: https://blog.lextudio.com/the-whole-story-of-server-certificate-disappears-in-iis-7-7-5-8-8-5-10-0-after-installing-it-why-b66e802baa38

if you don't want to install openssl in Windows: Download portable-git from https://git-scm.com. Portable git launches a portable mingw console that includes openssl in its default utilities. walter's command worked for me after I appended a "-passout pass:mypassword" to it. else it just waited... — gridtrak, Sep 11 '18 at 23:50

mobill · Answer 5 · 2016-06-06T22:07:03.160

You can export a pfx from IIS on another server, if you have a server with the cert successfully installed.

Update:

Working on another round of certificate updates (a renewal) I ran into this problem again, on every server I tried. @Geir's answer didn't work, but it did give me an idea. I identified the server where I had generated the Certificate Request and successfully installed the new cert there. From that server I was able to export a pfx and then import the pfx version on the rest of the servers. No need to redo the Cert Request.

score 5 · Answer 6 · answered Sep 15 '15 at 01:06

5

had the same problem.

You need to ensure you are installing on the same server as the one you created the "CSR" file from. Otherwise, it won't have the private keys.

If you got your cert, just ask to re-key, it will ask for a new CSR file. I.e. Go Daddy allows you to re-key, just find the cert, and hit "manage"

I am not expert at this stuff, but this managed to work.

answered Sep 15 '15 at 01:06

Vinnie Amir

557
5
10

2

My cert install worked for one server but not a second. Your answer helped me to a different solution: I exported the cert from the first server (created a pfx file) and imported it into the second. Worked. – Bob Horn May 12 '16 at 14:05

score 4 · Answer 7 · answered May 10 '16 at 10:51

This can happen if you e.g. generate a new certificate request after having your old certificate request approved. The new request will cause IIS to delete the private key associated with your first certificate request, and hence when you import the (now signed) certificate associated with your first request, it will not have a private key associated with it. Since it doesn't have a private key, it can't be used for SSL binding and will not appear in the IIS manager.

You may be able to restore the private key, since it is stored more than one place on your computer:

Start -> mmc.exe -> Add snap-in -> Certificates -> Computer account. Verify that the installed certificate appears in the "Personal/Certificates" tab. If not, import it. A missing private key is visualized by the icon next to the certificate not containing a key icon.
Open the certificate (.cer) file from disk by double-clicking on it. In the Details tab, note the serial number.
Start -> cmd.exe. Type "certutil -repairstore my (serialnumberhere)". The serial number should have no spaces. Could be 8 or more digits.

If the certutil command returns with "-repairstore command completed successfully", the private key of your certificate was most likely recovered. You can verify this by going to the MMC certificate list and hitting F5 -- if successful, your certificate will now have a small key in its icon. You will then be able to select your certificate from IIS.

If this fails, your private key is no longer available and you need to send a new certificate signing request to the signing authority.

Thanks you. your instructions were written in the best way. it worked. — Yochai, Mar 11 '17 at 17:25

score 4 · Answer 8 · answered Nov 11 '16 at 14:53

4

I had the same in IIS 10.

I fixed it by importing the .pfx file using IIS manager.

Select server root (above the sites-node), click 'Server Certificates' in the right hand pane and import pfx there. Then I could select it from the dropdown when creating ssl binding for a website under sites

answered Nov 11 '16 at 14:53

Arjan

469
4
12

1

Thank you! After spending an hour trying to make other solutions work, this just worked in 30 seconds. I should add though, for the benefit of others, if you don't have a .pfx but you're already using this certificate on another server, you can export it using IIS on the other server. This will generate a pfx. Then import it on your new server. – Vincent Aug 13 '19 at 23:45

score 3 · Answer 9 · answered Jul 20 '20 at 08:28

I had a key file & a crt file but it wouldn't show in IIS because I couldn't attach the key to the certificate during the import. Ended up creating a pfx file containing the certificate & the key, and after that it worked (When importing to the computer and not local user)

Created the file with OpenSSL (Download first).

openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt

score 2 · Answer 10 · answered Jul 28 '15 at 13:39

2

This happens when the installed certificate does not contain your private key.

In order to check if the certificate contains the private key and how to repair it use this nice tutorial provided by Entrust

answered Jul 28 '15 at 13:39

Ivo Stoyanov

16,256
8
62
65

That was a nice tutorial until I got to the part where I had to navigate to my "server directory" and they failed to explain what that is. I still have no idea. Tutorial fail. – Vincent Aug 13 '19 at 23:40

score 2 · Answer 11 · edited Jun 20 '20 at 09:12

2

I had similar issue and tried all possible combinations as well as accepted answer without any luck. Finally I found DigiCert SSL Utility which helped me to install certificate in couple clicks. You can download it here. Hope this answer will save some time for others.

edited Jun 20 '20 at 09:12

Community

1
1

answered Mar 31 '16 at 14:12

Denys Denysenko

7,598
1
20
30

score 1 · Answer 12 · answered Mar 03 '16 at 10:08

The Issue is the certificate request(CSR) was not generated from IIS. If you generated from Other sources e.g OpenSSL it will bring the issue. You need to generate the Certificate request(CSR) from IIS -> Create a certificate request, then enter all the details and then send to the vendor for regeneration of the SSL certificate. Mine worked properly after that.

score 1 · Answer 13 · edited Jun 26 '17 at 09:14

when you have one certificate and 2 different web servers here how I fixed it:

List item
You should generate certificate at one of the servers as usually in IIS Then at that server you can also complete the certificate in IIS.
Run the program DigiCertUtil and export that working certificate
Go to the other web server in IIS in security certificates Import that file from step 3.
Then use that certificate to create the Binding.

score 1 · Answer 14 · answered Dec 04 '20 at 18:43

We had a similar issue on our team trying to apply a wildcard certificate on our new VM.

So it might be a different situation were we were trying to copy our existing certificate to a new VM, but ended up with the same problem( certificate missing from IIS certificate list).

This article (link below) helped us:

So what did the trick was to export the certificate from the original server and include the private key during the export process( add a password to protect your certificate)

then import it to the new server where you want to install the certificate. Mark the key as exportable so that it can be exported later on.

I do not want to do a step by step since its well documented in the article.

https://www.digicert.com/kb/ssl-support/certificate-pfx-file-export-import-iis-10.htm

score 0 · Answer 15 · answered Oct 10 '19 at 13:56

The certutil -repairstore command mentioned in other answers worked for me, but if your certificate is in the "Web Hosting" store and you don't want to move it, the real (internal) name of the "Web Hosting" store is "WebHosting", for anyone following the steps mentioned here.

score 0 · Answer 16 · answered Jan 28 '20 at 15:43

If you are using Godaddy certificate, then the issue is that the machine on which the certificate request is created and the machine on which is you are trying to complete the request are different. So do the following:

Use the "generated-private-key.txt" file that was created the godaddy. Use this file to create .pfx certificate(with private key) you can use OpenSSL command:

openssl pkcs12 -export -out {mydomain}.pfx -inkey generated-private-key.txt -in {your .crt file}
The above command will generate certificate with private key {mydomain}.pfx.
Import this certificate in IIS using "Import" option

score 0 · Answer 17 · edited Dec 22 '20 at 08:14

0

I had the very same issue. Problem here is that I installed godaddy certificate on local system and then copied on server which hence didnt have private key. So, use online converters to convert ssl to .pfx and then install it. Would definitely work.

edited Dec 22 '20 at 08:14

greg-449

109,219
232
102
145

answered Dec 22 '20 at 05:36

Priyanka Arora

409
4
10

score -1 · Answer 18 · answered Sep 06 '20 at 06:36

-1

For anyone who's using a GoDaddy generated certificate for IIS, you have to generate the certificate request from IIS. The instructions on the GoDaddy site is incorrect, hope this saves someone some time.

https://ca.godaddy.com/help/iis-8windows-server-2012-generate-csrs-certificate-signing-requests-4950

Found the answer from a guy named mcdunbus on a GoDaddy forum. Here is article https://www.godaddy.com/community/SSL-And-Security/Trouble-installing-SSL-Certificate-on-IIS-8n-Windows-2012/td-p/39890#

answered Sep 06 '20 at 06:36

dellyjm

426
1
5
10

The trouble with 3rd party links is they go bad. Do a write up of what it says to do instead. Don't post links except as a reference to what you wrote. (-1) – B. Shea Jul 05 '23 at 16:36
both the links are working, so I'm not sure what the issue is. – dellyjm Jul 12 '23 at 15:19
You are wrong: https://i.imgur.com/Js6OvwQ.png - your 2nd link is 404'd. *But, that's besides the point.* Posting 3rd party links is not an answer. Only you can write an answer. Take what you learn from links and apply it to your answer. – B. Shea Jul 12 '23 at 16:09
I just clicked both the links and they are working. I'm not looking for points, just trying to help the person find a solution. So all the best to you. Delete my answer if it's bothering you. – dellyjm Jul 12 '23 at 18:21
Instead of arguing it, it would seem a lot easier to just fix your answer? At any rate, the 2nd link is "404" FOR ME. Maybe it's because it's a Canadian Godaddy link and it doesn't like my IP being USA? I couldn't tell you why and it doesn't matter, but this is yet another reason not to post (just) links. They may not appear the same for everyone, or simply go away after a bit of time.. – B. Shea Jul 13 '23 at 13:00

Installed SSL certificate in certificate store, but it's not in IIS certificate list

18 Answers18

Linked