
I'm having an issue: I have a PFX certificate file that a client provided. I can import this certificate in Certificate Manager and it does have a private key, but I cannot use the certificate in bindings for IIS. The private key is not re-exportable. It doesn't show up in the drop-downs. When I try to import this certificate in IIS Server Certificates, I get the error message:

Certificate cannot be used as an SSL server certificate.

One note, the CSR never originated from the IIS server. I just asked to purchase a cert, and the client made one and sent over the PFX file.

Not sure if there is a workaround or I need to have the client re-key the certificate based on my CSR. I tried looking at this other answer, but it didn't seem to help. Probably because the private key is not exportable? Not sure, please advise.

Installed SSL certificate in certificate store, but it's not in IIS certificate list

bb2j3z
  • That answer was incomplete, so you probably installed the certificate to a wrong account. In MMC you must choose the computer account and then install the certificate to its Personal store. – Lex Li Jan 03 '20 at 20:02
  • Double clicked on the cert, picked the computer account then installed the certificate to its Personal store as you described. I see the cert in Personal\Certificates in MMC. However in IIS, when I try and create a site binding for port 443, the certificate is not listed in the SSL certificate dropdown to select. – bb2j3z Jan 06 '20 at 15:36
  • Then I can only say you applied/installed a wrong certificate. IIS Manager only shows a valid "server" certificate that has the mandatory purpose of "Server Authentication", https://blogs.msdn.microsoft.com/kaushal/2012/02/17/client-certificates-vs-server-certificates/ – Lex Li Jan 06 '20 at 19:22
  • Thanks, any way I can explain or give instructions to the client other than it needs to be a server certificate? In MMC, it shows Client Authentication. Do I need to create a CSR from IIS and have them process it to be a server certificate? – bb2j3z Jan 06 '20 at 19:33
  • The certificate you got is a client certificate then. To apply a server certificate, any valid CSR can be used (not necessarily from the IIS machine). Please ask your client to follow the instructions of the CA he/she uses. – Lex Li Jan 06 '20 at 21:17
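
The check the comments arrive at (does the imported certificate carry the "Server Authentication" purpose, and does it sit in the computer account's Personal store with a private key) can be run from PowerShell. This is an added example, not part of the original thread; the `ServerAuthOk` column name and the decision to treat a certificate without an EKU extension as unrestricted (per RFC 5280) are assumptions of the example.

```powershell
# Added example: inspect the computer account's Personal store and report,
# per certificate, whether it is usable as a TLS server certificate.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth ("Server Authentication")
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth ("Client Authentication")

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Find the Enhanced Key Usage extension, if the certificate has one.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }

    # Flatten the extension's OID collection into plain strings.
    $oids = @()
    if ($ekuExt) {
        $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    }

    # Summarize the purpose the same way the MMC "Intended Purposes" column does.
    $purpose = if (-not $ekuExt) {
        'No EKU extension (purpose not restricted)'
    } elseif ($oids -contains $serverAuthOid) {
        'Server Authentication'
    } elseif ($oids -contains $clientAuthOid) {
        'Client Authentication (no Server Authentication)'
    } else {
        'Other: ' + ($oids -join ', ')
    }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        NotAfter      = $cert.NotAfter
        Purpose       = $purpose
        # Hypothetical summary column: purpose allows server use, key present, not expired.
        ServerAuthOk  = ((-not $ekuExt -or $oids -contains $serverAuthOid) -and
                         $cert.HasPrivateKey -and ($cert.NotAfter -gt (Get-Date)))
    }
} | Format-Table -AutoSize
```

A certificate reported as "Client Authentication (no Server Authentication)" matches the situation in this thread: the fix is a reissued certificate from the CA, not a different import procedure.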
