Troubleshooting: Missing Private Key on Windows Servers

As with the majority of server systems, you install your SSL certificate on the same server where your Certificate Signing Request (CSR) was created, because the private key always remains on the system where the CSR was originally generated. On Microsoft systems the private key is hidden away and only appears once the pending CSR request has been completed.

When using Exchange to process the pending request and install an SSL certificate, there should be an option available to do this. If there is no option to “complete” the pending request, it usually means one of the following.

  • The CSR was never created on the Exchange system that you are currently on.
    Note: If the CSR was never generated on this system then find the correct system.
  • It is a glitch with processing pending requests associated with IIS and Exchange systems.

Troubleshoot the missing pending request or missing private key by performing the following.

Step 1:  Create an MMC Snap-in for Managing Certificates on a Windows server system:

  1. Start > Run > MMC.
  2. Go into the Console Tab > File > Add/Remove Snap-in.
  3. Click on Add > Click on Certificates and click on Add.
  4. Choose Computer Account > Next.
  5. Choose Local Computer > Finish.
  6. Close the Add Standalone Snap-in window.
  7. Click on OK at the Add/Remove Snap-in window.
  8. You will be brought back into the management console where you will see your snap-in.

Step 2: Importing your SSL certificate:

  1. Expand to Certificates (Local Computer) > Personal > Certificates.
  2. Right click on Certificates and go to All Tasks > Import.
  3. The Certificate Import Wizard will appear; click Next.
  4. Specify the location and path of your SSL certificate by clicking Browse…
  5. Click Next.
    Note: You may have to change the file type you are looking for to All in the drop down menu in order to browse to your certificate in the open window.
  6. Click Next.
  7. Click Finish.
  8. You should receive a message stating “The import was successful.” Click OK.
  9. You should see your new certificate appear in the middle of the Personal Certificates pane with an icon that has a little key on it.
  10. Double check the certificate further by double-clicking it. If your certificate states “You have a private key that corresponds to this certificate.”, this means your SSL Certificate was able to marry with its private key, and is now ready for binding to its services, export, etc.
  11. Click OK.

Last Resort: If you still do not see a private key associated with your certificate then perform the following last resort troubleshooting tactic:

  1. With your SSL certificate now imported into MMC, double-click your SSL Certificate.
  2. On the certificate information window that opens, select the Details tab, scroll down and select the Thumbprint field from the list.
  3. The Thumbprint will appear in the box below; select the thumbprint and copy it to the clipboard (click anywhere in the box, then press Ctrl+A followed by Ctrl+C on the keyboard).
  4. Open a Command Prompt (CMD) as an administrator and run the following command.
  5. certutil -repairstore my "<thumbprint>"
    Note:
    If you right click on CMD you will have a paste feature to paste the copied thumbprint in-between the quotes.
  6. The command should look similar to:
    certutil -repairstore my "00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f"
  7. Note: If you see a question mark (?) in front of your thumbprint, delete it.
  8. If the command completes successfully, you will see a bunch of information with the following message appearing at the bottom:
    CertUtil: -repairstore command completed successfully.
  9. Double check the certificate back in MMC by double-clicking it. If your certificate states “You have a private key that corresponds to this certificate.”, this means your SSL Certificate was able to marry with its private key, and is now ready for binding to its services, export, etc.

Note: If your imported SSL certificate still does not state that you have a private key, then your private key was either corrupted or never generated on this system. You will have to start from scratch: generate a new CSR > perform a reissue of the SSL Certificate > then perform the SSL Certificate installation.
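
The same last-resort check and repair can be scripted from an elevated PowerShell prompt. This is an added example, not part of the original article: the parameter name and the sample thumbprint are constructed, and the 40-digit length check assumes the thumbprint is the SHA-1 value shown in the certificate's Details tab.

```powershell
# Added example (not from the original article). Run from an elevated PowerShell prompt.
param(
    # Thumbprint as pasted from the Details tab. The default is a constructed sample
    # value, including the stray leading "?" described in the steps above.
    [string]$RawThumbprint = '?00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13'
)

# Keep only hex digits: removes the spaces and any stray leading character.
$thumbprint = ($RawThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($thumbprint.Length -ne 40) {
    throw "Expected 40 hex digits in the thumbprint, got $($thumbprint.Length)."
}

# The certificate must already be imported into Local Computer > Personal (Step 2).
$path = "Cert:\LocalMachine\My\$thumbprint"
if (-not (Test-Path -Path $path)) {
    throw "No certificate with thumbprint $thumbprint in LocalMachine\My. Import it first."
}
$cert = Get-Item -Path $path

if ($cert.HasPrivateKey) {
    Write-Host 'Certificate is already associated with a private key; nothing to repair.'
}
else {
    # Same command as in the manual steps: re-link the certificate to its key container.
    certutil -repairstore my $thumbprint
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -repairstore failed with exit code $LASTEXITCODE."
    }
    $cert = Get-Item -Path $path   # re-read the store entry after the repair
}

# Summary equivalent to the MMC check for the private key message.
[pscustomobject]@{
    Subject       = $cert.Subject
    Thumbprint    = $cert.Thumbprint
    NotAfter      = $cert.NotAfter
    HasPrivateKey = $cert.HasPrivateKey
}
if (-not $cert.HasPrivateKey) {
    Write-Warning 'Still no private key: generate a new CSR and have the certificate reissued.'
}
```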

Step 3: Give your imported SSL Certificate a friendly name:
To quickly see your fixed SSL Certificate in Exchange or IIS perform the following.

  1. In MMC right click your newly fixed SSL certificate and go to Properties.
  2. Under Friendly Name: You can give this certificate a friendly name of your choice to quickly see it in Exchange or IIS.
  3. Click OK.
  4. You can now go back to Exchange or IIS and press F5 on your keyboard to refresh the Exchange or IIS application. Your new certificate should appear now that it has the private key. This means you can now assign the services and bind it to your websites.

If you are unable to use these instructions for your server, Acmetek recommends that you contact either the vendor of your software or the organization that supports it.

Microsoft Support

For more information refer to Microsoft.
