Looks like lately certificates are my specialty. Today at work I had to replace an expired certificate on one of the web sites hosted in IIS 6.0. The new certificate was purchased as a renewal of the old one, not as a new certificate, so it came without a private key; the key existed only on the server, in the key container created when the original request was generated, and the expired certificate was still linked to it.
The way any admin renews a certificate is to open the web site's properties, click the Directory Security tab, then hit the Server Certificate button. There they choose the Process the pending request and install the certificate option and hand the new certificate to the wizard.
Easy, huh? My problem was that someone had deleted the pending request, leaving me no option in the wizard to associate the private key with the certificate. So I thought I would recreate the environment in my lab at home and write this post in case someone else runs into the same problem. The way I managed to solve it was with the certutil command. First things first: import the new certificate into the Certificates store, either with the mmc console (Certificates snap-in for the Computer account, Personal store) or with certutil. It has to be the computer's store, not your user's: certutil works on the local machine store by default, and IIS only offers certificates from there. Just ignore the expiration date on the old certificate in the image below.
Now if you open the imported certificate you can see that it has no private key, meaning it is useless, for now.
Don't close the certificate; instead go to the Details tab, and at the bottom click the Thumbprint field and copy the thumbprint to the clipboard.
Now from a command prompt (run as an administrator) issue the following command:
certutil -repairstore my "thumbprint"
where thumbprint is the thumbprint you just copied from the certificate's Details tab (certutil accepts the hex string with or without the spaces). In my case it is:
certutil -repairstore my "9f 05 01 58 3c 52 e7 28 bb ae 7d 11 06 98 09 fe d5 f8 d6 4f"
Open the certificate from the Certificates store again and, as you can see, it now has a private key associated. If you still don't see the private key on the new certificate, hit F5 to refresh the Certificates store. What certutil -repairstore does is look for a key container on the machine whose public key matches the certificate and link the two, so this only works on the server where the original request was generated, and only if that key container was not deleted along with the pending request.
Go into IIS and replace the old certificate with the new one. The new certificate now appears in the wizard's list, because it has a private key.
Verify that it is working. If you get the padlock icon you're good to go. If you are still not convinced, open the certificate from the browser and go to the Thumbprint field. The thumbprint should be identical to the thumbprint of the new certificate in the Certificates store.
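The same repair, scripted so it can be repeated without clicking through mmc. This is an added example, not part of the original post: it assumes PowerShell is available on the box (Windows Server 2008 or later, or PowerShell installed on 2003), an elevated prompt, a renewed certificate file at the hypothetical path C:\certs\renewed.cer, and that the key container from the original request still exists on this machine. It imports into the computer's Personal store, runs the same certutil command as above, and then re-reads the store to confirm the key is attached instead of trusting the exit code alone.

```powershell
# Added example (not from the original post): automate the certutil -repairstore fix.
# Assumptions: PowerShell 2.0+, elevated prompt, renewed cert at $CertPath
# (hypothetical path), and the original key container still present on this server.
param(
    [string]$CertPath = 'C:\certs\renewed.cer'
)

# Re-read the LocalMachine\My store and return the certificate with this thumbprint.
# A fresh X509Store is opened each time so HasPrivateKey reflects the current state.
function Get-MachineCert([string]$Thumbprint) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadOnly')
    $found = $store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint }
    $store.Close()
    return $found
}

# Import into the *computer* Personal store: certutil -repairstore operates on the
# LocalMachine store by default and IIS only lists certificates from there.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()

# .NET gives the SHA-1 thumbprint as 40 hex characters without spaces; certutil
# accepts this form as well as the space-separated one shown in the Details tab.
$thumb = $cert.Thumbprint
Write-Host "Imported '$($cert.Subject)' with thumbprint $thumb"

if ((Get-MachineCert $thumb).HasPrivateKey) {
    Write-Host 'Certificate already has a private key; nothing to repair.'
} else {
    # The command from the post: certutil searches the machine's key containers for
    # one whose public key matches the certificate and links the two.
    & certutil -repairstore my $thumb
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -repairstore failed with exit code $LASTEXITCODE"
    }
    if (-not (Get-MachineCert $thumb).HasPrivateKey) {
        throw 'Still no private key: the key container from the original request is not on this machine.'
    }
    Write-Host 'Private key re-associated; the certificate will now show up in the IIS wizard.'
}
```

If the final check throws, no amount of re-running certutil will help: the private key has to be on this server, generated by the original request, and the only remaining options are to restore it from a backup of the machine's key store or to generate a new request and have the certificate reissued against the new key.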
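A way to do that last check from a script rather than by eyeballing the browser dialog. This is an added example, not from the original post: it opens a TLS connection to the site, reads the certificate the server actually presents, and compares its thumbprint with the one copied from the Details tab. It assumes PowerShell 2.0+ on any machine that can reach the site, a hypothetical host name of www.example.com, and uses the thumbprint from the post as the expected value; spaces and case are normalised before comparing.

```powershell
# Added example (not from the original post): confirm the site serves the renewed
# certificate by comparing the thumbprint presented on port 443 with the expected one.
# Assumptions: PowerShell 2.0+, network access to $HostName (hypothetical value).

# Connect, complete the TLS handshake and return the presented certificate's SHA-1
# thumbprint as upper-case hex without spaces.
function Get-ServedThumbprint([string]$HostName, [int]$Port = 443) {
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept any certificate in the validation callback: the point here is to read the
    # thumbprint, not to decide whether to trust the chain.
    $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName)
        return $ssl.RemoteCertificate.GetCertHashString()
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

# Normalise a thumbprint copied from the Details tab (spaces, lower case) to the form
# GetCertHashString() returns, so the two can be compared directly.
function ConvertTo-NormalizedThumbprint([string]$Thumbprint) {
    return ($Thumbprint -replace '\s', '').ToUpperInvariant()
}

$expected = ConvertTo-NormalizedThumbprint '9f 05 01 58 3c 52 e7 28 bb ae 7d 11 06 98 09 fe d5 f8 d6 4f'
$served   = Get-ServedThumbprint 'www.example.com'

if ($served -eq $expected) {
    Write-Host "OK: the site serves the renewed certificate ($served)"
} else {
    Write-Warning "Mismatch: site serves $served, expected $expected (old certificate still bound?)"
}
```

A mismatch after the IIS wizard reported success usually means the site is still bound to the old certificate (or a different site answers on that IP and port), which the padlock alone would not reveal while the old certificate was still valid.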