Install certificate in IIS 6.0 after deleting the pending certificate request

Looks like certificates are my specialty lately. Today at work I had to replace the certificate on one of the web sites in IIS 6.0; the old one had expired. The new certificate was purchased as a renewal of the old one, not as a new certificate, so no private key…well, not with the certificate anyway, only in the server registry from the expired one.
The way any admin will renew the certificate is to open the web site properties, click the Directory Security tab, then hit the Server Certificate button. Here he/she will choose the "Process the pending request and install the certificate" option, then provide the new certificate to the wizard.

Easy, huh? My problem was that someone had deleted the pending request and left me with no option to associate the private key with the certificate. So…I thought I would recreate the environment in my lab at home and start this post in case someone encounters the same problem. The way I managed to solve this was by using the certutil command. So first things first…import the new certificate into the Certificates Store, either by using the mmc console or by using the certutil command. Just ignore the expiration date on the old certificate in the image below.


Now if you open the imported certificate you can see that it has no private key, meaning it is useless, for now.

Don’t close the certificate; instead go to the Details tab and, at the bottom, click the Thumbprint field; copy that thumbprint to the clipboard.

Now from a terminal issue the following command:

certutil -repairstore my "thumbprint"

where thumbprint is the thumbprint you just copied to the clipboard from the certificate Details tab. In my case it is:

certutil -repairstore my "9f 05 01 58 3c 52 e7 28 bb ae 7d 11 06 98 09 fe d5 f8 d6 4f"

Open the certificate from the Certificates Store again, and as you can see it now has a private key associated. If you still don’t see the private key on the new certificate, just hit F5 to refresh the Certificates Store.

Go into IIS and try to replace the old certificate with the new one. The new certificate appears in the list, because it has a private key.

Verify that it is working. If you get the padlock icon you’re good to go. If you are still not convinced, you can open the certificate from the browser and go to the Thumbprint field. The thumbprint should be identical to the thumbprint of the new certificate in the Certificates Store.
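
The same steps as a script, for anyone who prefers not to click through the GUI. This is an added example, not part of the original post; the certificate path is a hypothetical placeholder, and it assumes an elevated PowerShell 2.0 or later prompt on the web server and that the key pair from the deleted request is still on that server.

```powershell
# Added example: import a renewed certificate, re-link its private key with
# certutil -repairstore, and confirm the result before touching IIS.
param(
    # Hypothetical path to the renewed certificate file (no private key inside).
    [string]$CertPath = 'C:\certs\renewed-site.cer'
)

# Read the thumbprint from the file itself instead of copying it from the
# Details tab, so nothing is mistyped or pasted with stray characters.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$thumb = $cert.Thumbprint   # 40 hex characters, no spaces

function Test-HasPrivateKey([string]$Thumbprint) {
    # Look the certificate up in the local machine Personal ("my") store.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        $found = $store.Certificates.Find('FindByThumbprint', $Thumbprint, $false)
        return ($found.Count -gt 0 -and $found[0].HasPrivateKey)
    } finally {
        $store.Close()
    }
}

# Step 1: put the certificate in the store (same effect as the mmc import).
& certutil.exe -addstore my $CertPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed with exit code $LASTEXITCODE" }

# Step 2: if no key is linked yet, let certutil search the machine's key
# containers for the pair that matches this certificate's public key.
if (-not (Test-HasPrivateKey $thumb)) {
    & certutil.exe -repairstore my $thumb
    if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed with exit code $LASTEXITCODE" }
}

# Step 3: verify before selecting the certificate in IIS.
if (Test-HasPrivateKey $thumb) {
    Write-Output "Certificate $thumb now has a private key and can be selected in IIS."
} else {
    # The repair only works when the matching key pair still exists on this server.
    Write-Output "Certificate $thumb still has no private key; the key pair was not found here."
}
```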


7 thoughts on “Install certificate in IIS 6.0 after deleting the pending certificate request”

  • 23/07/2014 at 00:51

    Thanks for the great article! It got me up and running. 😉

  • 16/07/2014 at 04:27

    Wonderful steps – worked a treat for us, thank you!

  • 09/05/2014 at 11:24

    Hi Adrian,

    Exactly the same problem we are facing in our IIS webserver certificate. Your solution works like a charm.
    I really appreciate your efforts and presentation.

    Thanks for sharing this.

  • 29/01/2014 at 10:55

    THANK YOU! – I CAN'T BELIEVE THIS WORKED!!! I don't know who you are or why you would publish this but – THANKS and THANKS AGAIN! (this spared me an immense headache – and probably a punch up)

