Installed SSL certificate in certificate store but it s not in IIS certificate list

Question

After installation of a wildcard SSL certificate into the certificate store  the certificate does not appear in the IIS certificate list for use with site bindings   The certificate was installed correctly  but apparently no key was included with the certificate   How can you fix this issue without doing a new request or contacting someone for the key  if  for instance  it s the day before a launch   -

User · Answer

Had the same problem and found the easy solution thanks to inspiration from the above answers. Here's a quick step-by-step summary:

First open MMC with the Certificates plug in.
Drag-n-drop your new certificate (missing the key on the upper left part of the certificate icon) to the "Personal" certificate store. This I did because the name of the "Web Hosting" store is a so called friendly name and not the real name of the store, and I could not remember the real name which is needed for the command prompt utility certutil. Instead I just remembered that the real name of "Personal" is "My". Makes the rest easy, and once done I just move the certificate back into "Web Hosting".
Once the new certificate (missing the key) is in the "Personal" store, start a command prompt and issue the following command: certutil -store "My" (assuming the quotes are needed)
Note the serial number of your certificate. It's in the first line of the certificate dump. If you have other certificates in the "My" store, then you need to find the one you just moved. Look at expiration date and name for example. Mark and copy the serial number.
Now issue the command certutil -repairstore "My" <paste serial number here> and note the private key is verified.
Move the certificate back to the "Web Hosting" store and refresh. You should now see the certificate icon overlaid with a small key icon in the upper left part.
Now you should be able to choose the certificate from inside the IIS bindings dialog.

Have fun!

User · Answer

I ran into this problem today  Due to the timeframe and some other issues  getting the key from the provider was not possible   I found the following solution here  under pixelloa s comment  and thought it would be good to have the answer on Stack Overflow as well   If the certificate does not have a private key  you can fix this by doing the following      To fix this  use the MMC snapin to import the cert into PERSONAL store of the computer account    click it and grab the serial   line   Go to dos  run certutil   -repairstore my  paste the serial   in here   you need the quotes unless you remove the spaces from the serial number  then refresh MMC with personal certs  right click it - export - select   everything except DELETE PRIVATE KEY  hit ok   Then go to IIS and   IMPORT cert instead of finish request    For what it s worth  all I actually had to do was run the certutil -repairstore command  and my certificate worked  I did run the export and set a password for the export itself  but I did not have to reimport the certificate  The certificate now shows up in IIS s list of certificates and can be used for HTTPS bindings   I hope this helped someone

User · Answer

You can export a pfx from IIS on another server  if you have a server with the cert successfully installed   Update   Working on another round of certificate updates  a renewal  I ran into this problem again  on every server I tried    Geir s answer didn t work  but it did give me an idea   I identified the server where I had generated the Certificate Request and successfully installed the new cert there   From that server I was able to export a pfx and then import the pfx version on the rest of the servers   No need to redo the Cert Request

User · Answer

If you are using Godaddy certificate  then the issue is that the machine on which the certificate request is created and the machine on which is you are trying to complete the request are different   So do the following    Use the  generated-private-key txt  file that was created the godaddy  Use this file to create  pfx certificate with private key   you can use OpenSSL command   openssl pkcs12 -export -out  mydomain  pfx -inkey generated-private-key txt -in  your  crt file  The above command will generate certificate with private key  mydomain  pfx  Import this certificate in IIS using  Import  option

User · Answer

We had a similar issue on our team trying to apply a wildcard certificate on our new VM  So it might be a different situation were we were trying to copy our existing certificate to a new VM  but ended up with the same problem  certificate missing from IIS certificate list   This article  link below  helped us  So what did the trick was to export the certificate from the original server and include the private key during the export process  add a password to protect your certificate  then import it to the new server where you want to install the certificate  Mark the key as exportable so that it can be exported later on  I do not want to do a step by step since its well documented in the article  https   www digicert com kb ssl-support certificate-pfx-file-export-import-iis-10 htm

User · Answer

I had the same in IIS 10    I fixed it by importing the  pfx file using IIS manager    Select server root  above the sites-node   click  Server Certificates  in the right hand pane and import pfx there  Then I could select it from the dropdown when creating ssl binding for a website under sites

User · Answer

To solve  you need to import Private Certificate  PFX    If you don t have PFX  use OpenSSL to generate it    Download amp Install OpenSSL Open command line and run    openssl pkcs12 -export -in public certificate cer -inkey server key -out private certificate pfx   Than  install private certificate pfx  right click -  Install Certificate    Now  your certificate does not disappear anymore and you can bind Website over SSL   A great resource  https   blog lextudio com the-whole-story-of-server-certificate-disappears-in-iis-7-7-5-8-8-5-10-0-after-installing-it-why-b66e802baa38

User · Answer

when you have one certificate and 2 different web servers here how I fixed it    List item You should generate certificate at one of the servers as usually in IIS Then at that server you can also complete the certificate in IIS  Run the program DigiCertUtil and export that working certificate  Go to the other web server in IIS in security certificates Import that file from step 3   Then use that certificate to create the Binding

User · Answer

This happens when the installed certificate does not contain your private key    In order to check if the certificate contains the private key and how to repair it use this nice tutorial provided by Entrust

User · Answer

For anyone who s using a GoDaddy generated certificate for IIS  you have to generate the certificate request from IIS  The instructions on the GoDaddy site is incorrect  hope this saves someone some time  https   ca godaddy com help iis-8windows-server-2012-generate-csrs-certificate-signing-requests-4950 Found the answer from a guy named mcdunbus on a GoDaddy forum  Here is article https   www godaddy com community SSL-And-Security Trouble-installing-SSL-Certificate-on-IIS-8n-Windows-2012 td-p 39890

User · Answer

I had the very same issue  Problem here is that I installed godaddy certificate on local system and then copied on server which hence didnt have private key  So  use online converters to convert ssl to  pfx and then install it  Would definitely work

User · Answer

This can happen if you e g  generate a new certificate request after having your old certificate request approved  The new request will cause IIS to delete the private key associated with your first certificate request  and hence when you import the  now signed  certificate associated with your first request  it will not have a private key associated with it  Since it doesn t have a private key  it can t be used for SSL binding and will not appear in the IIS manager   You may be able to restore the private key  since it is stored more than one place on your computer    Start -  mmc exe -  Add snap-in -  Certificates -  Computer account  Verify that the installed certificate appears in the  Personal Certificates  tab  If not  import it  A missing private key is visualized by the icon next to the certificate not containing a key icon  Open the certificate   cer  file from disk by double-clicking on it  In the Details tab  note the serial number  Start -  cmd exe  Type  certutil -repairstore my  serialnumberhere    The serial number should have no spaces  Could be 8 or more digits    If the certutil command returns with  -repairstore command completed successfully   the private key of your certificate was most likely recovered  You can verify this by going to the MMC certificate list and hitting F5 -- if successful  your certificate will now have a small key in its icon  You will then be able to select your certificate from IIS   If this fails  your private key is no longer available and you need to send a new certificate signing request to the signing authority

User · Answer

The certutil -repairstore command mentioned in other answers worked for me  but if your certificate is in the  Web Hosting  store and you don t want to move it  the real  internal  name of the  Web Hosting  store is  WebHosting   for anyone following the steps mentioned here

User · Answer

The Issue is the certificate request CSR  was not generated from IIS  If you generated from Other sources e g OpenSSL it will bring the issue  You need to generate the Certificate request CSR  from IIS -  Create a certificate request  then enter all the details and then send to the vendor for regeneration of the SSL certificate  Mine worked properly after that

User · Answer

I had a key file  amp  a crt file but it wouldn t show in IIS because I couldn t attach the key to the certificate during the import  Ended up creating a pfx file containing the certificate  amp  the key  and after that it worked  When importing to the computer and not local user  Created the file with OpenSSL  Download first   openssl pkcs12 -export -out domain name pfx -inkey domain name key -in domain name crt

User · Answer

I had similar issue and tried all possible combinations as well as accepted answer without any luck  Finally I found DigiCert SSL Utility which helped me to install certificate in couple clicks  You can download it here  Hope this answer will save some time for others

User · Answer

If you are using Godaddy as your certificate authority  and you are running into this issue  All you have to do is Re-key the certificate  I tried the above certutil -repairstore my  paste the serial   in here   but the system wanted me to use smart card for authentication   Running IIS10 on Server 2016 and 2012R2   When I Created a Certificate Request  gone through the process of Re-keying and gone through the process of  Complete Certificate Request  I was able to sucessfuly configure  Bindings     without the certificate disappearing

User · Answer

had the same problem     You need to ensure you are installing on the same server as the one you created the  CSR  file from   Otherwise  it won t have the private keys     If you got your cert  just ask to re-key  it will ask for a new CSR file   I e  Go Daddy allows you to re-key  just find the cert  and hit  manage   I am not expert at this stuff  but this managed to work

[iis] Installed SSL certificate in certificate store, but it's not in IIS certificate list

Examples related to iis

Examples related to ssl-certificate