[iis] Installed SSL certificate in certificate store, but it's not in IIS certificate list

After installation of a wildcard SSL certificate into the certificate store, the certificate does not appear in the IIS certificate list for use with site bindings.

The certificate was installed correctly, but apparently no key was included with the certificate.

How can you fix this issue without doing a new request or contacting someone for the key (if, for instance, it's the day before a launch? ;-) )

I had similar issue and tried all possible combinations as well as accepted answer without any luck. Finally I found DigiCert SSL Utility which helped me to install certificate in couple clicks. You can download it here. Hope this answer will save some time for others.

The certutil -repairstore command mentioned in other answers worked for me, but if your certificate is in the "Web Hosting" store and you don't want to move it, the real (internal) name of the "Web Hosting" store is "WebHosting", for anyone following the steps mentioned here.

To solve, you need to import Private Certificate (PFX).

If you don't have PFX, use OpenSSL to generate it:

• Download&Install OpenSSL

• Open command line and run:

  openssl pkcs12 -export -in public_certificate.cer -inkey server.key -out private_certificate.pfx

Than, install private_certificate.pfx (right click -> Install Certificate).

Now, your certificate does not disappear anymore and you can bind Website over SSL.

A great resource: https://blog.lextudio.com/the-whole-story-of-server-certificate-disappears-in-iis-7-7-5-8-8-5-10-0-after-installing-it-why-b66e802baa38

This happens when the installed certificate does not contain your private key.

In order to check if the certificate contains the private key and how to repair it use this nice tutorial provided by Entrust

Had the same problem and found the easy solution thanks to inspiration from the above answers. Here's a quick step-by-step summary:

1. First open MMC with the Certificates plug in.
2. Drag-n-drop your new certificate (missing the key on the upper left part of the certificate icon) to the "Personal" certificate store. This I did because the name of the "Web Hosting" store is a so called friendly name and not the real name of the store, and I could not remember the real name which is needed for the command prompt utility certutil. Instead I just remembered that the real name of "Personal" is "My". Makes the rest easy, and once done I just move the certificate back into "Web Hosting".
3. Once the new certificate (missing the key) is in the "Personal" store, start a command prompt and issue the following command: certutil -store "My" (assuming the quotes are needed)
4. Note the serial number of your certificate. It's in the first line of the certificate dump. If you have other certificates in the "My" store, then you need to find the one you just moved. Look at expiration date and name for example. Mark and copy the serial number.
5. Now issue the command certutil -repairstore "My" <paste serial number here> and note the private key is verified.
6. Move the certificate back to the "Web Hosting" store and refresh. You should now see the certificate icon overlaid with a small key icon in the upper left part.
7. Now you should be able to choose the certificate from inside the IIS bindings dialog.

Have fun!

For anyone who's using a GoDaddy generated certificate for IIS, you have to generate the certificate request from IIS. The instructions on the GoDaddy site is incorrect, hope this saves someone some time.

https://ca.godaddy.com/help/iis-8windows-server-2012-generate-csrs-certificate-signing-requests-4950

Found the answer from a guy named mcdunbus on a GoDaddy forum. Here is article https://www.godaddy.com/community/SSL-And-Security/Trouble-installing-SSL-Certificate-on-IIS-8n-Windows-2012/td-p/39890#

when you have one certificate and 2 different web servers here how I fixed it:

1. List item
2. You should generate certificate at one of the servers as usually in IIS Then at that server you can also complete the certificate in IIS.
3. Run the program DigiCertUtil and export that working certificate
4. Go to the other web server in IIS in security certificates Import that file from step 3.
5. Then use that certificate to create the Binding.

I had a key file & a crt file but it wouldn't show in IIS because I couldn't attach the key to the certificate during the import. Ended up creating a pfx file containing the certificate & the key, and after that it worked (When importing to the computer and not local user)

Created the file with OpenSSL (Download first).

openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt

The Issue is the certificate request(CSR) was not generated from IIS. If you generated from Other sources e.g OpenSSL it will bring the issue. You need to generate the Certificate request(CSR) from IIS -> Create a certificate request, then enter all the details and then send to the vendor for regeneration of the SSL certificate. Mine worked properly after that.

This can happen if you e.g. generate a new certificate request after having your old certificate request approved. The new request will cause IIS to delete the private key associated with your first certificate request, and hence when you import the (now signed) certificate associated with your first request, it will not have a private key associated with it. Since it doesn't have a private key, it can't be used for SSL binding and will not appear in the IIS manager.

You may be able to restore the private key, since it is stored more than one place on your computer:

1. Start -> mmc.exe -> Add snap-in -> Certificates -> Computer account. Verify that the installed certificate appears in the "Personal/Certificates" tab. If not, import it. A missing private key is visualized by the icon next to the certificate not containing a key icon.
2. Open the certificate (.cer) file from disk by double-clicking on it. In the Details tab, note the serial number.
3. Start -> cmd.exe. Type "certutil -repairstore my (serialnumberhere)". The serial number should have no spaces. Could be 8 or more digits.

If the certutil command returns with "-repairstore command completed successfully", the private key of your certificate was most likely recovered. You can verify this by going to the MMC certificate list and hitting F5 -- if successful, your certificate will now have a small key in its icon. You will then be able to select your certificate from IIS.

If this fails, your private key is no longer available and you need to send a new certificate signing request to the signing authority.

I had the very same issue. Problem here is that I installed godaddy certificate on local system and then copied on server which hence didnt have private key. So, use online converters to convert ssl to .pfx and then install it. Would definitely work.

We had a similar issue on our team trying to apply a wildcard certificate on our new VM.

So it might be a different situation were we were trying to copy our existing certificate to a new VM, but ended up with the same problem( certificate missing from IIS certificate list).

This article (link below) helped us:

So what did the trick was to export the certificate from the original server and include the private key during the export process( add a password to protect your certificate)

then import it to the new server where you want to install the certificate. Mark the key as exportable so that it can be exported later on.

I do not want to do a step by step since its well documented in the article.

https://www.digicert.com/kb/ssl-support/certificate-pfx-file-export-import-iis-10.htm

If you are using Godaddy as your certificate authority, and you are running into this issue; All you have to do is Re-key the certificate. I tried the above certutil -repairstore my "paste the serial # in here" but the system wanted me to use smart card for authentication. (Running IIS10 on Server 2016 and 2012R2)

When I Created a Certificate Request, gone through the process of Re-keying and gone through the process of "Complete Certificate Request" I was able to sucessfuly configure "Bindings..." without the certificate disappearing.

had the same problem.

You need to ensure you are installing on the same server as the one you created the "CSR" file from. Otherwise, it won't have the private keys.

If you got your cert, just ask to re-key, it will ask for a new CSR file. I.e. Go Daddy allows you to re-key, just find the cert, and hit "manage"

I am not expert at this stuff, but this managed to work.

You can export a pfx from IIS on another server, if you have a server with the cert successfully installed.

Update:

Working on another round of certificate updates (a renewal) I ran into this problem again, on every server I tried. @Geir's answer didn't work, but it did give me an idea. I identified the server where I had generated the Certificate Request and successfully installed the new cert there. From that server I was able to export a pfx and then import the pfx version on the rest of the servers. No need to redo the Cert Request.

If you are using Godaddy certificate, then the issue is that the machine on which the certificate request is created and the machine on which is you are trying to complete the request are different. So do the following:

1. Use the "generated-private-key.txt" file that was created the godaddy. Use this file to create .pfx certificate(with private key) you can use OpenSSL command:

   openssl pkcs12 -export -out {mydomain}.pfx -inkey generated-private-key.txt -in {your .crt file}

2. The above command will generate certificate with private key {mydomain}.pfx.

3. Import this certificate in IIS using "Import" option

I had the same in IIS 10.

I fixed it by importing the .pfx file using IIS manager.

Select server root (above the sites-node), click 'Server Certificates' in the right hand pane and import pfx there. Then I could select it from the dropdown when creating ssl binding for a website under sites