Forcing SSL Certificate to Associate with Server’s Private Key
Have you ever been handed a certificate exported (without its private key) from a server, or issued directly by a CA, to install on a different server from the one used to create the CSR? Whilst some IIS functions and applications will accept a certificate without a private key, others demand one. In any case, best practice is to import a certificate together with the private key that was used to create the CSR in the first place. However, there are circumstances where this is not possible. Perhaps the admin who installed the certificate on the original server forgot (or deliberately chose not) to mark the private key as exportable. Perhaps this is not the first export of the certificate and the private key has been lost along the way. In these situations, using the certificate without its proper private key can stop applications and web services from functioning; classic examples are Lync and Unified Messaging for Exchange.
Fortunately, there is a way to resolve this issue without purchasing a new certificate.
First we need the serial number of the certificate. If the certificate is not yet imported, import it now: you can use the Certificates MMC snap-in, or if you have a PFX file you can double-click it and install it. To get the serial number, either open the certificate and browse the Details tab for the Serial number field, or run this PowerShell command:
Get-ChildItem -Path cert:\LocalMachine\my | Select-Object Subject,Serialnumber
Replace the path with the store in which you installed the certificate. The command above uses the local machine Personal store, which is usually where server certificates are installed.
This command produces output similar to the following:
Subject                                                              SerialNumber
-------                                                              ------------
CN=localhost                                                         4CA2A1EF3CF850B24A6F8841382950AC
Efirstname.lastname@example.org, CN=goldenfrog-client, O=GoldenFr... 1A
Eemail@example.com, CN=GoldenFrog-Inc CA, O=GoldenFr...              00D776530B7B49A6EC
Copy the serial number of the certificate you want to fix from the table.
Next we need to force the association between the imported certificate and the server's private key. certutil does this by matching the certificate's public key against the keys already present in the local machine key store, so the private key generated with the CSR must still exist on this server.
Open a Command Prompt as an administrator and type the following command:
certutil.exe -repairstore my <serial number of cert>
And, like magic, the certificate is now associated with the server's private key.
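To make the procedure above repeatable and verifiable, here is an added PowerShell script (not from the original post) that lists which certificates in the LocalMachine\My store lack a private key, runs the certutil repair for a chosen serial number, and then re-checks HasPrivateKey. It assumes an elevated PowerShell session on the server that generated the CSR; the $SerialNumber parameter is a placeholder you supply.

```powershell
# Added example, not part of the original post.
# Assumptions: run elevated on the server that generated the CSR;
# $SerialNumber is the serial copied from the Get-ChildItem output.
param(
    [Parameter(Mandatory = $true)]
    [string]$SerialNumber   # e.g. 4CA2A1EF3CF850B24A6F8841382950AC from the sample output
)

$store = 'Cert:\LocalMachine\My'

function Get-CertBySerial {
    param([string]$Serial)
    # Serial numbers compare case-insensitively; strip spaces or colons some tools add
    $clean = ($Serial -replace '[\s:]', '').ToUpperInvariant()
    Get-ChildItem -Path $store | Where-Object { $_.SerialNumber.ToUpperInvariant() -eq $clean }
}

# 1. Report every certificate in the store and whether a private key is bound to it
Get-ChildItem -Path $store |
    Select-Object Subject, SerialNumber, HasPrivateKey, NotAfter |
    Format-Table -AutoSize

$cert = Get-CertBySerial -Serial $SerialNumber
if (-not $cert) { throw "No certificate with serial $SerialNumber found in $store" }

if ($cert.HasPrivateKey) {
    Write-Host "Certificate $($cert.Thumbprint) already has a private key; nothing to repair."
    return
}

# 2. Ask certutil to re-link the certificate with a matching key in the machine key store
& certutil.exe -repairstore my $cert.SerialNumber
if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed with exit code $LASTEXITCODE" }

# 3. Re-read the certificate; HasPrivateKey only reflects the repair on a fresh lookup
$cert = Get-CertBySerial -Serial $SerialNumber
if ($cert.HasPrivateKey) {
    Write-Host "Repair succeeded: $($cert.Subject) is now bound to its private key."
} else {
    Write-Warning "No private key is bound after the repair; the key from the CSR is probably not on this server."
}
```

If the final check still reports no private key, the certificate needs to be re-issued from a CSR generated on this server, or imported as a PFX that includes the key.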
Mark is an Independent Microsoft Teams Consultant with over 15 years' experience in Microsoft technology. Mark is the founder of Commsverse, a dedicated Microsoft Teams conference, and a former MVP. You can follow him on Twitter @UnifiedVale