Forcing SSL Certificate to Associate with Server’s Private Key

Have you ever been handed a certificate exported (without the private key) from a server, or issued directly by a CA, to install on a different server than the one used to create the CSR? Whilst some IIS functions and apps allow you to use a certificate without a private key, others demand it. In any case, best practice is to import a certificate together with the private key that was used to create the CSR in the first place. However, there are circumstances where this may not be possible. Perhaps the admin who installed the certificate on the original server forgot (or intentionally neglected) to mark the private key as exportable. Perhaps this is not the first export of the certificate and the private key has been lost along the way. In these situations, using these certificates without the proper private key can prevent applications and web services from functioning. Classic examples are Lync and UM for Exchange.

Fortunately, there is a way to resolve this issue without purchasing a new certificate.

First we need to get the serial number of the certificate. If your certificate is not yet imported, import it now. You can use the Certificates MMC snap-in, or if you have a PFX file you can double-click it and install it. To get the serial number of the certificate, either open the certificate and look for the serial number on the Details tab, or run this PowerShell command:

Get-ChildItem -Path cert:\LocalMachine\my | Select-Object Subject,Serialnumber

Replace the path with the store you installed the certificate into. The above command uses the local machine personal store, which is usually where server certificates get installed.

This command will produce output similar to this:

Subject                                                     SerialNumber
-------                                                     ------------
CN=localhost                                                4CA2A1EF3CF850B24A6F8841382950AC
E=admin@goldenfrog.com, CN=goldenfrog-client, O=GoldenFr... 1A
E=admin@goldenfrog.com, CN=GoldenFrog-Inc CA, O=GoldenFr... 00D776530B7B49A6EC

Copy the serial number of the certificate you want to repair from the table.

Next we need to force the association between the server's private key and the certificate we have imported.

Open Command Prompt as an administrator and type the following command:

certutil.exe -repairstore my <serial number of cert>

And, magic: the certificate is now associated with the server's private key.
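As an added example (not part of the original post), here is the whole procedure as a PowerShell script: it lists certificates in the personal store that lack a private key, runs certutil -repairstore for the serial number you pass in, and then re-checks HasPrivateKey, which only becomes true if a key matching the certificate already exists in this machine's key store. The $SerialNumber parameter is assumed to be supplied by the operator from the listing above; run the script from an elevated PowerShell window.

```powershell
# Added example (not from the original post): list certificates in the
# LocalMachine\My store that have no private key, repair a chosen one by
# serial number with certutil, then verify the result.
# Assumption: $SerialNumber is supplied by the operator (copied from the listing).
param(
    [Parameter(Mandatory = $true)]
    [string]$SerialNumber
)

$store = 'Cert:\LocalMachine\My'

# Before: show which certificates in the store are missing a private key.
Get-ChildItem -Path $store |
    Where-Object { -not $_.HasPrivateKey } |
    Select-Object Subject, SerialNumber, NotAfter |
    Format-Table -AutoSize

# Serial numbers in the store are hex without separators; normalise the input
# so a value copied from the MMC (with spaces or colons) still matches.
$serial = ($SerialNumber -replace '[\s:]', '').ToUpperInvariant()
$cert = Get-ChildItem -Path $store | Where-Object { $_.SerialNumber -eq $serial }

if (-not $cert) {
    throw "No certificate with serial number $serial found in $store."
}
if ($cert.HasPrivateKey) {
    Write-Host "Certificate '$($cert.Subject)' already has a private key; nothing to do."
    return
}

# certutil -repairstore searches the machine's key containers for a key whose
# public half matches the certificate and relinks it. Requires elevation.
& certutil.exe -repairstore my $serial
if ($LASTEXITCODE -ne 0) {
    throw "certutil -repairstore failed with exit code $LASTEXITCODE."
}

# After: re-read the certificate object. HasPrivateKey is only true if a
# matching key actually existed on this machine.
$cert = Get-ChildItem -Path $store | Where-Object { $_.SerialNumber -eq $serial }
if ($cert.HasPrivateKey) {
    Write-Host "Private key successfully associated with '$($cert.Subject)'."
} else {
    Write-Warning "No matching private key was found on this machine; the key that created the CSR must be present here for the repair to succeed."
}
```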
