SSL Certificate add failed when binding to port

I created a WebService using WCF. I'm doing self hosting and I want to enable HTTPS. From my understanding for this to happen, I need to create a certificate and bind to the port that I want to use.

Here are the steps that I've done to handle this:

  1. Created a Certificate on my local machine to act as the Root Certificate Authority
    • makecert -n "CN=My Root Certificate Authority" -r -sv RootCATest.pvk RootCATest.cer
  2. Opened MMC.exe and imported the saved .cer file into the "Trusted Root Certificate\Certificates\ folder
    • makecert -sk MyKeyName -iv RootCATest.pvk -n "CN=MyMachineName" -ic RootCATest.cer -sr localmachine -ss my -sky exchange -pe MyMachineName.cer
  3. Created a temporary service certificate from the signed Root Certificate Authority

    • makecert -sk MyKeyName -iv RootCATest.pvk -n "CN=MyMachineName" -ic RootCATest.cer -sr localmachine -ss my -sky exchange -pe MyMachineName.cer
  4. Tried to Bind the Certificate to the Port number (443 in this case)

    • netsh http add sslcert ipport=0.0.0.0:443 certhash=2c5ba85bcbca412a74fece02878a44b285c63981 appid={646937c0-1042-4e81-a3b6-47d678d68ba9}

The result from step 4 is the following error:

SSL Certificate add failed, Error 1312

A specified logon session does not exist. It may already have been terminated.

Does anyone have a clue why I might be getting this error?


I had the same error. The first time it occurred, as Micheal said, I had to move the certificate under Certificates(Local Computer) -->Personal -->Certificate folder. I had the same error when I imported the same certificate on another machine. The reason was that I was using certmgr.msc to import the certificate. . The window opened thus shows “Certificates – Current User”. Certificates imported using this window cause netsh to fail with the 1312 error. Make sure to use certificate snap-in in MMC to import certificates. The certificate snap-in from MMC shows “Certificates (Local Computer)”. This lets the netsh execution sail through.


SSL Certificate add failed, Error 1312

A specified logon session does not exist. It may already have been terminated.

I used to have the exact same problem and spent a couple days trying to figure out what the reason was.

To make the long story short: the problem is that you have installed the certificate on the winrm server that does not have PRIVATE KEY.

I have checked this several times. You have to delete your certificate and rebuild it by using makecert for instance, as it is described perfectly here: http://blogs.technet.com/b/jhoward/archive/2005/02/02/365323.aspx

You can easily check if your certificate has private a key as so: mmc - certificates - local machine - personal. Look at the icon of the certificate - it MUST have key sign on the icon.


I have bought an official Thawte certificate to secure a self hosted (console application) web service over a specific port on our internet server. I then have received the Thawte certificate and installed it with mmc on our Internet server (the certificate then was viewable under „Trusted Root Certification Authorities“ (with the key icon on the image, what shows that the certificate contains a private key what is mandatory to be able to bind it to a port b.t.w.) .

Next step was to enable the <port> for https:

netsh http add urlacl url=https://+:<port>/ user=everyone

(what was no problem)

Next step was to enable the port () for https:

netsh http add sslcert ipport=0.0.0.0:<port> certhash=<thumbprint to certificate> appid={<guid to application>}

This has failed with the error message:
SSL Certificate add failed, Error: 1312 A specified logon session does not exists. It may be already have been terminated.

I then have searched the Internet and tried various suggested workaround’s (without success).

The solution for my case was to add certstorename=Root to the netsh command:

netsh http add sslcert ipport=0.0.0.0:<port *1)> certstorename=Root certhash=<thumbprint to certificate *2)> appid={<guid to application *3)>}

Notes:
If no certstorename is applied to net netsh command, netsh takes the default, what is MY (what targets the certificate store: “Personal” where self signed certificates are stored normally).
Root targets the certificate store: „Trusted Root Certification Authorities“

*1): The port, you want to use the connection
*2): You can extract the thumbprint to the certificate, if you open the certificate (on a windows system, just doubleclick the certificate in explorer) - select tab “Details” and click on “Thumbprint”. The “thumbprint” then is showed and can be copied. Copy the Thumbprint and remove all spaces...
*3): As appid you can take any ID in the form {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} as the APPID is only informative. With the command “netsh http show sslcert” you can query the bound certificates on the whole machine and the will see informative, which appid is bound to which certificate (not really helpful in practice b.t.w.) In my case, I have took the (from VS generated) GUID to my web service application


I had been dealing with this issue and I'm using a self-hosted WCF service. I just made the breakthrough:

I had a certificate in the personnel folder for the Machine store. It expired and my manager issued a new one. The new one failed for me with this error. I tried a lot of stuff from Google but in the end, resolved the issue using a completely different solution.

I installed both certificates- the expired one and the newer one. Then I used this command to get a list of them:

certutil -store My

I get this output (info is fake and other certificate are not listed):

================ Certificate 1 ================
Serial Number: 6d
Issuer: [email protected], CN=VoiceTrust Server CA, OU=VoiceTrust Oper
ations, O=VoiceTrust
 NotBefore: 03-Jan-2013 3:33 PM
 NotAfter: 03-Mar-2013 3:33 PM
Subject: [email protected], CN=hornet.voicetrust.com, OU=Software Develop
ment, O=VoiceTrust eServices MENA FZ LLC, L=Dubai, C=AE
Non-root Certificate
Cert Hash(sha1): 98 5f a0 d3 11 6a 4b 64 3b db 0a a4 11 66 fc 08 28 74 7e 53
  Key Container = {E5BC0912-7808-4B89-B457-31946DE5990E}
  Unique container name: dfedfcc149408fb990a3bacd6d31126b_3277b2c9-9894-46d0-9b6
4-30f0d6589239
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Private key is NOT exportable
Encryption test passed

================ Certificate 2 ================
Serial Number: 6d
Issuer: [email protected], CN=VoiceTrust Server CA, OU=VoiceTrust Oper
ations, O=VoiceTrust
 NotBefore: 03-Nov-2013 3:33 PM
 NotAfter: 03-Dec-2013 3:33 PM
Subject: [email protected], CN=hornet.voicetrust.com, OU=Software Develop
ment, O=VoiceTrust eServices MENA FZ LLC, L=Dubai, C=AE
Non-root Certificate
Cert Hash(sha1): 30 5f a0 d3 11 6a 4b 64 3b db 0a a4 11 66 fc 08 28 74 7e 53
  Key Container = {E5BC0912-7808-4B89-B457-31946DE5960E}
  *Unique container name:* 55edfcc149408fb990a3bacd6d31126b_3277b2c9-9894-46d0-9b6
4-30f0d6589239
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Private key is NOT exportable
Encryption test passed

Now, everything seems OK but certificate 1 is expired and works if I try to bind it to a port whereas Certificate 2 fails with Error 1312.

The key difference that baffled me was the Unique container name property. It should be representing a physical key file on the hard drive in the %ProgramData%\Microsoft\Crypto\RSA\MachineKeys\

For Certificate 1, the file was there but for Certificate 2, there was no such file. After searching I found the file against Certificate 2 in the sub folder of %AppData%\Microsoft\Crypto\ folder. That's user specific keys not Machine level keys. It's amazing that the certificate is being imported into Computer store yet it always keeps the container key of User's store.

I deleted the '55edfcc149408fb990a3bacd6d31126b_3277b2c9-9894-46d0-9b64-30f0d6589239' file under the AppData folder and ran the repair command for my certificate 2 on the store:

certutil -repairstore My 2

This time, the Unique container name was reflecting a file in the proper folder under '%ProgramData%\Microsoft\Crypto\' and everything started working.

Hope this is helpful to someone.


I've been fighting error 1312 all day, what fixed it for me was to import the certificate in mmc as a .p12 file instead of a .crt. If you are creating it with OpenSSL then once you have created the .crt, do:

pkcs12 -export -in server.crt -inkey server.key -name “Your Name” -out server.p12

As described. When you go to import it in mmc it will be a called "Personal Information Exchange" file (and apparently a .pfx file would also work).

I'm new to writing servers and dealing with SSL and I have no idea why this works, but I hope it helps.