Installed SSL certificate in certificate store, but it's not in IIS certificate list

After installation of a wildcard SSL certificate into the certificate store, the certificate does not appear in the IIS certificate list for use with site bindings.

The certificate was installed correctly, but apparently no key was included with the certificate.

How can you fix this issue without doing a new request or contacting someone for the key (if, for instance, it's the day before a launch? ;-) )


Solution 1:

I ran into this problem today. Due to the timeframe and some other issues, getting the key from the provider was not possible.

I found the following solution here (under pixelloa's comment) and thought it would be good to have the answer on Stack Overflow as well.

If the certificate does not have a private key, you can fix this by doing the following:

To fix this, use the MMC snap-in to import the cert into the PERSONAL store of the computer account, click it and grab the serial # line. Go to DOS, run certutil -repairstore my "paste the serial # in here" (you need the quotes unless you remove the spaces from the serial number), then refresh MMC with personal certs, right-click it - export - select everything except DELETE PRIVATE KEY, hit OK. Then go to IIS and IMPORT cert instead of finish request.

For what it's worth, all I actually had to do was run the certutil -repairstore command, and my certificate worked. I did run the export and set a password for the export itself, but I did not have to reimport the certificate. The certificate now shows up in IIS's list of certificates and can be used for HTTPS bindings.

I hope this helped someone.

Solution 2:

Had the same problem and found the easy solution thanks to inspiration from the above answers. Here's a quick step-by-step summary:

  1. First open MMC with the Certificates plug-in.
  2. Drag-n-drop your new certificate (missing the key on the upper left part of the certificate icon) to the "Personal" certificate store. This I did because the name of the "Web Hosting" store is a so called friendly name and not the real name of the store, and I could not remember the real name which is needed for the command prompt utility certutil. Instead I just remembered that the real name of "Personal" is "My". Makes the rest easy, and once done I just move the certificate back into "Web Hosting".
  3. Once the new certificate (missing the key) is in the "Personal" store, start a command prompt and issue the following command: certutil -store "My" (assuming the quotes are needed)
  4. Note the serial number of your certificate. It's in the first line of the certificate dump. If you have other certificates in the "My" store, then you need to find the one you just moved. Look at expiration date and name for example. Mark and copy the serial number.
  5. Now issue the command certutil -repairstore "My" <paste serial number here> and note the private key is verified.
  6. Move the certificate back to the "Web Hosting" store and refresh. You should now see the certificate icon overlaid with a small key icon in the upper left part.
  7. Now you should be able to choose the certificate from inside the IIS bindings dialog.

Have fun!
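The procedure in Solutions 1 and 2 (find the certificate in the "My" store, read its serial number, run certutil -repairstore, confirm the key icon appears) as one PowerShell script. This is an added example, not code from either answer. It assumes you know the certificate's thumbprint (the $Thumbprint parameter is a placeholder), that you run it from an elevated prompt, and that the key pair was generated on this machine (e.g. by IIS "Create Certificate Request"); certutil -repairstore only re-links a certificate to a private key that already exists in the machine's key containers, so if the CSR was made elsewhere the script reports that instead of pretending it worked.

```powershell
# Added example (not from the original answers): re-associate a certificate in
# LocalMachine\My with its private key via certutil -repairstore, then verify.
# Assumptions: run elevated, on the machine where the CSR/key pair was created,
# and the thumbprint passed in belongs to the imported certificate.
param(
    [Parameter(Mandatory)]
    [string]$Thumbprint,                 # placeholder: thumbprint of the imported cert
    [string]$BackupPfx = ''              # optional: path for a PFX export after repair
)

$storePath = 'Cert:\LocalMachine\My'     # "My" is the real name of the "Personal" store

function Get-CertByThumbprint {
    param([string]$Path, [string]$Tp)
    # Re-read from the store each time; a cached X509Certificate2 object does
    # not notice a key association made by certutil after it was loaded.
    Get-ChildItem $Path | Where-Object { $_.Thumbprint -eq $Tp }
}

$cert = Get-CertByThumbprint -Path $storePath -Tp $Thumbprint
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in $storePath" }

"Subject:       $($cert.Subject)"
"Serial number: $($cert.SerialNumber)"
"Expires:       $($cert.NotAfter)"
"HasPrivateKey: $($cert.HasPrivateKey)"

if (-not $cert.HasPrivateKey) {
    # certutil compares the certificate's public key with the private keys in
    # the machine's CSP/KSP containers and restores the link when it finds a match.
    # The serial number from .NET has no spaces, so no quoting is needed.
    & certutil.exe -repairstore My $cert.SerialNumber
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -repairstore failed (exit code $LASTEXITCODE); see output above"
    }
    $cert = Get-CertByThumbprint -Path $storePath -Tp $Thumbprint
}

if (-not $cert.HasPrivateKey) {
    Write-Warning ("Still no private key after repairstore. The key pair was most likely " +
                   "generated on another machine: you need the PFX export from there, " +
                   "or a re-key/new request from the CA.")
    exit 1
}

"Private key is associated; the certificate should now be selectable in IIS bindings."

if ($BackupPfx) {
    # Optional backup with the private key (the "export, keep private key" step in
    # Solution 1). The password protects the PFX; store it somewhere appropriate.
    $pwd = Read-Host -Prompt 'PFX export password' -AsSecureString
    Export-PfxCertificate -Cert $cert -FilePath $BackupPfx -Password $pwd | Out-Null
    "Exported certificate and private key to $BackupPfx"
}
```

Usage: `.\Repair-CertKey.ps1 -Thumbprint <hex thumbprint> -BackupPfx C:\backup\wildcard.pfx` from an elevated PowerShell prompt. If you dropped the certificate into "Web Hosting" rather than "Personal", move it to Personal first as Solution 2 describes, or change $storePath to `Cert:\LocalMachine\WebHosting`, which is the real name of that store.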

Solution 3:

If you are using GoDaddy as your certificate authority and you are running into this issue, all you have to do is re-key the certificate. I tried the above certutil -repairstore my "paste the serial # in here", but the system wanted me to use a smart card for authentication. (Running IIS 10 on Server 2016 and 2012 R2)

When I created a certificate request, went through the process of re-keying and went through the process of "Complete Certificate Request", I was able to successfully configure "Bindings..." without the certificate disappearing.