IIS8 Centralized Certificates Not Recognizing Certs ("The specified private key password is not correct.")

I have a pretty straightforward setup:

- IIS 8 on Windows Server 2012 R2
- 2x ARR servers with NLB
- 3x Web content servers in a web farm

ARR servers have IIS shared configuration and IIS web content servers have shared configuration. I am able to successfully browse to a domain pointed to my ARR NLB IP over HTTP and hit my web servers in the web farm.

My problem is when I add certificates to the CCS share, they show up with a red X and the error "the specified private key password is not correct." I have no key password specified in the CCS feature settings, and I generated a CSR and key without encryption to issue these test certificates from a valid CA.

The CSR and keys are all generated through a custom internal SSL utility which is just using OpenSSL. I ran the certificate and key through some validation tools on sslshopper.com and they verified to match and the key was able to be read as it was not encrypted.

I generated the PKCS#12 (.pfx) file using OpenSSL with my un-encrypted key and certificate issued from my CA. I am able to import the generated PFX into my cert store on my local machine, view it, and export it all without issue. One strange thing I noticed is that when I exported the cert with key from my personal cert store on my machine and added it to the CCS, the error was that the file system could not find the file specified, even though it's displaying the cert with an error which is located in the share.

Any assistance would be greatly appreciated.


In regards to the issue you are seeing where it responds with the file system could not find the file specified, we had a similar issue.

Our certificate manager always uses Linux/OpenSSL to create the PFX files, and the output files have missing header information that OpenSSL doesn't care about. The fix for us was to import the cert into CertMgr.msc on Windows and then re-export it to a new PFX; once imported into the CCS, all worked as it should.


I had the exact error today on IIS Windows Server 2016. After some searching I found the answer. It seems there are issues with impersonation when using IIS Manager GUI and the Centralized Certificate Store. I was logged in with my normal domain admin account but had configured the certificate store network share to be mounted as a different account (which had sufficient rights). I changed everything to Administrator, logged in as Administrator and everything worked. Evidently it's only a problem with the GUI but in this case it was pretty misleading. See this thread for more info: https://github.com/ridercz/AutoACME/issues/14
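
The following is an added example, not part of either answer above: a PowerShell check that loads every PFX in the share through the Windows certificate APIs with the password CCS is configured to use, and optionally writes a Windows-generated copy, as a scripted stand-in for the CertMgr.msc import and re-export. The share path, output folder and parameter names are placeholders, and treating a .NET re-export as equivalent to the CertMgr.msc one is an assumption.

```powershell
# Added example: test each PFX in a CCS share outside of IIS Manager.
# $SharePath and $OutDir are hypothetical placeholders; adjust for your environment.
param(
    [string]$SharePath   = '\\fileserver\ccs',     # placeholder UNC path of the CCS share
    [string]$PfxPassword = '',                     # empty = no private key password, as in the question
    [string]$OutDir      = ''                      # if set, write a Windows-generated PFX copy here
)

$x509  = 'System.Security.Cryptography.X509Certificates'
$flags = [Enum]::Parse([Type]"$x509.X509KeyStorageFlags", 'Exportable')
$pfx   = [Enum]::Parse([Type]"$x509.X509ContentType", 'Pfx')

Get-ChildItem -Path $SharePath -Filter *.pfx | ForEach-Object {
    $file = $_
    try {
        # Same Windows PFX import path IIS depends on; a wrong password, an
        # unreadable file or a malformed container fails here with the real error.
        $cert = New-Object "$x509.X509Certificate2" -ArgumentList $file.FullName, $PfxPassword, $flags
    } catch {
        [pscustomobject]@{ File = $file.Name; Loaded = $false; HasPrivateKey = $null
                           Subject = $null; NotAfter = $null; Error = $_.Exception.Message }
        return   # continue with the next file
    }

    if ($OutDir) {
        # Re-serialise the certificate and key with the Windows PKCS#12 writer.
        # Only the leaf certificate is exported; chain certificates are not included.
        $bytes = $cert.Export($pfx, $PfxPassword)
        [IO.File]::WriteAllBytes((Join-Path $OutDir $file.Name), $bytes)
    }

    [pscustomobject]@{ File = $file.Name; Loaded = $true; HasPrivateKey = $cert.HasPrivateKey
                       Subject = $cert.Subject; NotAfter = $cert.NotAfter; Error = $null }
    $cert.Reset()   # release the key material loaded for the check
} | Format-Table -AutoSize
```

Running it once as your own account and once as the account configured for the CCS share helps separate a problem with the PFX file itself from an access or impersonation problem.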