IIS8 Centralized Certificates Not Recognizing Certs ("The specified private key password is not correct.")

windows-server-2012-r2 iis-8

I have a pretty straight forward setup: IIS 8 on Windows Server 2012 R2 2x ARR servers with NLB 3x Web content servers in a web farm

ARR servers have IIS shared configuration and IIS web content servers have shared configuration. I am able to sucessfully browse to a domain pointed to my ARR NLB IP over HTTP and hit my web servers in the web farm.

My problem is when I add certificates to the CCS share, they show up with a red X and the error "the specified private key password is not correct.". I have no key password specified in the CCS feature settings, and I generated a CSR and key without encryption to issue these test certificates from a valid CA.

The CSR and key's are all generated through a custom internal SSL utility which is just using OpenSSL. I ran the certificate and key through some validation tools on sslshopper.com and they verified to match and the key was able to be read as it was not encrypted.

I generated the PKCS#12 (.pfx) file using OpenSSL with my un-encrypted key and certificate issued from my CA. I am able to import the generated PFX into my cert store on my local machine, view it, and export it all without issue. Once strange thing I noticed is that when I exported the cert with key from my personal cert store on my machine and added it to the CCS, the error was that the file system could not find the file specified, even though it's displaying the cert with an error which is located in the share.

Any assistance would be greatly appreciated.

Image of error


In regards to the issue you are seeing where it responds with the file system could not find the file specified, we had a similar issue.

Our certificate manager always uses Linux/OpenSSL to create the PFX files, and the output file have missing header information that OpenSSL doesn't care about. The fix for us was to import the cert into CertMgr.msc on Windows and then re-export it to a new PFX; once imported into the CCS, all worked as it should.


I had the exact error today on IIS Windows Server 2016. After some searching I found the answer. It seems there are issues with impersonation when using IIS Manager GUI and the Centralized Certificate Store. I was logged in with my normal domain admin account but had configured the certificate store network share to be mounted as a different account (which had sufficient rights). I changed everything to Administrator, logged in as Administrator and everything worked. Evidently it's only a problem with the GUI but in this case it was pretty misleading. See this thread for more info: https://github.com/ridercz/AutoACME/issues/14

Related

Kubernetes pod /etc/resolv.conf has the wrong nameserver
What are the mechanics behind a CIFS "readonly" mount?
TLD servers and ADDITIONAL section [duplicate]
Why does my MySQL server suddenly not start. ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) [closed]
How do I add a static route in Windows?
Is it possible to use "route ADD ... MASK ..." command to exclude an application or website from VPN connection?
Can I use glue records as authoritative answer if I cannot get the authoritative answer
Postgresql 13 on CentOS8 fail to start at boot time, but can be started manualy
WUSA Error code 3010
Executing a command before starting a systemd service [duplicate]
Why don't arrows keys work in Microsoft Excel?
How can I count the duration of my Skype video calls?