Installed SSL certificate in certificate store, but it's not in IIS certificate list

轻奢々 2020-12-13 05:49

After installation of a wildcard SSL certificate into the certificate store, the certificate does not appear in the IIS certificate list for use with site bindings.

17 answers
  • 2020-12-13 06:11

    This happens when the installed certificate does not contain your private key.

    To check whether the certificate contains the private key, and how to repair it, use this nice tutorial provided by Entrust.

    0 Discussion (0)
  • 2020-12-13 06:14

    This can happen if you e.g. generate a new certificate request after having your old certificate request approved. The new request will cause IIS to delete the private key associated with your first certificate request, and hence when you import the (now signed) certificate associated with your first request, it will not have a private key associated with it. Since it doesn't have a private key, it can't be used for SSL binding and will not appear in the IIS manager.

    You may be able to restore the private key, since it is stored in more than one place on your computer:

    1. Start -> mmc.exe -> Add snap-in -> Certificates -> Computer account. Verify that the installed certificate appears in the "Personal/Certificates" tab. If not, import it. A missing private key is visualized by the icon next to the certificate not containing a key icon.
    2. Open the certificate (.cer) file from disk by double-clicking on it. In the Details tab, note the serial number.
    3. Start -> cmd.exe. Type "certutil -repairstore my (serialnumberhere)". The serial number should have no spaces. Could be 8 or more digits.

    If the certutil command returns with "-repairstore command completed successfully", the private key of your certificate was most likely recovered. You can verify this by going to the MMC certificate list and hitting F5 -- if successful, your certificate will now have a small key in its icon. You will then be able to select your certificate from IIS.

    If this fails, your private key is no longer available and you need to send a new certificate signing request to the signing authority.

    0 Discussion (0)
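
The check and repair steps from the answer above, written as a PowerShell script. This is an added example, not part of the thread; the `-RepairSerial` parameter and the `Get-MachineCertKeyStatus` function are hypothetical names chosen here.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
param(
    # Hypothetical parameter: serial number of the certificate to repair, as
    # shown on the certificate's Details tab (spaces are stripped below).
    [string]$RepairSerial
)

# List every certificate in the computer account's Personal store together
# with whether a private key is associated with it.
function Get-MachineCertKeyStatus {
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Select-Object Subject, SerialNumber, Thumbprint, NotAfter, HasPrivateKey
}

$before = @(Get-MachineCertKeyStatus)
$before | Sort-Object HasPrivateKey, Subject | Format-List

# Without a serial number the script only reports.
if (-not $RepairSerial) { return }

$serial  = ($RepairSerial -replace '\s', '').ToUpperInvariant()
$targets = @($before | Where-Object { $_.SerialNumber -eq $serial })

if ($targets.Count -eq 0) {
    Write-Error "Serial $serial is not in LocalMachine\My. Import the .cer file first."
    exit 1
}
if (-not ($targets | Where-Object { -not $_.HasPrivateKey })) {
    Write-Output "Serial $serial already has a private key; nothing to repair."
    exit 0
}

# Same command the answer gives for cmd.exe.
& certutil.exe -repairstore my $serial
if ($LASTEXITCODE -ne 0) {
    Write-Error "certutil -repairstore failed (exit code $LASTEXITCODE)."
    exit 1
}

# Re-read the store: the equivalent of pressing F5 in MMC and checking the icon.
$after = @(Get-MachineCertKeyStatus | Where-Object { $_.SerialNumber -eq $serial })
if ($after | Where-Object { -not $_.HasPrivateKey }) {
    Write-Error "Still no private key for $serial. A new signing request is needed."
    exit 1
}
Write-Output "Private key restored for $serial. The certificate can now be selected in IIS."
```

Run without arguments, it only lists the store, so certificates with `HasPrivateKey : False` can be spotted before anything is changed.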
  • 2020-12-13 06:15

    I had a similar issue and tried all possible combinations as well as the accepted answer without any luck. Finally I found DigiCert SSL Utility, which helped me to install the certificate in a couple of clicks. You can download it here. Hope this answer will save some time for others.

    0 Discussion (0)
  • 2020-12-13 06:19

    To solve this, you need to import the private certificate (PFX).

    If you don't have a PFX, use OpenSSL to generate it:

    • Download and install OpenSSL
    • Open command line and run:

      openssl pkcs12 -export -in public_certificate.cer -inkey server.key -out private_certificate.pfx

    Then, install private_certificate.pfx (right click -> Install Certificate).

    Now your certificate does not disappear anymore and you can bind the website over SSL.

    A great resource: https://blog.lextudio.com/the-whole-story-of-server-certificate-disappears-in-iis-7-7-5-8-8-5-10-0-after-installing-it-why-b66e802baa38

    0 Discussion (0)
  • 2020-12-13 06:20

    I had the same in IIS 10.

    I fixed it by importing the .pfx file using IIS manager.

    Select the server root (above the sites node), click 'Server Certificates' in the right-hand pane and import the pfx there. Then I could select it from the dropdown when creating an SSL binding for a website under sites.

    0 Discussion (0)
  • 2020-12-13 06:21

    I ran into this problem today. Due to the timeframe and some other issues, getting the key from the provider was not possible.

    I found the following solution here (under pixelloa's comment) and thought it would be good to have the answer on Stack Overflow as well.

    If the certificate does not have a private key, you can fix this by doing the following:

    To fix this, use the MMC snapin to import the cert into PERSONAL store of the computer account, click it and grab the serial # line. Go to dos, run certutil -repairstore my "paste the serial # in here" (you need the quotes unless you remove the spaces from the serial number) then refresh MMC with personal certs, right click it - export - select everything except DELETE PRIVATE KEY, hit ok. Then go to IIS and IMPORT cert instead of finish request.

    For what it's worth, all I actually had to do was run the certutil -repairstore command, and my certificate worked. I did run the export and set a password for the export itself, but I did not have to reimport the certificate. The certificate now shows up in IIS's list of certificates and can be used for HTTPS bindings.

    I hope this helped someone.

    0 Discussion (0)