https://www.digicert.com/ssl-certificate-installation-microsoft-iis-7.htm
https://myexchangelync.wordpress.com/2014/12/14/create-a-csr-with-sha256-signature-algorithm/
https://www.godaddy.com/help/generating-iis-7-csrs-certificate-signing-requests-4800
https://community.spiceworks.com/topic/798644-sha2-certificate-requests-iis
Entrust Certificate Services Support Knowledge Base
Audience: General
Last Modified: 2011-01-18 08:42:02.0
Last Modified: 2011-01-18 08:42:02.0
TN 7905 - What are the steps to recover the private key of an SSL certificate in an IIS environment?
Problem:The SSL certificate is installed but the private key is missing. What are the steps to recover the private key of an SSL certificate in a Microsoft Internet Information Services (IIS) environment?
Cause:
Entrust SSL certificates do not include a private key. The private key resides on the server that generated the Certificate Signing Request (CSR). When installed correctly, the Server Certificate will match up with the private key as displayed below.
If the private key is missing,the circled message indicating a good correspondence with private key will be missing as shown here:
this could mean:
- The certificate is not being installed on the same server that generated the CSR.
- The pending request was deleted from IIS.
- The certificate was installed through the Certificate Import Wizard rather than through IIS.
Solution:
To recover the private key, follow the procedures below.
Part 1 - Snap-In Configuration
Use the following steps to add the Certificates snap-in:
Use the following steps to add the Certificates snap-in:
- Click Start, and then click Run.
- Type in mmc and click OK.
- From the File menu, choose Add/Remove Snap-in.
- In the new window that appears, click Add.
- Select Certificates and then click Add.
- Choose the Computer account option and click Next.
- Select Local Computer and then click Finish
- Click Close, and then click OK. The snap-in for Certificates (Local Computer) appears in the console.
Part 2 - Import the Server CertificateUse the following steps to import your Server Certificate into the Personal certificate store. (If the Server Certificate has already been imported into the Personal store, you may skip this step.)
From the MMC console opened in the above steps:
- Expand the Certificates (Local Computer) tree in the left preview panel.
- Right-click Personal and select All Tasks > Import.
- The Certificate Import Wizard appears. Click Next.
- Browse to the location of your Server Certificate file and click Next.
- Select Place all certificates in the following store and click Next.
- Click Finish to complete the Certificate Import Wizard.
- A dialog box appears indicating the import was successful. Click OK.
Use the following steps to recover your private key using the certutil command.
1. Locate your Server Certificate file by opening Microsoft Internet Information Services Manager, then on the right side select Tools > Internet Information Services (IIS) Manager.
1. Locate your Server Certificate file by opening Microsoft Internet Information Services Manager, then on the right side select Tools > Internet Information Services (IIS) Manager.
2. Once in IIS Manager, select your server, then on the right side, Server Certificates. You will see all certificates currently on that server. Scroll over the certificate you are trying to install, right click, then select View.
3. There, you can view the certificate information. As you can see, there is no indication of a good correspondence with the private key.
4. Click the Details tab. Write down the serial number of the certificate.
4. Click the Details tab. Write down the serial number of the certificate.
5. We will need to recover the private key using a command prompt. In order to recover the key, we must do so using command prompt as an administrator. To do so, slick Start, then on then open all App. Under Windows System, find Command Prompt. Right click Command prompt and then Run as administrator. Confirm the action and continue.
6. Make sure you are on the right directory in command prompt.
e.g., if your server directory is “c:/users/srv2012_r2_std_x64”, on the command line type “cd c:/users/srv2012_r2_std_x64”. Note that “cd” is the command used to change directories in command prompt.
7. Now that we are in the right place, enter the following command at the prompt: certutil –repairstore my <serial number> where <serial number> is the serial number obtained in Step 2 with spaces removed.
8. If Windows is able to recover the private key, you see the message:
CertUtil: -repairstore command completed successfully.
If your private key was recovered successfully, your Server Certificate installation is complete.
If the private key was not recovered successfully, you will need to generate a new Certificate Signing Request and submit it to Entrust Datacard to have your certificate re-issued, or re-issue the certificate using your ECS Enterprise account.
Check that your Certificate has been successfully installed by testing it on the Entrust SSL Install Checker.
Part 3 - Recover the Private Key
Use the following steps to recover your private key using the certutil command.
- Locate your Server Certificate file (for example, server.cer) and double-click it. The Certificate dialog box appears.
- Click the Details tab. Write down the 8-character serial number of the certificate.
- Click Start > Run.
- Type cmd and click OK. A Command Prompt window opens.
- Enter the following command at the prompt:
certutil –repairstore my <serial number>
Where <serial number> is the 8-character serial number obtained in Step 2 (spaces removed).
6. If Windows is able to recover the private key, you see the following message:
CertUtil: -repairstore command completed successfully.
7. If your private key was recovered successfully, your Server Certificate installation is complete. If the private key was not recovered successfully, you will need to generate a new Certificate Signing Request and submit it to Entrust to have your certificate re-issued.
Affected Products:
- Entrust Certificate Services 1 Year Advantage SSL Certificate Version Not Applicable Language Not Applicable Platform Not Applicable
certutil –repairstore my <serial number> the serial number varies. You should import the cert to person or webhosting or both and in the root
---------------------------------------------------
---------------------------------------------------
In the MMC (run as admin), Certificates
Friendly name=server name
Click on subject tab and fill
this in:
Subject
name:
Common
Name = ServerName
Organizational
unit = Web
Organization
= DSHS/CATS
Locality
= Olympia
State
= WA
Country
= US
Alternate
name:
DNS =
ServerName
IPV4
: IP Address of the Server
Private key tab
expand key options
key size=2048
make private key exportable
Click ok, next, save file
For the Back end Server, please
follow this process to request a certificate
Login to backend server
1. Open
IIS
2. On
the Main node, double click on the Server Certificate
3. Create
Certificate request
a. Common
Name : IP Address of the Server.
b.
Organization =
DSHS/CATS
c.
Organizational unit
= Web
d.
Locality = Olympia
e.
State = WA
f.
Country = US
4.
Click Next
5.
Cryptographic
provider : Don’t change any thing.
a.
Bit Length :
2048
6.
Click Next
7.
Give a filename and
save on the desktop or any folder as you like and send the save file for cert
generation.
