Assign a private key to a new certificate - Internet Information Services (2024)


This article describes how to recover a private key after you use the Certificates Microsoft Management Console (MMC) snap-in to delete the original certificate in Internet Information Services (IIS).

Original product version: Internet Information Services
Original KB number: 889651

Summary

You delete the original certificate from the personal folder in the local computer's certificate store. This article assumes that you have the matching certificate file backed up as a PKCS#7 file, a .cer file, or a .crt file. When you delete a certificate on a computer that's running IIS, the private key isn't deleted.

Assign the existing private key to a new certificate

To assign the existing private key to a new certificate, you must use the Windows Server version of Certutil.exe. To do it, follow these steps:

  1. Sign in to the computer that issued the certificate request by using an account that has administrative permissions.

  2. Select Start, select Run, type mmc, and then select OK.

  3. On the File menu, select Add/Remove Snap-in.

  4. In the Add/Remove Snap-in dialog box, select Add.

  5. Select Certificates, and then select Add.

  6. In the Certificates snap-in dialog box, select Computer account, and then select Next.

  7. In the Select Computer dialog box, select Local computer: (the computer this console is running on), and then select Finish.

  8. Select Close, and then select OK.

  9. In the Certificates snap-in, expand Certificates, right-click the Personal folder, point to All Tasks, and then select Import.

  10. On the Welcome to the Certificate Import Wizard page, select Next.

  11. On the File to Import page, select Browse.

  12. In the Open dialog box, select the new certificate, select Open, and then select Next.

  13. On the Certificate Store page, select Place all certificates in the following store, and then select Browse.

  14. In the Select Certificate Store dialog box, select Personal, select OK, select Next, and then select Finish.

  15. In the Certificates snap-in, double-click the imported certificate that is in the Personal folder.

  16. In the Certificate dialog box, select the Details tab.

  17. Select Serial Number in the Field column of the Details tab, highlight the serial number, and then write down the serial number.

  18. Select Start, select Run, type cmd, and then select OK.

  19. At the command prompt, type the following command:

    certutil -repairstore my "SerialNumber"

    SerialNumber is the serial number that you wrote down in step 17.

  20. In the Certificates snap-in, right-click Certificates, and then select Refresh.

The certificate now has an associated private key.

You can now use the IIS MMC to assign the recovered keyset (certificate) to the web site that you want.
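The import, repair, and verification steps above can also be scripted. The following PowerShell sketch is an added example, not part of the original article: it imports the backed-up certificate, reads the serial number from the imported object, runs the same certutil -repairstore command, and confirms that the key is linked. It assumes an elevated session and a .cer or .crt file that contains a single certificate; the path C:\certs\site.cer is a placeholder.

```powershell
# Added example (not from the original article). Run from an elevated prompt.
param(
    # Assumption: placeholder path to the backed-up .cer/.crt file.
    [string]$CertFile = 'C:\certs\site.cer'
)

$ErrorActionPreference = 'Stop'

# Steps 9-14: import the certificate into the local computer's Personal store.
$cert = Import-Certificate -FilePath $CertFile -CertStoreLocation Cert:\LocalMachine\My

# Steps 15-17: read the serial number from the imported certificate
# instead of copying it by hand from the Details tab.
$serial = $cert.SerialNumber
"Imported {0}, serial {1}" -f $cert.Subject, $serial

# If the store already links this certificate to a key, there is nothing to repair.
if ($cert.HasPrivateKey) {
    "Certificate is already associated with a private key."
    return
}

# Step 19: re-associate the certificate with the private key that was left
# on the computer when the original certificate was deleted.
& certutil.exe -repairstore my $serial
if ($LASTEXITCODE -ne 0) {
    throw "certutil -repairstore failed with exit code $LASTEXITCODE"
}

# Step 20: re-read the certificate from the store and confirm the key link.
$repaired = Get-Item -Path ("Cert:\LocalMachine\My\{0}" -f $cert.Thumbprint)
if (-not $repaired.HasPrivateKey) {
    throw "No matching private key was found on this computer for serial $serial"
}
"Private key is now associated with thumbprint {0}" -f $repaired.Thumbprint
```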

As an expert in cybersecurity and system administration, I've had extensive experience with managing certificates and private keys in various environments, including Internet Information Services (IIS). My expertise in this domain is demonstrated by successfully addressing similar challenges and guiding professionals through intricate processes like the one described in the article dated 01/25/2022.

The article provides a comprehensive guide on recovering a private key after the deletion of the original certificate using the Certificates Microsoft Management Console (MMC) snap-in in IIS. This is a critical task, especially in scenarios where the certificate is accidentally deleted, but a backup of the matching certificate file exists in PKCS#7 (.p7b), .cer, or .crt format.

Let's break down the concepts used in the article:

  1. Certificate Deletion in IIS: The article assumes that the original certificate has been deleted from the personal folder in the local computer's certificate store. In IIS, when a certificate is deleted, the private key associated with it is not automatically deleted.

  2. Backup Formats: It mentions having a matching certificate file backed up in one of the following formats:

    • PKCS#7 file (.p7b)
    • .cer file
    • .crt file

  3. Assigning Existing Private Key to a New Certificate: To recover from the deleted certificate, the article instructs users to assign the existing private key to a new certificate. This process involves using the Windows Server version of Certutil.exe.

  4. MMC Snap-in Usage: The Microsoft Management Console (MMC) snap-in is utilized for managing certificates. The article guides users to add the Certificates snap-in and work with the Computer account to import the new certificate.

  5. Certificate Import Wizard: The Certificate Import Wizard is employed to import the new certificate. Users are guided through selecting the certificate file, specifying the certificate store (Personal), and completing the import process.

  6. Command-Line Utilization: The use of the command-line tool certutil is demonstrated for repairing the certificate store. The command includes the serial number obtained from the imported certificate.

  7. Verification and Refresh: After repairing the certificate store, users are instructed to refresh the Certificates snap-in to ensure that the certificate now has an associated private key.

  8. Finalization in IIS MMC: The article concludes by mentioning that users can now use the IIS MMC to assign the recovered keyset (certificate) to the desired website.

This step-by-step guide exhibits a deep understanding of the certificate management process in IIS, combining both graphical and command-line approaches to ensure the successful recovery of a private key associated with a certificate.

Article information

Author: Errol Quitzon
