SSL Certificate Disappearing from IIS

Question

This may seem like a duplicate of this and it kind of is but none of the solutions I tried worked for me! Here is the related Question:

Installed SSL certificate in certificate store, but it's not in IIS certificate list

My system is Windows 2016 running IIS 10. We issued a CSR file using IIS using *.mydomain.com (nothing in the Common Name, I think, because that will get named upon receiving GoDaddy's response). Our client went to GoDaddy.com, purchased a Wild Card certificate, and sent me a zip file with a .p7b and a .crt file. I installed the .p7b in the Intermediate Certificate section, per GD instructions. So now in the Certificate is in the Personal folder with info like 'issued to *.mydomain.com' and friendly name being 'gis.mydomain.com'.

But the Certificate does not have Private Key--and I think that's the problem: The Certificate disappears in IIS manager. When I try the certutil -repairstore command I get a prompt for a Card insertion.

Here is a fix I am thinking about: From the Certificate Enrollement Requests part of the console, export to a pfx file, then, using OpenSSL, make a PEM file. Then create a new pfx file to Import to IIS; problem is that the new pfx file creation gives me error "No Certificate Matches Private Key". Here is the command:

pkcs12 -export -in 1d4c26d43a4da203.crt -inkey my.pem -out final.pfx

Please note that Rekeying at GoDaddy may not help: Their .CRT file seems to be generated without the Private Key. Also, DigiCert is unable to find Private Key on the server even though the CSR file was created on the same server.

What are my options?

Thanks!

Answer 1

I fixed this issue by following the steps here:

https://www.namecheap.com/support/knowledgebase/article.aspx/9773/2238/ssl-disappears-from-the-certificate-list-on-windows-server/

Specifically, these steps:

Open Microsoft Management Console (MMC) as an Administrator. To open MMC, press Win+R combination, type in mmc and click OK.

• Select Add/Remove Snap-in and choose Certificates and click Add.

• Choose Computer account in the Certificates snap-in window, click Next.

• Tick Local computer in the Select computer box, then click Finish.

• Locate the certificate that was imported when completing the certificate request. The certificate should be in the Personal store. Note that the icon of the certificate next to the domain name does not have a key on it; that means that no private key is assigned to the certificate.

• Double-click the certificate and go to Details tab. In certificate details locate the Serial Number field, click on it and copy its value.

• In a command prompt type: certutil -repairstore my Serial_number from the step above. Make sure the serial number of your certificate does not contain any spaces. It should be a single string of symbols.

• You can now refresh the list of server certificates in IIS Manager to see the certificate. You may need to close and reopen IIS.

UPDATE

• The certificate store name for Web Hosting is webHosting. Use this in place of "my" which is the Personal cert store.
• If you have multiple certificates, you only need to run certutil -repairstore for the first one. Others install correctly via the Complete Certificate Request in IIS (ie, they do not disappear).

UPDATE II

With GoDaddy, you get 3 files: .crt, .pem, .p7b. IIS asks for a .cer file to complete CSR. This is how you convert to .cer.

Convert your .crt file to a .cer file

- Locate your downloaded .crt file, and double-click to open it.
- Select the Details tab, and then the Copy to File button.
- Select Next in the Certificate Wizard.
- Select Base-64 encoded X.509(.CER) and then select Next.
- Select Browse, locate where you want to save your .CER file, and type in a name for your certificate.
- Select Next and then Finished.

Answer 2

You need to convert the certificate to .pfx file and include your private key.

https://www.ssls.com/knowledgebase/how-to-install-an-ssl-on-a-windows-server-when-the-csr-was-generated-elsewhere/

Answer 3

At last Fixed!!

Step 1 - Go to your servers IIS

Step 2 - Select your server and choose SSL Certificate from middle panel

Step 3 - From the action panel on the right choose "Create Certificate Request"

Step 4 - Fill in the necessary details (common name = domain name, rest not so important)

Step 5 - after completing the wizard you will be provided with a .CSR file open the file in notepad and CTRL-A CTRL-C.

Step 6 - Go to the product page of your godaddy account from there go to SSL and click manage.

Step 7(optional) - To check if everything's fine with your CSR file, In manage SSL page click "SSL Tools" and from there choose CSR Decoder, you'll be taken to a page where you can paste the CSR and if results are shown you are good move to step 8.

Step 8 - Go back to Step 6, choose your SSL linked to the DOMAIN.

Step 9 - From the SSL Dashboard once you scroll down a bit you'll see the REKEY option, click on it.

Step 10 - Paste the CSR texts in the space provided

Step 11 - Click "Add Change"

Step 12 - Scroll down, click "Submit All Changes"

Step 13 - After the SSL is reissued(5-10 MINS), download the zip files for IIS server.

Step 14 - That's it , you should be able to add the new .CES file into the IIS without it disappearing.

Let me know if this worked for everyone.

Answer 4

There is one more use case under which IIS server certificates gets disappear when we create the Custom CSR from MMC -> Advanced Operations -> Create Custom Request and choose the Enhanced Key Usage purpose as "Client Authentication" instead "Server Authentication" and since we are uploading the certificate to IIS under Server Certificates so it should be for "Server Authentication" to show up or not disappear on IIS -> Server Certificates

Fix -

1. Delete the certificate from MMC and make sure it is removed after refreshing
2. Generate the CSR using MMC Custom Request option and Choose "Server Authentication" in case of the purpose for key usage while generating the CSR using the Custom Request Option from MMC
3. Generate the Cert and signed by CA for the CSR generated in Step-2
4. Complete the Certificate Request from IIS and certificate should be available perfectly fine in MMC as well in IIS -> Server Certificate

This should work fine !

Answer 5

Nothing worked until I followed GoDaddy's instructions per https://www.godaddy.com/help/rekey-my-certificate-4976 and installed the Re-Keyed Certificate. I don't know what had happened to have caused the failure. I had followed the exact steps earlier but what the client provided did not work first time. My guess is that the CSR file was generated when the server machine was in some pending major Windows Update and after the Update the Private Key stored in the OS was somehow lost/inaccessible.

Oh well, moving on.