2
votes

This may seem like a duplicate of this, and it kind of is, but none of the solutions I tried worked for me! Here is the related question:

Installed SSL certificate in certificate store, but it's not in IIS certificate list

My system is Windows 2016 running IIS 10. We issued a CSR file using IIS using *.mydomain.com (nothing in the Common Name, I think, because that will get named upon receiving GoDaddy's response). Our client went to GoDaddy.com, purchased a Wild Card certificate, and sent me a zip file with a .p7b and a .crt file. I installed the .p7b in the Intermediate Certificate section, per GD instructions. So now the Certificate is in the Personal folder with info like 'issued to *.mydomain.com' and friendly name being 'gis.mydomain.com'.

But the Certificate does not have a Private Key--and I think that's the problem: the Certificate disappears in IIS Manager. When I try the certutil -repairstore command I get a prompt for a Card insertion.

Here is a fix I am thinking about: from the Certificate Enrollment Requests part of the console, export to a pfx file, then, using OpenSSL, make a PEM file. Then create a new pfx file to import into IIS; the problem is that the new pfx file creation gives me the error "No Certificate Matches Private Key". Here is the command:

openssl pkcs12 -export -in 1d4c26d43a4da203.crt -inkey my.pem -out final.pfx

Please note that rekeying at GoDaddy may not help: their .CRT file seems to be generated without the Private Key. Also, DigiCert is unable to find the Private Key on the server even though the CSR file was created on the same server.

What are my options?

Thanks!

4
I don’t believe the CSR was created there. The private key must be created and saved during the initial certificate requesting process, so go back and see what you did then, and dig the private key out. Otherwise, you would have to run the whole process once again. – Lex Li
I am sure the CSR was created there because that's the only server in the system for that client. Okay, if the CSR was not created there then how come the console's Certificate Enrollment Request section has that certificate/request with a Private Key icon? Or maybe I am not understanding you correctly? Thanks. – IrfanClemson
What were the exact steps you did to create the certificate request? If you don’t reveal those as part of your question, everyone else can only assume that the private key is lost. – Lex Li
godaddy.com/help/… or something very similar on GoDaddy--mine is IIS 10. – IrfanClemson
The private key never leaves the original machine. Remember that simple fact and continue troubleshooting. – Lex Li
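The comment thread turns on one question: is the private key that matches the issued certificate still on this server? The following PowerShell script is an added example (not code from the question or from any of the commenters) that answers it directly: it loads the CA-issued .crt, takes its public key, and looks for the same public key in the Certificate Enrollment Requests store (`REQUEST`) and the Personal store (`My`), reporting whether the match carries a private key. The certificate path and the elevated PowerShell session are assumptions.

```powershell
# Added example: check whether the private key belonging to an issued certificate
# is still present on this machine. Run in an elevated PowerShell on the IIS host.
param(
    [string]$CertPath = 'C:\certs\issued.crt'   # placeholder path; point it at the CA's .crt
)

# Load the issued leaf certificate (DER or PEM .crt both work with this constructor).
$issued    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$issuedKey = [Convert]::ToBase64String($issued.PublicKey.EncodedKeyValue.RawData)

Write-Host "Issued cert : $($issued.Subject)"
Write-Host "Thumbprint  : $($issued.Thumbprint)"
Write-Host "Serial      : $($issued.SerialNumber)"   # already without spaces, as certutil wants it

# A pending request made on this machine lives in the REQUEST store as a placeholder
# certificate whose public key equals the CSR's. The Personal store is 'My'.
$stores = @('Cert:\LocalMachine\REQUEST', 'Cert:\LocalMachine\My')

$found = foreach ($store in $stores) {
    Get-ChildItem $store -ErrorAction SilentlyContinue | Where-Object {
        [Convert]::ToBase64String($_.PublicKey.EncodedKeyValue.RawData) -eq $issuedKey
    } | ForEach-Object {
        [pscustomobject]@{
            Store         = $store
            Thumbprint    = $_.Thumbprint
            HasPrivateKey = $_.HasPrivateKey   # True only if the key pair is linked here
        }
    }
}

if (-not $found) {
    Write-Warning 'No certificate or pending request on this machine has the same public key.'
    Write-Warning 'The CSR was generated elsewhere or its key was deleted; a fresh CSR and rekey are needed.'
} else {
    $found | Format-Table -AutoSize
    if ($found | Where-Object HasPrivateKey) {
        Write-Host 'A matching private key exists. Import the issued cert into the Personal store,'
        Write-Host "then run: certutil -repairstore my $($issued.SerialNumber)"
    } else {
        Write-Warning 'A matching public key was found but its private key is gone; rekey is required.'
    }
}
```

If the script finds no match at all, no amount of `certutil -repairstore` or OpenSSL work on this server will produce a usable PFX, because the "No Certificate Matches Private Key" error means exactly what it says: the key you exported belongs to a different key pair than the one the CA signed.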

4 Answers

2
votes

I fixed this issue by following the steps here:

https://www.namecheap.com/support/knowledgebase/article.aspx/9773/2238/ssl-disappears-from-the-certificate-list-on-windows-server/

Specifically, these steps:

  • Open Microsoft Management Console (MMC) as an Administrator. To open MMC, press the Win+R combination, type in mmc and click OK.

  • Select Add/Remove Snap-in and choose Certificates and click Add.

  • Choose Computer account in the Certificates snap-in window, click Next.

  • Tick Local computer in the Select computer box, then click Finish.

  • Locate the certificate that was imported when completing the certificate request. The certificate should be in the Personal store. Note that the icon of the certificate next to the domain name does not have a key on it; that means that no private key is assigned to the certificate.

  • Double-click the certificate and go to Details tab. In certificate details locate the Serial Number field, click on it and copy its value.

  • In a command prompt type: certutil -repairstore my Serial_number (the serial number from the step above). Make sure the serial number of your certificate does not contain any spaces. It should be a single string of symbols.

  • You can now refresh the list of server certificates in IIS Manager to see the certificate. You may need to close and reopen IIS.
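The MMC steps above can be scripted, which also removes the most common mistake (copying the serial number with spaces from the Details tab). This PowerShell script is an added example, not part of the answer or the linked Namecheap article: it lists every certificate in the local machine Personal store that has no private key, runs `certutil -repairstore my <serial>` on each, and then re-checks the store. It assumes an elevated PowerShell session; `-WhatIf` prints what would be run without changing anything.

```powershell
# Added example: apply the "certutil -repairstore" step to every Personal-store
# certificate that currently lacks a private key. Run as Administrator.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

# Certificates whose key pair is not linked show HasPrivateKey = False (no key icon in MMC).
$orphans = Get-ChildItem Cert:\LocalMachine\My | Where-Object { -not $_.HasPrivateKey }

if (-not $orphans) {
    Write-Host 'Every certificate in Cert:\LocalMachine\My already has a private key.'
    return
}

foreach ($cert in $orphans) {
    # The .SerialNumber property has no spaces, but strip any defensively:
    # certutil needs the serial as a single token.
    $serial = $cert.SerialNumber -replace '\s', ''
    Write-Host "Repairing $($cert.Subject) (serial $serial)"

    if ($PSCmdlet.ShouldProcess($cert.Subject, "certutil -repairstore my $serial")) {
        # certutil searches the machine's key containers for a key whose public half
        # matches the certificate and re-links it to the certificate.
        certutil -repairstore my $serial
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "certutil failed for $serial (exit $LASTEXITCODE); the matching key may not be on this machine."
        }
    }
}

# Verify: the repaired certificates should now report HasPrivateKey = True,
# and IIS Manager will list them after a refresh (or a restart of the console).
Get-ChildItem Cert:\LocalMachine\My |
    Select-Object Subject, Thumbprint, HasPrivateKey |
    Format-Table -AutoSize
```

Run it once with `.\Repair-CertKeys.ps1 -WhatIf` to see which certificates it would touch, then without the switch. If certutil still reports a failure for a certificate, the key is not in any software key container on this host, and the re-key route in the other answers is the remaining option.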

1
votes

Nothing worked until I followed GoDaddy's instructions per https://www.godaddy.com/help/rekey-my-certificate-4976 and installed the re-keyed certificate. I don't know what had happened to have caused the failure. I had followed the exact steps earlier, but what the client provided did not work the first time. My guess is that the CSR file was generated when the server machine was in some pending major Windows Update, and after the Update the Private Key stored in the OS was somehow lost/inaccessible.

Oh well, moving on.

0
votes

There is one more use case under which IIS server certificates disappear: when we create the Custom CSR from MMC -> Advanced Operations -> Create Custom Request and choose the Enhanced Key Usage purpose as "Client Authentication" instead of "Server Authentication". Since we are uploading the certificate to IIS under Server Certificates, it should be for "Server Authentication" in order to show up (and not disappear) in IIS -> Server Certificates.

Fix -

  1. Delete the certificate from MMC and make sure it is removed after refreshing.
  2. Generate the CSR using the MMC Custom Request option and choose "Server Authentication" as the purpose for key usage while generating the CSR.
  3. Generate the certificate signed by the CA for the CSR generated in step 2.
  4. Complete the Certificate Request from IIS; the certificate should be available perfectly fine in MMC as well as in IIS -> Server Certificates.

This should work fine!
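This answer adds a second reason for the symptom: an Enhanced Key Usage that lacks Server Authentication. The PowerShell below is an added example, not the answer's own code, and it does two things: it reports, for every certificate in the Personal store, whether the EKU extension permits Server Authentication (OID 1.3.6.1.5.5.7.3.1; a certificate with no EKU extension is valid for any purpose), and it shows the command-line equivalent of the MMC Custom Request dialog, a `certreq` .inf that requests exactly that EKU so the mistake cannot recur. The subject, file paths and the availability of certreq.exe on PATH are assumptions.

```powershell
# Added example: (1) audit EKU on Personal-store certificates, (2) create a CSR whose
# EKU is Server Authentication using certreq. Run in an elevated PowerShell.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$ekuExtOid     = '2.5.29.37'           # extKeyUsage extension

function Get-CertEkuReport {
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert   = $_
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuExtOid }
        # Absent EKU extension means "any purpose", which IIS accepts.
        $oids = if ($ekuExt) { $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } } else { @() }
        [pscustomobject]@{
            Subject        = $cert.Subject
            HasPrivateKey  = $cert.HasPrivateKey
            ServerAuth     = (-not $ekuExt) -or ($oids -contains $serverAuthOid)
            ClientAuthOnly = ($oids -contains $clientAuthOid) -and ($oids -notcontains $serverAuthOid)
        }
    }
}

# Certificates with ServerAuth = False (or ClientAuthOnly = True) will never appear
# under IIS -> Server Certificates, regardless of the private key.
Get-CertEkuReport | Format-Table -AutoSize

# --- certreq request file that asks for Server Authentication ---
# Single-quoted here-string so PowerShell does not expand the $Windows NT$ signature.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=*.example.com, O=Example Org, L=City, S=State, C=US"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
MachineKeySet = TRUE
Exportable = TRUE
RequestType = PKCS10
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
'@

$infPath = 'C:\certs\request.inf'   # placeholder path
$csrPath = 'C:\certs\request.csr'   # placeholder path
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# certreq keeps the private key in the machine key store and the pending request in
# the REQUEST store; after the CA returns the certificate, finish with: certreq -accept issued.crt
certreq -new $infPath $csrPath
```

Keeping the request in the machine store (`MachineKeySet = TRUE`) matters for the original question too: a CSR generated under a user profile, or on another machine, leaves the private key where IIS on this server cannot reach it.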

0
votes

At last, fixed!!

Step 1 - Go to your server's IIS.

Step 2 - Select your server and choose Server Certificates from the middle panel.

Step 3 - From the action panel on the right choose "Create Certificate Request".

Step 4 - Fill in the necessary details (common name = domain name; the rest is not so important).

Step 5 - After completing the wizard you will be provided with a .CSR file; open the file in Notepad and press Ctrl-A, Ctrl-C.

Step 6 - Go to the product page of your GoDaddy account, from there go to SSL and click Manage.

Step 7 (optional) - To check if everything is fine with your CSR file, in the Manage SSL page click "SSL Tools" and from there choose CSR Decoder. You'll be taken to a page where you can paste the CSR; if results are shown you are good, move to step 8.

Step 8 - Go back to Step 6 and choose your SSL linked to the DOMAIN.

Step 9 - From the SSL Dashboard, once you scroll down a bit you'll see the REKEY option; click on it.

Step 10 - Paste the CSR text in the space provided.

Step 11 - Click "Add Change".

Step 12 - Scroll down and click "Submit All Changes".

Step 13 - After the SSL is reissued (5-10 MINS), download the zip files for IIS server.

Step 14 - That's it, you should be able to add the new .CES file into IIS without it disappearing.

Let me know if this worked for everyone.