Missing Private Keys pair after deleting pending request from IIS

Let say you have generated New Certificate request(certreq.txt) from IIS manager and would like process that pending request later when you get back certificate file from the third party vendor Certificate Authority.

Getting back certificate

You were expecting .PFX file which has associated key pair from vendor and actually got back .CER(Base64 encoded) file which does not include a key pair.

Unfortunately if you have deleted pending request (or if it's not there)*1 from IIS and then try to install .cer it won't work as this certificate would not have private keys associated with it and we would end with 'Page Cannot Be Displayed' error on browser.

IIS stores the private key for a certificate as the pending request. Deleting the pending request deletes the association of the private key with IIS, but the private key still exists in the local certificate store on the IIS server.

Now question comes into your mind "How to make this .cer working using private key info stored in the local certificate store ?"

Answer :

  • certutil -addstore my c:\certnew.cer (this would add the certificate into following path)

On the IIS or Certificate Server, open MMC (Start->Run and type MMC) and add the Certificates snap-in using the Computer Account.
-- Expand Certificates(Local Computer) -> Personal -> Certificates


Double click newly install certificate -> go into Detail tab, locate Thumbprint , press ctrl + c to copy

  • certutil -repairstore my "18 8a 7e 44 0f 43 59 a9 f9 a3 64 3b 84 f8 14 d1 b7 5f a2 60"

If certificate is not added into my store you would end up with following error :
Certutil: -repairstore command FAILED: 0x80090011 (-2146893807) Certutil: Object was not found."

*1 Same stand valid incase the request has been generated using Exchange 2007 Tool

When you create the certificate request, the New-ExchangeCertificate cmdlet creates the private key pair and stuffs them in the Certificate Request store on the computer where you run the cmdlet. Therefore, you must run the Import-ExchangeCertificate cmdlet on the same computer to bind the private keys to the certificate.


till then Wave

Skip to main content