How do you restore the private key for a certificate? You may have generated a certificate request and sent it either to your internal Microsoft-based Certification Authority (CA) or, as a CSR, to an external SSL certificate provider. Now, when you try to install the CRT (the certificate response), you get an error that the private key cannot be found.

Don’t worry, you can recover the private key without having to make a new request for the certificate to be re-issued.

Why do you need the SSL Private Key?

The private key is required to decrypt data that was encrypted with the matching public key. In short, you need the private key if you are running a TLS or SSL enabled website or service. Have a look here for a better summary of how public and private keys work.

How do you lose the private key?

There are many ways to lose the key, or for Windows to lose track of which key belongs to the certificate:

  • You have requested another certificate (such as one with the same name) from the same source machine
  • The private key was deleted
  • You imported the certificate request without sufficient access rights to read the private key
  • You used a different tool or wizard to import the certificate than the tool used to generate the certificate request
  • You generated the certificate request on a different server

Preparing your system

First, you need to import the CRT or CER file to the original Windows machine that generated the certificate request. This will mean that the private key is somewhere in the system.


Open MMC and then add the snap-in for Certificates for the Local Computer. Go to Certificates, Personal, and you should see that the key you just imported is displayed, but has a different icon.

[Screenshot: CertificateNoKey, the imported certificate shown with the icon that indicates no private key]

You should notice immediately that the certificate is installed correctly, but the key is missing (both from the icon and the certificate).

Open (not properties…) the certificate that you want to repair, and go to the tab Details and click on Serial Number

[Screenshot: CertificateSerial, the Serial Number field on the Details tab]

Note down the serial number – you don’t need to record the spaces, just the digits. In this example, the digits are 611295C9000000000011.

Then, open a command prompt as administrator and enter the following command:

      certutil -repairstore my 611295C9000000000011

Type your own serial number with no spaces; in the command prompt it looks like this:

[Screenshot: CertificateRepair2, the certutil -repairstore command and its output]

You should then see the response “repairstore command completed successfully”, and your certificate should be ready to go!

If not, you will need to generate a new certificate request.
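The same repair, as an added PowerShell example rather than the article's own steps: it imports the CA's response on the machine that generated the request, reads the serial number straight from the store (which already gives it without spaces), runs certutil -repairstore against it, and then confirms that Windows now sees a private key instead of trusting the "completed successfully" message alone. The response file path is a placeholder, the store is Local Computer\Personal (what certutil calls "my"), and Import-Certificate comes from the built-in PKI module on Windows 8 / Server 2012 and later.

```powershell
# Added example (not from the original article): re-associate a lost private
# key with its certificate and verify the result.
# Assumptions: $ResponsePath is a placeholder for your CRT/CER file; run from
# an elevated PowerShell on the machine where the CSR was generated.
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)]
    [string]$ResponsePath   # e.g. C:\temp\webserver.cer (placeholder)
)

# Step 1: import the certificate response into Local Computer\Personal.
$imported = Import-Certificate -FilePath $ResponsePath -CertStoreLocation Cert:\LocalMachine\My

# Helper: re-read the store object by thumbprint so HasPrivateKey is current.
function Get-StoreCert([string]$Thumbprint) {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
}

# Step 2: if Windows already links a key to this certificate, there is nothing to do.
$cert = Get-StoreCert $imported.Thumbprint
if ($cert.HasPrivateKey) {
    Write-Output "Private key already associated with $($cert.Subject); nothing to repair."
    return
}

# Step 3: certutil searches the machine's key containers for a key whose public
# half matches this certificate and re-links it. SerialNumber is hex with no
# spaces, which is the form certutil expects.
Write-Output "Repairing certificate with serial $($cert.SerialNumber) ..."
certutil -repairstore my $cert.SerialNumber
if ($LASTEXITCODE -ne 0) {
    throw "certutil -repairstore failed (exit code $LASTEXITCODE). The key may have been deleted or generated on another machine; a new CSR is needed."
}

# Step 4: verify rather than trust the success message.
$cert = Get-StoreCert $imported.Thumbprint
if (-not $cert.HasPrivateKey) {
    throw "repairstore reported success but no private key is associated; generate a new certificate request."
}
Write-Output "Private key restored for $($cert.Subject) (thumbprint $($cert.Thumbprint))."
```

Run it as `.\Repair-CertKey.ps1 -ResponsePath C:\temp\webserver.cer` (script name and path are placeholders). The final HasPrivateKey check matters because certutil reports success even when it only rewrote store metadata; if the check fails, the key is genuinely gone from this machine and the only fix is a new request.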

Did this help you resolve your problem? Drop a message in the comments if it helped, so others can know that this works!
