Purpose: Recovering a missing private key in IIS environment.
For Microsoft II8
(Jump to the solution)
Cause:
Entrust SSL certificates do not include a private key. The private key resides on the server that generated the Certificate Signing Request (CSR). When installed correctly, the Server Certificate will match up with the private key as displayed below:
If the private key is missing, the circled message indicating a good correspondence with private key will be missing as shown here:
A missing private key could mean:
I have purchased the SSL certificate from GoDaddy and i need to install this SSL certificate on siteground server because my site is hosted on siteground. But i am facing the issue with private key because when i try to set up the SSL certificate on Siteground it ask for private key and in am not. What is a private key? All SSL Certificates require a private key to work. The private key is a separate file that’s used in the encryption/decryption of data sent between your server and the connecting clients. A private key is created by you—the certificate owner—when you request your certificate with a Certificate Signing Request (CSR). Still can't find your private key? Try searching for a '.key' file, or following the installation steps for your server type. The installation steps should include where your private key is located. If your private key is nowhere to be found, or your site isn't serving HTTPS connections, you will need to rekey your certificate, and save your. Jun 09, 2019 This article describes how to recover a private key after you use the Certificates Microsoft Management Console (MMC) snap-in to delete the original certificate in Internet Information Services (IIS). You delete the original certificate from the personal folder in the local computer's certificate store.
- The certificate is not being installed on the same server that generated the CSR.
- The pending request was deleted from IIS.
- The certificate was installed through the Certificate Import Wizard rather than through IIS.
In this technote we do not discuss how to determine the reason the private key is missing. Select the link corresponding to each reason listed above for more information.
There's a video for this guide. Watch the video here.
There's a video for this guide. Watch the video here.
There are three parts to this solution:
1) Snap-In Configuration
2) Import the Server Certificate
3) Recover the private key
1) Snap-In Configuration
2) Import the Server Certificate
3) Recover the private key
Use the following steps to add the Certificates snap-in:
1. Click Start, and then search for Run.2. Type in mmc and click OK.
3. From the File menu, choose Add/Remove Snap-in.
4. Select Certificates and then Add.
5. Choose the Computer account option and click Next.
6. Select Local Computer and then click Finish.
7. Click Close, and then click OK. The snap-in for Certificates (Local Computer) appears in the console.
Use the following steps to import your Server Certificate into the Personal certificate store. If the Server Certificate has already been imported into the Personal store, you may skip this step.
From the MMC console opened in the above steps:
1. Expand the Certificates (Local Computer) tree in the left preview panel.
2. Right-click Personal and select All Tasks > Import.
3. The Certificate Import Wizard appears. Click Next.
4. Browse to the location of your Server Certificate file and click Next.
5. Select Place all certificates in the following store and click Next.
6. Click Finish to complete the Certificate Import Wizard.
7. A dialog box appears indicating the import was successful. Click OK.Use the following steps to recover your private key using the certutil command.
1. Locate your Server Certificate file by opening Microsoft Internet Information Services Manager, then on the right side select Tools > Internet Information Services (IIS) Manager.
2. Once in IIS Manager, select your server, then on the right side, Server Certificates. You will see all certificates currently on that server. Scroll over the certificate you are trying to install, right click, then select View.
3. There, you can view the certificate information. As you can see, there is no indication of a good correspondence with the private key.
4. Click the Details tab. Write down the serial number of the certificate.
5. We will need to recover the private key using a command prompt. In order to recover the key, we must do so using command prompt as an administrator. To do so, slick Start, then on then open all App. Under Windows System, find Command Prompt. Right click Command prompt and then Run as administrator. Confirm the action and continue.
6. Make sure you are on the right directory in command prompt.
e.g., if your server directory is “c:/users/srv2012_r2_std_x64”, on the command line type “cd c:/users/srv2012_r2_std_x64”. Note that “cd” is the command used to change directories in command prompt.
7. Now that we are in the right place, enter the following command at the prompt: certutil –repairstore my <serial number> where <serial number> is the serial number obtained in Step 2 with spaces removed.
8. If Windows is able to recover the private key, you see the message:
CertUtil: -repairstore command completed successfully.
If your private key was recovered successfully, your Server Certificate installation is complete.
If the private key was not recovered successfully, you will need to generate a new Certificate Signing Request and submit it to Entrust Datacard to have your certificate re-issued, or re-issue the certificate using your ECS Enterprise account.
Check that your Certificate has been successfully installed by testing it on the Entrust SSL Install Checker.
If you have any questions or concerns please contact the Entrust Certificate Services Supportdepartment for further assistance:
Hours of Operation:
Sunday 8:00 PM ET to Friday 8:00 PM ET
North America (toll free): 1-866-267-9297
Outside North America: 1-613-270-2680 (or see the list below)
Sunday 8:00 PM ET to Friday 8:00 PM ET
North America (toll free): 1-866-267-9297
Outside North America: 1-613-270-2680 (or see the list below)
NOTE: It is very important that international callers dial the UITF format exactly as indicated. Do not dial an extra '1' before the '800' or your call will not be accepted as an UITF toll free call.
Country | Number |
Australia | 0011 - 800-3687-7863 1-800-767-513 |
Austria | 00 - 800-3687-7863 |
Belgium | 00 - 800-3687-7863 |
Denmark | 00 - 800-3687-7863 |
Finland | 990 - 800-3687-7863 (Telecom Finland) 00 - 800-3687-7863 (Finnet) |
France | 00 - 800-3687-7863 |
Germany | 00 - 800-3687-7863 |
Hong Kong | 001 - 800-3687-7863 (Voice) 002 - 800-3687-7863 (Fax) |
Ireland | 00 - 800-3687-7863 |
Israel | 014 - 800-3687-7863 |
Italy | 00 - 800-3687-7863 |
Japan | 001 - 800-3687-7863 (KDD) 004 - 800-3687-7863 (ITJ) 0061 - 800-3687-7863 (IDC) |
Korea | 001 - 800-3687-7863 (Korea Telecom) 002 - 800-3687-7863 (Dacom) |
Malaysia | Win 7 home premium keys generator v 1.6.rar. 00 - 800-3687-7863 |
Netherlands | 00 - 800-3687-7863 |
New Zealand | 00 - 800-3687-7863 0800-4413101 |
Norway | 00 - 800-3687-7863 |
Singapore | 001 - 800-3687-7863 |
Spain | 00 - 800-3687-7863 |
Sweden | 00 - 800-3687-7863 (Telia) 00 - 800-3687-7863 (Tele2) |
Switzerland | 00 - 800-3687-7863 |
Taiwan | 00 - 800-3687-7863 |
United Kingdom | 00 - 800-3687-7863 0800 121 6078 +44 (0) 118 953 3088 |
Table of Contents
- Overview
- Contact Information
- Private Key Options
- Certificate information
- Shared Secrets
- Create
Table of Contents
- Overview
- Contact Information
- Private Key Options
- Certificate information
- Shared Secrets
- Create
Generate an SSL Certificate and Signing Request
Valid for versions 82 through the latest version
Last modified: October 7, 2019
Overview
This feature allows you to simultaneously generate both a self-signed SSL certificate and a certificate signing request (CSR) for a domain. You can also use this interface to generate private keys, which are essential for self-signed certificates and purchased certificates. To purchase a certificate, submit the CSR to your chosen certificate authority (CA). They will provide you with a certificate, typically in a
.zip
file via email.For more information, read our Purchase and Install an SSL Certificate documentation.
Contact Information
To receive the SSL certificate, private key, and CSR in an email, enter an email address in the Email Address text box.
Select the When complete, email me the certificate, key, and CSR. checkbox to receive a copy of the request that this interface generates.
Do not select this checkbox if your email service provider does not support secure mail via SSL/TLS.
Private Key Options
Select the desired key size from the Key Size menu. We recommend that you choose 2,048 bits.
Certificate information
To generate an SSL certificate and CSR, perform the following steps:
Generate Private Key For Ssl Certificate
- In the Domains text box, enter the domain name of the website that the certificate will secure.
- You can enter a wildcard-formatted domain name to install the same certificate on any number of subdomains if they share an IP address. For example, you can use a wildcard certificate for
*.example.com
to securely connect to themail.example.com
andwww.example.com
domains. - You can also enter multiple domains, with one domain per line.
- For more information about how to share SSL certificates, read our Manage SSL Hosts documentation.
- You can enter a wildcard-formatted domain name to install the same certificate on any number of subdomains if they share an IP address. For example, you can use a wildcard certificate for
- In the City text box, enter the complete name of the city in which your servers are located.
- In the State text box, enter the complete name of the state in which your servers are located.
- In the Country text box, select the country of origin for the certificate.
- In the Company Name text box, enter your business’s complete name.Some certificate authorities may not accept special characters in the Company Name and Company Division text boxes. If your company name includes symbols other than a period or a comma, ask your CA to confirm whether you can use these characters.
- In the Company Division section, enter the name of the department or group within the company. This information is optional.
- In the Email text box, enter a secure contact email address that your CA can use to verify domain ownership.
Shared Secrets
Enter a passphrase in the Passphrase text box if your certificate authority requires one for verification purposes.
Generate Ssl Certificate From Private Key
Create
After you enter the correct information, click Create. WHM will display the CSR with its SSL certificate and private key.
- Copy and paste these items into the correct directories.
- If you provided an email address, the system also sends the information to that email address.
- You can view the keys, certificates, and CSRs that you create in WHM’s SSL Storage Manager interface (WHM >> Home >> SSL/TLS >> SSL Storage Manager).
- CSR —
/var/cpanel/ssl/system/csrs
- SSL certificates —
/var/cpanel/ssl/system/certs
- Private keys —
/var/cpanel/ssl/system/keys
If you purchased an SSL certificate, provide the CSR to the company from which you purchased the SSL certificate.
If you used a self-signed certificate, navigate to the Install an SSL Certificate on a Domain interface (WHM >> Home >> SSL/TLS >> Install an SSL Certificate on a Domain) to install the certificate.