Fix the IIS 7 "No Private Key" Error Message

This article will show you how to correct the “No Private Key” error message in Windows Internet Information Server (IIS).

If you receive this error, it indicates that a previous attempt to import the certificate in IIS failed to include the private key.

To correct this, you will:

  1. Import the certificate into the personal store using Microsoft Management Console (MMC)
  2. Capture the serial number for the certificate in question
  3. Run the certutil program to repair the store
  4. Export the corrected certificate
  5. And finally re-import the certificate via IIS.


Importing the Certificate with MMC

1. Open MMC on your computer (you can locate this program by typing “mmc” in your Windows search bar).

IIS7_No_Private_Key_Error_fix_01

2. Select “File > Add/Remove Snap-in” (or type Control-M). Select “Certificates” and click the Add button.

IIS7_No_Private_Key_Error_fix_02

3. Select “Computer account” and click Next

IIS7_No_Private_Key_Error_fix_03_1

…then direct the snap-in to manage the “Local computer” and click Finish.

IIS7_No_Private_Key_Error_fix_03_2

4. Click OK to add the snap-in.

5. Next, navigate to the “Certificates (Local Computer) > Personal > Certificates” folder.

IIS7_No_Private_Key_Error_fix_05_1

6. Right-click the folder and select “All tasks > Import” from the menu to open the Certificate Import Wizard.

IIS7_No_Private_Key_Error_fix_06_1

7. In the Import Wizard, make sure “Local Machine” is selected and hit Next.

IIS7_No_Private_Key_Error_fix_07_1

8. Locate and designate the target certificate (it should be in the .p7b format), then press Next.

IIS7_No_Private_Key_Error_fix_08_21

9. Set the wizard to place the imported certificates in the “Personal” store. Hit Next to proceed.

IIS7_No_Private_Key_Error_fix_09

10. Check the settings, then click Finish to import the certificate.

IIS7_No_Private_Key_Error_fix_10_11_12.

 


Capture the Serial Number

11. Double-click to open the certificate, then select the “Details” tab to find and capture the serial number.

IIS7_No_Private_Key_Error_fix_11_1


Run the certutil Program

12. In order to perform the next step, you will need to open a command line session with administrator privileges. The most straightforward way to do this is to perform a search for “cmd”, then right-click the cmd icon and select “Run as administrator”. (Choose “Yes” if asked if you wish to allow this program to make changes on the computer.)

IIS7_No_Private_Key_Error_fix_12

13. At the command line, enter the following command, using your captured serial number:
certutil -repairstore my "PLACE_SERIAL_NUMBER_HERE"
Make certain and place the serial number between the quote marks as shown.  **It is best to actually type the serial number as the paste function can sometimes lose a character in the cmd window.

 

IIS7_No_Private_Key_Error_fix_13

14. If successful, this command will return some information about the certificate and a confirmation message.

IIS7_No_Private_Key_Error_fix_14

15. Close the command session and refresh MMC.

IIS7_No_Private_Key_Error_fix_15


Export the Corrected Certificate

16. Right-click the certificate and select “All tasks > Export” to open the Certificate Export Wizard.

IIS7_No_Private_Key_Error_fix_16

17. After clicking through the Wizard’s welcome page, make sure that the option is set to “Yes, export the private key” and click Next.

IIS7_No_Private_Key_Error_fix_17_1

18. Choose the format for the exported certificate (here, a PKCS # 12 -encoded, or .PFX file). Make sure to check the boxes to include all certificates in the path and to export all extended properties, then click Next.

IIS7_No_Private_Key_Error_fix_18_1

 

19. You will be prompted for a password to protect this certificate bundle (a good idea, since it incorporates your private key). Create and confirm your password, then click Next.

IIS7_No_Private_Key_Error_fix_19_1

20.  Select the name and location of the file you are exporting. You may browse to a location you prefer – make sure to save the file with the .pfx extension.

Note: Including the date is a good way to differentiate this certificate file from other ones.

IIS7_No_Private_Key_Error_fix_20_1

21. Review the information. If this all looks correct, click Finish.

IIS7_No_Private_Key_Error_fix_21_1

You will receive confirmation that the export was successful.

IIS7_No_Private_Key_Error_fix_22


Re-importing the Certificate with IIS

You will now have a file you can re-import via IIS without throwing the “No Private Key” error. SSL.com has general instructions on how to do this in a separate article here. For our purposes, just remember to choose “Import” instead of “Complete Certificate Request” when processing this certificate and to enter the password when prompted.

IIS7_No_Private_Key_Error_fix_iis_1
Remember also to set the Type to “https” and the Port to “443” (unless otherwise instructed by your network administrator) when binding the certificate to the site.

IIS7_No_Private_Key_Error_fix_iis_2


As always, contact us at SSL.com if you have any questions.