Entrust Datacard

Entrust Certificate Services Support Knowledge Base

Last Modified: 2016-09-07 15:42:07.0

What are the steps to recover the private key of an SSL certificate in an IIS environment?

Article Number: 46293


The SSL certificate is installed but the private key is missing. What are the steps to recover the private key of an SSL certificate in a Microsoft Internet Information Services (IIS) environment?


Entrust SSL certificates do not include a private key. The private key resides on the server that generated the Certificate Signing Request (CSR). When installed correctly, the Server Certificate will match up with the private key as displayed below.





If the private key is missing, this could mean:

  • The certificate is not being installed on the same server that generated the CSR.
  • The pending request was deleted from IIS.
  • The certificate was installed through the Certificate Import Wizard rather than through IIS.



To recover the private key, follow the procedures below.


Part 1 - Snap-In Configuration

Use the following steps to add the Certificates snap-in:

  1. Click Start, and then click Run.
  2. Type in mmc and click OK.
  3. From the File menu, choose Add/Remove Snap-in.
  4. In the new window that appears, click Add.
  5. Select Certificates and then click Add.


  1. Choose the Computer account option and click Next.


  1. Select Local Computer and then click Finish.


  1. Click Close, and then click OK. The snap-in for Certificates (Local Computer) appears in the console.


Part 2 - Import the Server Certificate

Use the following steps to import your Server Certificate into the Personal certificate store. (If the Server Certificate has already been imported into the Personal store, you may skip this step.)

From the MMC console opened in the above steps:

  1. Expand the Certificates (Local Computer) tree in the left preview panel.


  1. Right-click Personal and select All Tasks > Import.


  1. The Certificate Import Wizard appears. Click Next.
  2. Browse to the location of your Server Certificate file and click Next.




  1. Select Place all certificates in the following store and click Next.




  1. Click Finish to complete the Certificate Import Wizard.




  1. A dialog box appears indicating the import was successful. Click OK.




Part 3 - Recover the Private Key

Use the following steps to recover your private key using the certutil command.

  1. Locate your Server Certificate file (for example, server.cer) and double-click it. The Certificate dialog box appears.



  1. Click the Details tab. Write down the 8-character serial number of the certificate.


  1. Click Start > Run.
  2. Type cmd and click OK. A Command Prompt window opens.
  3. Enter the following command at the prompt: 

certutil –repairstore my <serial number>

Where <serial number> is the 8-character serial number obtained in Step 2 (spaces removed).


6.      If Windows is able to recover the private key, you see the following message:

CertUtil:  -repairstore command completed successfully.

7.     If your private key was recovered successfully, your Server Certificate installation is complete. If the private key was not recovered successfully, you will need to generate a new Certificate Signing Request and submit it to Entrust to have your certificate re-issued.


Affected Products:

  • Entrust Certificate Services 1 Year Advantage SSL Certificate Version Not Applicable Language Not Applicable Platform Not Applicable