It wouldn't be entirely incorrect to say that Microsoft Certificate Infrastructure, or Public Key Infrastructure (PKI), is not among the easier technologies in the Microsoft stable. As you learn it, though, you will find it to be one of the most logical. Either way, today's article is not about understanding PKI; it is about dealing with it in our daily technological needs.
Nowadays, in order to be encrypted or secured, most applications have a certificate installed, and once a year that certificate needs to be renewed.
The renewal process is quite simple. If you still have access to the previous host and simply want to renew the existing certificate, ask the Certificate Authority (CA), such as Verisign or GoDaddy, to renew it, download the fresh certificate and install it on the server. Alternatively, you may redo the whole process: generate a new request from the client, submit it to the CA (such as GoDaddy), receive the issued certificate and install it on the server.
Unfortunately the task does not end there: we also have to assign this certificate to the application for which we installed it, such as IIS or Exchange. One daunting issue I have seen is that, despite the certificate having been installed in the server's Computer store (the place where all certificates installed on a computer are visible) and being plainly visible there, you either get an error like "Certificate not found" via the CLI or, via the GUI, the certificate may not even be offered for selection.
The reason you cannot assign the certificate is that the certificate you just installed is not yet complete. A certificate is a combination of a public and a private key. You may not be able to see the difference, but the application cannot use the certificate because it does not see a private key associated with it. Open the Certificates computer snap-in again: if you have more than one certificate there, you will notice that the working certificates have a small key icon on top of them, while your certificate does not. Refer to the image below, where you can see the missing private key.
So where is the private key? The private key resides on the computer that first requested this certificate, that is, the system used to generate the CSR (Certificate Signing Request) for it. The private key never left that computer; the CA generated the certificate and sent it back to the server. It is the server's responsibility to ensure that the right private key gets associated with the right certificate, but at times this fails.
Now that we know the certificate is missing its private key, we need to re-associate the two so that the certificate can be assigned to the required applications. The re-association process is simple, but it only works on the server from which the CSR was originally generated.
Let's say you have an Exchange server named Exch1, you generated a CSR on it back in 2008, and you subsequently got a certificate issued by GoDaddy with a validity of two years. Now the certificate has expired, you renew it on GoDaddy for another two years, download the renewed certificate and install it on Exch1, and you see that it is missing the private key and is hence unusable. Because this is the same server that generated the CSR, it is bound to still hold the private key. All that is needed is to run the following command with the certificate's serial number; once you get the success message, go back, refresh the certificate store and you should see the private key icon.
Steps to follow:
Double-click the problem certificate in the certificate store to open it.
Check its details and make a note of the serial number.
Execute the following command for that serial number:
certutil -repairstore my "SerialNumber"
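The same repair as a script, as an added example that is not part of the original post: it lists the certificates in the computer store that have no private key, runs certutil -repairstore for the serial number you supply, and then confirms the key is attached. It assumes an elevated PowerShell session on the server that generated the CSR; the serial number is a placeholder.

```powershell
# Added example (not from the original post). Run elevated on the server
# that generated the CSR. The serial number below is a placeholder; paste
# the one shown in the certificate's Details tab (spaces are removed).

$store = 'Cert:\LocalMachine\My'

# 1. Show every certificate in the computer store that lacks a private key
$broken = Get-ChildItem -Path $store | Where-Object { -not $_.HasPrivateKey }
$broken | Format-Table -AutoSize Subject, NotAfter, SerialNumber, Thumbprint

# 2. Serial number of the renewed certificate (placeholder value)
$serial = 'PLACEHOLDER SERIAL NUMBER'.Replace(' ', '')

# 3. Re-associate the certificate with the private key still held here
certutil -repairstore my "$serial"
if ($LASTEXITCODE -ne 0) {
    throw 'certutil -repairstore failed; it only works on the server where the CSR was generated'
}

# 4. Confirm the private key is now attached (equivalent to the key icon in the snap-in)
$fixed = Get-ChildItem -Path $store | Where-Object { $_.SerialNumber -eq $serial }
if ($fixed -and $fixed.HasPrivateKey) {
    Write-Host "Private key restored for $($fixed.Subject)"
} else {
    Write-Warning 'Certificate still has no private key; check the serial number and the server'
}
```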
Let's consider another scenario: you requested a certificate from Exch1 and installed it there back in 2008. Then you brought another Exchange server (or any other server), Exch2, into your environment. As you needed the certificate on Exch2 as well, you exported it from Exch1 along with its private key (Private Key Exportable = True*) and installed it on Exch2. After two years the certificate expired and you renewed it on GoDaddy. Its private key is still on Exch1, so to fix the renewed certificate it needs to be installed on Exch1 and the certutil -repairstore command run there to restore its private key. Once the private key is restored, export the certificate again and import it on Exch2. If for any reason Exch1, or rather the computer that was used to generate the CSR, no longer exists, it is best to request a fresh certificate rather than trying to renew it, as there is no way to get its private key back.
Private Key Exportable: this is an attribute of each certificate, and depending on whether it is set to True or False you can or cannot export the certificate with its private key. If it is set to False, you cannot export the certificate with its private key, so it is pretty much unusable on any other server. Public registrars like GoDaddy and Verisign usually set this to True.
PKI is a vast sea of knowledge and issues; this article is just a quick tip about a problem I see people facing every now and then. I hope this helped you; otherwise you may reach out to us for more support options.
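The second scenario, as an added example that is not from the original post: after the repair on Exch1, it checks that the private key is attached, exports the certificate with its key to a password-protected PFX, and imports it into the computer store on Exch2. It assumes the PKI PowerShell module (Export-PfxCertificate / Import-PfxCertificate, Windows Server 2012 or later); the thumbprint and file path are placeholders.

```powershell
# Added example (not from the original post). First part runs on Exch1
# after certutil -repairstore; second part runs on Exch2 once the PFX has
# been copied there. Thumbprint and path are placeholders.

$thumbprint = 'PLACEHOLDER_THUMBPRINT'
$pfxPath    = 'C:\Temp\renewed-cert.pfx'          # placeholder path
$pfxPass    = Read-Host -AsSecureString -Prompt 'PFX password'

# --- On Exch1, the server that generated the CSR ---
$cert = Get-Item -Path "Cert:\LocalMachine\My\$thumbprint"
if (-not $cert.HasPrivateKey) {
    throw 'No private key attached; run certutil -repairstore my on this server first'
}

# Export certificate plus private key. A key whose Private Key Exportable
# attribute is False cannot be exported; the error is caught and reported.
try {
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPass -ErrorAction Stop | Out-Null
} catch {
    throw "Export failed (private key may be non-exportable): $($_.Exception.Message)"
}

# --- On Exch2, after copying the PFX over ---
# Import into the computer store, keeping the key exportable for future moves
Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation 'Cert:\LocalMachine\My' `
    -Password $pfxPass -Exportable -ErrorAction Stop | Out-Null

# Confirm Exch2 now holds the certificate together with its private key
$imported = Get-Item -Path "Cert:\LocalMachine\My\$thumbprint"
if ($imported.HasPrivateKey) {
    Write-Host "Private key present on $env:COMPUTERNAME for $($imported.Subject)"
} else {
    Write-Warning 'Imported certificate has no private key'
}

# The PFX contains the private key: delete it once both servers are done
Remove-Item -Path $pfxPath -Force
```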