Installing Security Certificate on Windows server 2012r2 / IIS

ROBERT LAPRADE
I have a Certificate that I am trying to install on IIS Windows Server 2012 R2. The certificate file is a CRT.
I have tried a number of methods including:

  • Convert the CRT to CER on the server I want to install on.
  • Choose "Complete certificate request" on the IIS / Server Certificates dialog.
  • Select the CER file, and choose "Web Hosting" for the store.

This ultimately gives me a "Failed to remove certificate" message.

If I choose "Personal" for the store, it will import, but then the certificate does not show in the list for binding to the web site.

I have Googled a lot of posts regarding this, but have not been able to resolve this issue.

I am hoping to get some advice to be able to install this cert properly.
btan (Exec Consultant, Distinguished Expert 2018)

Commented:
May want to take a look at this and see if there is any difference in steps taken. And also this note
There is a known issue in IIS 8 giving the following error: Failed to remove the certificate If this is the same server that you generated the CSR on then, in most cases, the certificate is actually installed. Simply cancel the dialog and press "F5" to refresh the list of server certificates. If the new certificate is now in the list, then it did install to the server. If it is not in the list, you will need to reissue your certificate using a new CSR.
The one .cer file should contain your domain SSL server certificate and any required intermediate CA certificates in PKCS#7 (P7B) format.
https://www.geocerts.com/support/install-ssl-certificate-microsoft-iis-8
Distinguished Expert 2017

Commented:
I think the issue is you are trying to perform two steps in one.
First complete the certificate, main store. Then you go through the binding to select the new certificate.

Author

Commented:
Thanks for the response.
Let me provide an update.

1. The original Windows server 2012 R2 that the CA was imported to ( Requested from ) crashed.
2. It appears that the original team that installed the certificate either did not create a PFX export or never saved it into source control. There are other PFX files in source control for the older expired certs.
3. The import of the CRT files from the original issuer completes successfully, however, there is no private key associated with the imported certificate. My assumption at this point is that is due to the original CSR coming from a different server.

My question now is what are the steps to correct this problem:
1. Contact the issuer (Sectigo Certification Authority) to get an updated cert file? If so, what are the steps on IIS or MMC to accomplish this?
2. The cert file, when opened, does not show me the original CSR data for Common Name, Organization, Organizational Unit, City State Country.

Thanks for your help with this issue.

Distinguished Expert 2017

Commented:
Well, it depends on whether the new certificate used one of the older/expired keys.

You could use one of the older PFX files with openssl to convert it into DER format.

Then use the new cert with the private key from the PFX (the converted private key in DER format);
combine the two and use openssl to convert the pair into a PFX.

In a case where a CSR was generated and the server where that CSR was generated is unavailable, your only option is to check with the vendor through whom you purchased the certificate whether you can use a new CSR for them to sign with the same duration as the current certificate.

i.e. the current certificate is valid through 8/2020;
they will re-sign the new CSR setting its expiration as 8/2020, i.e. a reissue of a certificate you purchased,
in a similar way as if the certificate host was compromised and you needed to get a replacement certificate using a different key.

Whether it is a cost free transaction depends on the entity from whom you purchased the certificate.

Author

Commented:
Thanks for the quick response.
I opened an issue with the original vendor about options there.

I will look into the OpenSSL suggestion.
Distinguished Expert 2017

Commented:
The openssl option will only work if the same key was used to generate the new CSR.

In that case, you can use another site, even one not running, on which to generate the new CSR, and submit it as part of your request.
They will not have a key, so they will need a CSR to sign, if they will; or your process will just be extended in time.
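The openssl route described in the two replies above (pull the private key out of an older PFX, combine it with the new certificate into a fresh PFX) only helps when the new certificate was actually issued for that key, and the fallback when no matching key survives is a brand-new key and CSR sent to the CA for reissue. The script below is an added example written for this thread, not code from any of the participants; it assumes the openssl command-line tool is on PATH, and every file name, host name and password in it is a placeholder. It adds the check the reply warns about, comparing the public key inside the certificate with the one derived from the candidate private key, and refuses to build a PFX on a mismatch.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the openssl CLI is on PATH.
# File names, host names and passwords are placeholders supplied by the caller.

# Pull the unencrypted private key out of an existing PFX (PKCS#12) export.
# Usage: extract_key_from_pfx OLD.pfx PASSWORD OUT.key
# PFX files exported by older Windows releases use RC2/3DES; with OpenSSL 3.x
# add '-legacy' to this command if it reports an unsupported algorithm.
extract_key_from_pfx() {
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" -out "$3"
}

# Print the certificate's public key as PEM, accepting either a PEM or a
# DER-encoded .crt/.cer file (IIS users run into both encodings).
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        || openssl x509 -in "$1" -inform DER -noout -pubkey 2>/dev/null
}

# Return 0 only if the certificate was issued for this private key, i.e. the
# public key embedded in the certificate equals the one derived from the key.
# This is the precondition the reply mentions: without it the pair is useless.
# Usage: match_cert_key NEW.crt CANDIDATE.key
match_cert_key() {
    cert_pub=$(cert_pubkey "$1")
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Build the PFX that IIS can import, refusing to proceed on a key mismatch.
# OpenSSL 3 defaults to AES/PBKDF2 inside the PFX, which older Windows
# releases cannot import ("password is incorrect"), so the SHA1/3DES
# parameters they do understand are requested explicitly.
# Usage: build_pfx NEW.crt MATCHING.key OUT.pfx EXPORT_PASSWORD
build_pfx() {
    if ! match_cert_key "$1" "$2"; then
        echo "refusing to build PFX: private key does not match certificate $1" >&2
        return 1
    fi
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4" \
        -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1
}

# Fallback when no matching key survives: create a new key and CSR on any
# machine and send only the CSR to the CA for reissue; the key never leaves
# this host. Usage: new_key_and_csr FQDN OUT.key OUT.csr
new_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$2" -out "$3" 2>/dev/null \
        && openssl req -in "$3" -noout -verify >/dev/null 2>&1
}
```

If the CA also supplied intermediate certificates, append `-certfile chain.pem` to the `openssl pkcs12 -export` call so the chain is bundled into the same PFX; the key check itself is unaffected by the chain.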
btan (Exec Consultant, Distinguished Expert 2018)

Commented:
If the PFX has expired, you may not use it in any case. Nonetheless, if there is a chance to recover, here is a link for your reference:

Automated certificate key recovery script: recovers all existing private keys from the CA and saves them in a PFX file using standard key recovery processes and existing KRA certificates. However, without the KRA certificate it is not possible to recover and decrypt the private key. A rebuild is inevitable and reissue of keys may be necessary if recovery is not possible anywhere.

http://christianlechner.blogspot.sg/2015/12/mass-processiong-of-certificate-key.html
Sr. Systems Administrator
Commented:
When you add the Certificates Snap-In, are you pointing it to the user account store or the computer's store?

Author

Commented:
Thanks for all of the advice. After contacting the CA vendor preparing to re-issue the cert with the new server key, another resource from the past found the PFX for the original cert. We were able to install that on the new server to resolve the issue.