Thursday, March 17, 2011

Renew SSL certificate exchange 2007

Solution 1:

Verisign has a support article that matches this error message: Their recommendation seems to be to replace the certificate with a new one. This method has worked for at least one of my customers in this place with a GoDaddy certificate. All they had to do was make a new certificate request (CSR text file), log into the the Godaddy web interface and re-key (we chose re-key rather than re-issue) their certificate. The new file processed fine.

Solution 2:

Begin by importing the .crt file into the Personal certificate store for the local computer. (Start button > Run: MMC > File Menu > Add/Remove Snap-in > highlight Certificates snap-in and click the ADD button > select Computer Account and click Finish > Click OK > drill into Personal > Certificates > right-click and select All Tasks > select Import > guide to the .crt file.) At this point your certificate is basically a half-certificate. It is still missing its private key.

Second, double-click the crt certificate file you just imported, select the Details tab, scroll all the way down to Thumbprint and highlight Thumbprint. In the lower pane, block and copy all the letters of the thumbprint. Paste the thumbprint characters into notepad. Open the command prompt and run this command: Certutil /?
The command you’ll want to run is:

certutil -repairstore my "{insert all of the thumbprint characters here}"

When you see the response: “CertUtil: -repairstore command completed successfully” you should have a private key associated with the .crt file in the personal store. There should no longer be any need to run through the “Complete Certificate Request…” wizard. The certificate should show up in the IIS Manager’s list of server certificates at this point. It should also be available in the SSL Certificates drop-down list when attempting to edit the https binding for a website.

Incidentally, a common way of attempting to deal with this error is to take the .p7b file from the Certification Authority and import the CA's certificates into the Trusted and Intermediate stores. As far as I can tell, this approach has no useful effect upon this problem.

Also, even though the Name for the cert is blank in IIS, this can be remedied through the MMC.

start -> run -> mmc -> File -> Add/Remove Snap-in -> select Certificates etc.

Then go to Certificates -> Personal -> Certificates -> select the desired cert, right click, properties -> set a friendly name. Easy.

No comments:

Post a Comment