How to assign a private key to a new certificate after you use the Certificates snap-in to delete the original certificate in Internet Information Services


This article describes how to recover a private key after you use the Certificates Microsoft Management Console (MMC) snap-in to delete the original certificate in Internet Information Services (IIS). You delete the original certificate from the personal folder in the local computer's certificate store. This article assumes that you have the matching certificate file backed up as a PKCS#7 file, as a .cer file, or as a .crt file.

More Information

When you delete a certificate on a computer that is running any one of the following versions of Microsoft Internet Information Services (IIS), the corresponding private key is not deleted:
  • Microsoft Internet Information Services 5.0
  • Microsoft Internet Information Services 5.1
  • Microsoft Internet Information Services 6.0
To assign the existing private key to a new certificate, you must use the Microsoft Windows Server 2003 version of Certutil.exe. To do this, follow these steps:
  1. Log on to the computer that issued the certificate request by using an account that has administrative permissions.
  2. Click Start, click Run, type mmc, and then click OK.
  3. On the File menu, click
    Add/Remove Snap-in.
  4. In the Add/Remove Snap-in dialog box, click Add.
  5. Click Certificates, and then click
  6. In the Certificates snap-in dialog box, click Computer account, and then click
  7. In the Select Computer dialog box, click
    Local computer: (the computer this console is running on), and then click Finish.
  8. Click Close, and then click
  9. In the Certificates snap-in, expand
    Certificates, right-click the Personalfolder, point to All Tasks, and then click
  10. On the Welcome to the Certificate Import Wizard page, click
  11. On the File to Import page, click
  12. In the Open dialog box, click the new certificate, click Open, and then click
  13. On the Certificate Store page, click
    Place all certificates in the following store, and then click
  14. In the Select Certificate Store dialog box, click Personal, click OK, click
    Next, and then click Finish.
  15. In the Certificates snap-in, double-click the imported certificate that is in the Personal folder.
  16. In the Certificate dialog box, click the
    Details tab.
  17. Click Serial Number in the Field column of the Details tab, highlight the serial number, and then write down the serial number.
  18. Click Start, click Run, type cmd, and then click OK.
  19. At the command prompt, type the following:
    certutil -repairstore my "SerialNumber"

    SerialNumberis the serial number that you wrote down in step 17.
  20. In the Certificates snap-in, right-click
    Certificates, and then click Refresh.

    The certificate now has an associated private key.
You can now use the IIS MMC to assign the recovered keyset (certificate) to the Web site that you want.


For additional information about backing up server certificates in IIS 5.0, click the following article number to view the article in the Microsoft Knowledge Base:
232136 How to back up a server certificate in Internet Information Services 5.0

For additional information about key archival and management in Windows Server 2003, visit the following Microsoft Web site: