To install a Web server certificate that lacks a pending certificate request:
1. Click Start > point to Run > type cmd > click OK.
2. Navigate to the directory where Certutil.exe is stored; by default, this is %windir%\system32.
3. Type the following command at the command prompt: certutil -addstore my certnew.cer
where certnew.cer is the name of the certificate you received from the certification authority (CA).
You should see the following message:
CertUtil: -addstore command completed successfully.
4. Navigate to the directory where you stored the certificate you received from the CA. Double click the saved certificate.
5. Click the Details tab and select <All> in the Show drop-down list.
6. In the Field list, select Thumbprint to display its value in the view pane.
7. Select the Thumbprint value in the view pane and then click CTRL+C.
8. Return to the command prompt window and type the following command: certutil -repairstore my "thumbprint"
where thumbprint is the value of the Thumbprint field. Be sure to type the double quotes as part of the command.
If the command is successful, the following message is displayed: "Encryption test passed CertUtil: = repairstore command completed successfully."
Install the server certificate on your Web server.
IMPORTANT:
If the certutil command does not complete successfully, the following error message is displayed:
"Certutil: -repairstore command FAILED: 0x80090011 (-2146893807) Certutil: Object was not found."
This message indicates that the private key for the certificate does not exist in the certificate store. You cannot install the certificate you obtained from the CA. Instead, you must generate a new certificate request, obtain the new certificate, and install that new certificate on your Web server.
IIS stores the private key for a certificate as the pending request. Deleting the pending request deletes the association of the private key with IIS, but the private key still exists in the certificate store.
To install the certificate without having the pending request available, you can use version 5.2.3718.0 of the Certutil.exe command-line tool that is available through the Certificate Services MMC snap-in in Windows Server 2003.
1. Click Start > point to Run > type cmd > click OK.
2. Navigate to the directory where Certutil.exe is stored; by default, this is %windir%\system32.
3. Type the following command at the command prompt: certutil -addstore my certnew.cer
where certnew.cer is the name of the certificate you received from the certification authority (CA).
You should see the following message:
CertUtil: -addstore command completed successfully.
4. Navigate to the directory where you stored the certificate you received from the CA. Double click the saved certificate.
5. Click the Details tab and select <All> in the Show drop-down list.
6. In the Field list, select Thumbprint to display its value in the view pane.
7. Select the Thumbprint value in the view pane and then click CTRL+C.
8. Return to the command prompt window and type the following command: certutil -repairstore my "thumbprint"
where thumbprint is the value of the Thumbprint field. Be sure to type the double quotes as part of the command.
If the command is successful, the following message is displayed: "Encryption test passed CertUtil: = repairstore command completed successfully."
Install the server certificate on your Web server.
IMPORTANT:
If the certutil command does not complete successfully, the following error message is displayed:
"Certutil: -repairstore command FAILED: 0x80090011 (-2146893807) Certutil: Object was not found."
This message indicates that the private key for the certificate does not exist in the certificate store. You cannot install the certificate you obtained from the CA. Instead, you must generate a new certificate request, obtain the new certificate, and install that new certificate on your Web server.
IIS stores the private key for a certificate as the pending request. Deleting the pending request deletes the association of the private key with IIS, but the private key still exists in the certificate store.
To install the certificate without having the pending request available, you can use version 5.2.3718.0 of the Certutil.exe command-line tool that is available through the Certificate Services MMC snap-in in Windows Server 2003.