Windows Certificate is Missing its Private Key

We are in the process of renewing a certificate: we download the new certificate from GoDaddy or another certificate authority, import it into our Windows certificate store and find that the new certificate is missing its private key, because the message You have a private key that corresponds to this certificate does not appear. In this post we show how to repair the Windows certificate store with the CertUtil command certutil -repairstore my "CertificateThumbprint" when a Windows certificate is missing its private key.

When importing a certificate in Windows, unless the file used for the import contains the public/private key pair (i.e. a .pfx file), the imported certificate will not have its private key associated with it. If the private key is already present in the Windows certificate store (from a previous installation of the certificate, for example a certificate request generated on the same machine), we can use CertUtil to re-associate it with the imported certificate without having to reinstall the certificate from a public/private key file (.pfx).

How do we know if a certificate is associated with a private key?

In Windows, a certificate associated with an appropriate private key will show the message You have a private key that corresponds to this certificate.

A certificate NOT associated with an appropriate private key will not show the message You have a private key that corresponds to this certificate.

A certificate without an associated private key cannot be used by applications such as IIS.

We can run the following command in the Windows Command Prompt or PowerShell to fix a certificate that does not have a private key associated with it.

certutil -repairstore my "CertificateThumbprint"

CertificateThumbprint is the certificate's Thumbprint, which can be found in the Details tab of the certificate.

Please note that if we copy/paste the thumbprint directly into the command, it may carry a hidden special character with it. This character must be removed at the PowerShell prompt before CertUtil can locate the correct certificate; otherwise the console returns the errors CertUtil: -repairstore command FAILED: 0x80090011 (-2146893807 NTE_NOT_FOUND) and CertUtil: Object was not found.

Once we refresh the certificate console and re-open the certificate, the message You have a private key that corresponds to this certificate is now present.
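The whole procedure above, as an added PowerShell example that is not part of the original post: it strips any hidden characters from a pasted thumbprint, checks whether the certificate in the LocalMachine\My store already has a private key, runs certutil -repairstore only when it does not, and re-reads the certificate to confirm the result. It assumes the shell is elevated and that a certificate with the given thumbprint exists in that store.

```powershell
# Added example (not from the original post): repair a certificate that is
# missing its private key, guarding against the hidden character that
# copy/paste from the Details tab can prepend to the thumbprint.
# Assumes an elevated PowerShell session (the machine store needs admin rights).

param(
    # Thumbprint copied from the certificate's Details tab.
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint
)

# Keep only hexadecimal digits: this drops spaces and any invisible character
# picked up during copy/paste, which would otherwise cause NTE_NOT_FOUND.
$clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($clean.Length -ne 40) {
    throw "Expected a 40-character SHA-1 thumbprint, got $($clean.Length) hex characters."
}

$storePath = 'Cert:\LocalMachine\My'
$cert = Get-ChildItem -Path $storePath | Where-Object { $_.Thumbprint -eq $clean }
if (-not $cert) {
    throw "No certificate with thumbprint $clean found in $storePath."
}

Write-Host "Subject:         $($cert.Subject)"
Write-Host "Has private key: $($cert.HasPrivateKey)"

if ($cert.HasPrivateKey) {
    Write-Host 'Nothing to repair; the private key is already associated.'
    return
}

# Re-associate the certificate with a private key already present in the store
# from an earlier installation. "my" is the Personal store, as in the post.
& certutil.exe -repairstore my $clean
if ($LASTEXITCODE -ne 0) {
    throw "certutil -repairstore failed with exit code $LASTEXITCODE; check the CertUtil output above."
}

# Re-read the certificate: the object loaded before the repair is stale.
$cert = Get-ChildItem -Path $storePath | Where-Object { $_.Thumbprint -eq $clean }
Write-Host "Has private key after repair: $($cert.HasPrivateKey)"
```

Run it as .\Repair-CertKey.ps1 -Thumbprint "<paste from Details tab>" (a hypothetical file name); if the repair still reports a failure, the private key is not in this store and the certificate must be reinstalled from a .pfx.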

Please comment below with any suggestions, gotchas or if this has helped you in any way!
