Windows Server 2019 randomly removes private key associated with working pfx

pavel krastev 6 Reputation points
2022-03-24T18:30:06.903+00:00

Greetings,
We are struggling with an issue related to Windows Server 2019:
We import a PFX certificate using the GUI, certutil or the PowerShell Import-PfxCertificate command into the LocalMachine\Personal store and, all of a sudden, without any reason, the private key associated with the certificate disappears.
Details about the PFX certificate: it is correctly exported from another working server with the private key and password.

Details about the server: CIS Windows Server 2019; it is supposed to work as an IIS server and be part of a domain, but we cannot reach the point where the certificate is not problematic.

What we tried so far:
Deleting and importing the certificate back – the result is the same after some time.
Repairing the certificate store LocalMachine\Personal – after a reboot the personal certificate disappears again.
We tried all steps both outside the domain network and inside the domain network.

There is nothing in the Event Viewer logs that could lead us to the source of the problem.

Windows for business | Windows Server | User experience | Other

1 answer

  1. Limitless Technology 39,926 Reputation points
    2022-03-28T12:30:04.963+00:00

    Hello @pavel krastev

    Users may occasionally encounter an issue where an imported certificate disappears from the list of server certificates. Most often, this happens right after completing a certificate request in Internet Information Services (IIS) Manager or the Exchange Management Console and refreshing the list of certificates.

    The lists of server certificates in IIS and EMC contain only certificates that are assigned to the corresponding private key generated along with the certificate signing request (CSR) used for activating a particular certificate. When the link between the certificate and the private key is broken for some reason, the certificate disappears.

    To troubleshoot this issue, go to the Details tab in the certificate properties once it is imported, locate the Serial Number field, click on it and copy its value. Then, from an elevated console, run: certutil -repairstore my certificate_serial_number

    If you receive the error “CertUtil: -repairstore command FAILED: 0x80090010”, this means that the certificate request was generated on another server and the private key is absent on this one.

    You can additionally assign a new private key to the certificate using the following guide: https://learn.microsoft.com/en-us/troubleshoot/developer/webapps/iis/development/assign-certificate-private-key

    Hope this helps with your query,

    --------------

    --If the reply is helpful, please Upvote and Accept as answer--

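The following PowerShell script is added here as an example; it is not from the thread above and not from Microsoft's documentation. It turns the answer's manual check (does the store entry still have a usable private key, and does certutil -repairstore fix it?) into something that can be scheduled, so that the moment the key reference breaks is recorded even though, as the question notes, the Event Log shows nothing. It assumes Windows PowerShell 5.1 on Windows Server 2019, an elevated session, the Cert:\LocalMachine\My store, and a placeholder CSV log path that you would change for your environment.

```powershell
# Added example, not part of the original thread. Assumptions: Windows PowerShell 5.1
# on Windows Server 2019, elevated session, store Cert:\LocalMachine\My, and a
# placeholder log path that should be adjusted before use.

function Get-CertificateKeyStatus {
    # Lists every certificate in the store and reports whether its private key can
    # actually be opened. HasPrivateKey only says that a key reference is recorded
    # in the store; the key container itself can be gone, which is the "link between
    # certificate and private key is broken" state the answer describes.
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        $keyState = 'NoKeyReference'
        if ($cert.HasPrivateKey) {
            try {
                $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($null -eq $key) {
                    $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
                }
                $keyState = if ($null -ne $key) { 'Present' } else { 'UnsupportedAlgorithm' }
            } catch {
                # A typical message here is "Keyset does not exist": the store entry
                # still points at a key container that is no longer on disk.
                $keyState = "Broken: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            Checked      = (Get-Date).ToString('s')
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            SerialNumber = $cert.SerialNumber
            NotAfter     = $cert.NotAfter
            PrivateKey   = $keyState
        }
    }
}

function Repair-CertificateKeyLink {
    # Wraps the certutil -repairstore step from the answer and returns the exit
    # code and output as an object so the result can be logged rather than read
    # off the console. Exit code 0 means certutil rebuilt the key/certificate link.
    param(
        [Parameter(Mandatory)][string]$SerialNumber,
        [string]$StoreName = 'my'
    )
    $output = & certutil.exe -repairstore $StoreName $SerialNumber 2>&1 | Out-String
    [pscustomobject]@{
        SerialNumber = $SerialNumber
        ExitCode     = $LASTEXITCODE
        Succeeded    = ($LASTEXITCODE -eq 0)
        Output       = $output.Trim()
    }
}

# Usage: record the state of every certificate, then try to repair the ones whose
# key reference is broken. Running this on a schedule (for example every 15
# minutes) leaves a timestamped record of when the key went missing.
$logPath = 'C:\ProgramData\CertKeyWatch\keystatus.csv'   # placeholder path
New-Item -ItemType Directory -Path (Split-Path $logPath) -Force | Out-Null

$status = Get-CertificateKeyStatus
$status | Export-Csv -Path $logPath -Append -NoTypeInformation

foreach ($entry in ($status | Where-Object { $_.PrivateKey -like 'Broken:*' })) {
    $result = Repair-CertificateKeyLink -SerialNumber $entry.SerialNumber
    Write-Output ('repairstore {0}: exit code {1}' -f $entry.SerialNumber, $result.ExitCode)
    Write-Output $result.Output
}
```

The distinction the script draws matters for this thread: a certificate whose key was never imported shows up as NoKeyReference, while one whose key reference survives but whose key container has vanished shows up as Broken, and only the latter is something certutil -repairstore can try to fix on the same machine. Comparing consecutive CSV rows for the same thumbprint shows exactly which run first observed the change, which narrows down what else (reboot, policy refresh, hardening task) ran in that window.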
