Orchestrator Error " SSL Certificate Does Not Have The Private Key"

Error fix for SSL certificate error "certificate does not have private key" .

The private key resides on the server that generated the Certificate Signing Request (CSR). When installed correctly, the Server Certificate will match up with the private key as displayed below:


If the private key is missing, the circled message indicating a good correspondence with private key will be missing as shown here:


A missing private key could mean,

  • The certificate is not being installed on the same server that generated the CSR.
  • The pending request was deleted from IIS.
  • The certificate was installed through the Certificate Import Wizard rather than through IIS.
There are three parts to this solution:
  1. Snap-In Configuration
  2. Import the Server Certificate
  3. Recover the private key
  1. Snap-In Configuration : Use the following steps to add the Certificates snap-in,
  1. Click Start, and then search for Run.
  2. Type in mmc and click OK.
  3. From the File menu, choose Add/Remove Snap-in.
  4. Select Certificates and then Add.
User-added image
  1. Choose the Computer account option and click Next.
  2. Select Local Computer and then click Finish.
  3. Click Close, and then click OK. The snap-in for Certificates (Local Computer) appears in the console.
User-added image

  1. Import the Server Certificate
Use the following steps to import Server Certificate into the Personal certificate store. If the Server Certificate has already been imported into the Personal store, skip this step.

From the MMC console opened in the above steps:
  1. Expand the Certificates (Local Computer) tree in the left preview panel
  2. Right-click Personal and select All Tasks > ImportUser-added image
  3. The Certificate Import Wizard appears. Click Next
  4. Browse to the location of your Server Certificate file and click Next
User-added image
  1. Select Place all certificates in the following store and click Next
  2. Click Finish to complete the Certificate Import Wizard
User-added image
  1. A dialog box appears indicating the import was successful. Click OK.
  1. Recover the Private Key: Use the following steps to recover the private key using the certutil command,
  1. Locate your Server Certificate file by opening Microsoft Internet Information Services Manager, then on the right side select Tools > Internet Information Services (IIS) Manager.User-added image
  2. Once in IIS Manager, select server, then on the right side, Server Certificates. All certificates currently on that server will be visible now. Scroll over the certificate to install, right click, then select View.
User-added image
  1. There, view the certificate information. As seen, there is no indication of a good correspondence with the private key.
  2. Click the Details tab. Write down the serial number of the certificate.
User-added image
  1. Recover the private key using a command prompt. In order to recover the key, we must do so using command prompt as an administrator. To do so, slick Start, then on then open all App. Under Windows System, find Command Prompt. Right click Command prompt and then Run as administrator. Confirm the action and continue.
  2. Make sure to be on the right directory in command prompt.
e.g., if the server directory is “c:/users/srv2012_r2_std_x64”, on the command line type “cd c:/users/srv2012_r2_std_x64”. Note that “cd” is the command used to change directories in command prompt.
  1. Now in the right place, enter the following command at the prompt: certutil –repairstore my where is the serial number obtained in Step 2 with spaces removed.
User-added image
  1. If Windows is able to recover the private key, the message visible is ,
  • CertUtil: -repairstore command completed successfully.
User-added image
  1. If the private key was recovered successfully, the Server Certificate installation is complete.