Reassign the private key after deleting a certificate from the snap-in

In case we delete, by mistake, a certificate using the Certificate snap-in, we can still restore it. In order to do this, we need to import the certificate again and reassign the stored private key to it, without having to create a new request.

The following article was published for IIS, but it also applies to Lync/SfB Server and to Exchange Server:

How to assign a private key to a new certificate after you use the Certificates snap-in to delete the original certificate in Internet Information Services
https://support.microsoft.com/kb/889651

The first step is to import the certificate again to the Computer Personal Store:

privatekey01

After importing the certificate, if it doesn’t have the private key assigned, we cannot use the certificate in any Lync/SfB Server service.

Now we need to take note of the certificate Serial Number. We can get it either in the certificate Details tab:

privatekey02

Note: This is a lab CA and that is why the serial number is just 02, because normally you will have something like ‎04 3b df f8 25 84 cd. This serial number is given by the CA and it is the Serial Number that will be included in the CRL if the certificate is revoked.

Or use the Certutil store switch:

certutil -store my

https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)

privatekey03a

In a Command Prompt/PowerShell, we run the certutil with the repairstore switch:

certutil -repairstore my “Serial Number

 privatekey03

Alternatively, we can use the certificate index in the store. The index number is returned by the certutil -store my command:

privatekey03c

certutil -repairstore my 1

privatekey03b

If the private key is successfully assigned, we will see it in the Computer Personal Store after refreshing it:

privatekey04

Please note that sometimes the private key is lost and we will have to create a new request.

This method will also work if we change Certificate Common Name or add/remove FQDN to the SAN. In this case, we need to follow these steps:

  1. Request the changes in the Certificate Authority online website (note that if we re-key the certificate, we need to import the certificate as usual);
  2. Download the certificate;
  3. Import the certificate to the server;
  4. Take note of the certificate Serial Number;
  5. Run certutil -repairstore my “Serial number”