SSL Certificate Not Installed or Doesn't Have a Private Key

If you installed your SSL Certificate on your server, but the certificate doesn't have a private key associated with it, you can use the DigiCert® Certificate Utility for Windows to repair your certificate installation and make sure it's installed correctly for use in IIS, Exchange and other Windows server types.

This problem usually occurs when you install an SSL Certificate through the MMC Console to a Pending Request that was created elsewhere. You can use the DigiCert Utility to fix this problem, but only if the private key is on the server, and the server just doesn't have the private key and certificate associated together.

How to Pair Your SSL Certificate with Its Private Key

 

Check Status of Your SSL Certificate

  1. On the Windows server where your SSL Certificate is located, download and save the DigiCert® Certificate Utility for Windows executable (DigiCertUtil.exe) to the same directory/folder as the certificate.

    Note:    For this instruction, it is necessary for the certificate and utility to be located in the same directory/folder or else some of the steps may not work.

  2. Run the DigiCert® Certificate Utility for Windows (double-click DigiCertUtil).

  3. In the DigiCert Certificate Utility for Windows©, click SSL (gold lock), check to see if there is a Caution Sign next to your certificate.

    DigiCert Utility

  4. If you see a Caution Sign, select your SSL Certificate and read the warning message describing the issue.

 

"The Certificate Needs to Be Installed" Message

Although your SSL Certificate was copied to your server, it wasn't installed. To fix this problem, simply install your certificate to try to pair it with its private key.

  1. In the DigiCert Certificate Utility for Windows©, select your SSL Certificate and click Install Certificate.

    DigiCert Utility

  2. After your certificate is installed, check the certificates status again.

  3. If the Caution Sign is gone, close the utility and then configure the server to use the certificate for your website, to secure email connections, etc.

    See Assign & Configure Server Software to Use the SSL Certificate. If you cannot find instructions for your platform on that page, see SSL Certificate Installation Instructions & Tutorials.

 

"This Certificate’s Chain Is Not Installed Correctly" Message

Please see DigiCert Certificate Utility: Repair Intermediate SSL Certificate Errors.

 

"This Certificate Needs to Be Attached to Its Private Key" Message

The certificate is installed on your server, but it's not paired with its private key. To try to fix this problem, use the utility to repair the certificate.

  1. In the DigiCert Certificate Utility for Windows©, select your SSL Certificate and click Repair Certificate.

    DigiCert Utility

  2. When you receive the "Would you like to scan your computer for this certificate's private key and attach to it" message, click Yes.

    DigiCert Utility

  3. If you receive the "This certificate has been successfully repaired." message, click OK and close the utility.

    Congratulations, you have matched your certificate with its private key. You have successfully installed your SSL Certificate.

    Note:    If you received "The private key for this certificate could not be found in the machine or current user key stores," error, continue to the next section.

    DigiCert Utility

 

"The private key for this certificate could not be found in the machine or current user key stores" Error Message

If you received this error message, the private key for your SSL Certificate is not on this server. Most likely, the CSR for your certificate was created on a different server.

DigiCert Utility

To fix this problem, do the following:

  1. Create a CSR

    On your server where you are trying to install the certificate, create a new CSR.

    See CSR Creation Instructions for Microsoft Servers. If you prefer not to use the DigiCert Certificate Utility, see Create a CSR (Certificate Signing Request).

  2. Reissue Your SSL Certificate

    After you create your new CSR, log into your DigiCert account and reissue the certificate.

    See Reissuing a DigiCert® SSL Certificate.

  3. Install Your Reissued Certificate

    Install the rekeyed/reissued certificate on your server where you created the CSR.

    See SSL Certificate Importing Instructions: DigiCert Certificate Utility. If you prefer not to use the DigiCert Utility, see SSL Certificate Installation Instructions & Tutorials.

  4. Assign and Configure Server to Use Reissued Certificate

    Then, reconfigure the server to use the certificate for your website, to secure email connections, etc.

    See Assign & Configure Server Software to Use the SSL Certificate. If you cannot find instructions for your platform on that page, see SSL Certificate Installation Instructions & Tutorials.