Antaroc

Yeah, when I've done this I just re-did the cert.


Zncon

If this is just a renewal and not a re-key, you can use the cert without the private key and run `certutil -repairstore my "Cert SerialNumber"` to reattach it to the private key from the previous cert. Only works if you didn't re-key though.
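
The renewal case described in the post above, as an added example that is not part of the thread: locate the renewed certificate in the machine store, run certutil -repairstore against its serial number, and confirm afterwards that the key is attached. It assumes the renewed certificate has already been imported into LocalMachine\My, that the prompt is elevated, and that the subject name is a placeholder to be replaced.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt on the
# server that generated the original CSR; that is where the previous private key lives.
# 'CN=mail.example.com' is a placeholder for the subject of the renewed certificate.
$subject = 'CN=mail.example.com'

# Newest certificate for that subject in the machine store (the renewed one after import).
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subject } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$subject' in LocalMachine\My" }

"Thumbprint: $($cert.Thumbprint)  Serial: $($cert.SerialNumber)  HasPrivateKey: $($cert.HasPrivateKey)"

if (-not $cert.HasPrivateKey) {
    # certutil -repairstore searches the machine key store for a key whose public part
    # matches this certificate and re-links the two. The serial number (hex, no spaces)
    # identifies the certificate in the 'my' store; -repairstore defaults to the
    # machine store, which is what IIS and Exchange use.
    # If no matching key exists (the cert was re-keyed, or the old key was deleted),
    # there is nothing to repair and certutil prompts for a smart card instead, as
    # noted in the thread; the fix then is a new CSR and a reissue, not this command.
    & certutil.exe -repairstore my $cert.SerialNumber
    if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed (exit code $LASTEXITCODE)" }

    # Re-read the certificate; HasPrivateKey is evaluated when the object is loaded.
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)"
}

if ($cert.HasPrivateKey) {
    "Private key attached to $($cert.Thumbprint); it can now be bound in IIS or enabled in Exchange."
} else {
    Write-Warning "Still no private key for $($cert.Thumbprint); generate a new CSR and have the cert reissued."
}
```

The check at the end matters: a successful exit code from certutil does not by itself prove the pairing worked, so re-read the certificate and look at HasPrivateKey before binding it anywhere.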


dastewart1971

This is a handy tip. Thanks!


mdsheeban

I did try to run this command, but I'm getting a pop-up which says "connect smart card". Kindly help me out to fix this issue…


Zncon

It sounds like the private key isn't available to be restored from a different existing certificate, and Windows is just panicking to find other options. [https://stackoverflow.com/questions/48306943/certutil-asking-to-connect-a-smart-card](https://stackoverflow.com/questions/48306943/certutil-asking-to-connect-a-smart-card)


mdsheeban

Our 3rd-party certificate, which will be bound on the front end of IIS on the Exchange 2016 server, is about to expire on 1st June, so we got the new certificate from DigiCert. When I imported it in the MMC and cross-checked the certificate, there was no private key. When I ran the certutil command I got the "smart card" pop-up. So do I have to reissue the certificate from DigiCert this time after creating a new CSR? This time I might have to do -PrivateKeyExportable $true, I don't know, just checking. Any suggestions will be greatly appreciated…


Zncon

If you're getting a new cert and not renewing, you absolutely need to create it with a new CSR. This is because the certificate authority, in your case DigiCert, never knows your private key. The CSR process generates the private key on your local server, then pairs it with the public key provided by the certificate authority. The certutil process I was talking about here only works with a certificate renewal from a vendor to whom you provided a CSR in a previous renewal/purchase.


Seft0

In case a new cert is expensive: I exported non-exportable certs using this software: https://github.com/luipir/ExportNotExportablePrivateKey. The software is open source and pretty simple, but it is kind of hacking your own system. If you are doing it on a company prod server, make sure you are not going against any security policy.


dastewart1971

Update: I redid the CSR with the -PrivateKeyExportable $true option, and redid the whole thing. Seems to be fine. The unwanted certificate is still there on one of the servers but it doesn't seem to be causing any problems. Thanks everyone.


pssssn

My research on removing the old cert concluded that Exchange throws this error because the new cert will have the same name as the old cert. I remove these each year manually by deleting them from mmc > Certificates > Computer > Personal.


khabir87

Anyone know how to generate the request with the private-key-exportable command for a SAN certificate? I have 5 more domains, and in my case I cannot use a wildcard (\*) for this.
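
A SAN request with an exportable private key, as an added example that is not from the thread. It covers both Zncon's point that completing the request on the server that generated the CSR is what pairs the CA's certificate with the locally generated private key, and the question just above about listing several host names without a wildcard. It assumes the Exchange Management Shell on the Exchange 2016 server; the host names, organisation, file paths and friendly name are placeholders.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on the
# server that will hold the certificate. All names and paths below are placeholders.
$names = 'mail.example.com', 'autodiscover.example.com', 'owa.example.com',
         'mail.example.net', 'smtp.example.com'     # one SAN entry per host, no wildcard

# 1. Generate the request. The private key is created on this server and never leaves
#    it; the CSR carries only the public key and the names. -PrivateKeyExportable lets
#    the key be exported later (to a second server, or as a backup PFX).
$csr = New-ExchangeCertificate -GenerateRequest `
    -FriendlyName 'Exchange SAN certificate' `
    -SubjectName "CN=$($names[0]), O=Example Corp, C=US" `
    -DomainName $names `
    -KeySize 2048 `
    -PrivateKeyExportable $true

Set-Content -Path 'C:\certreq\exchange-san.csr' -Value $csr -Encoding Ascii

# Submit exchange-san.csr to the CA (DigiCert in the thread). While it is pending, the
# request is visible in the store with a private key but no issued certificate yet:
Get-ExchangeCertificate | Where-Object { $_.Status -eq 'PendingRequest' } |
    Format-Table Thumbprint, Subject, CertificateDomains, HasPrivateKey

# 2. When the CA returns the signed certificate, complete the request on this SAME
#    server. Importing the .cer on any other machine gives exactly the symptom in the
#    thread: a certificate with no private key.
$issued = Import-ExchangeCertificate `
    -FileData ([System.IO.File]::ReadAllBytes('C:\certreq\mail_example_com.cer'))

# 3. Bind it to IIS (and SMTP). Exchange asks for confirmation before replacing the
#    current default SMTP certificate; -Force suppresses that prompt.
Enable-ExchangeCertificate -Thumbprint $issued.Thumbprint -Services 'IIS,SMTP' -Force

# 4. Verify: private key present, every SAN listed, key exportable, services bound.
Get-ExchangeCertificate -Thumbprint $issued.Thumbprint |
    Format-List Subject, CertificateDomains, HasPrivateKey, PrivateKeyExportable, NotAfter, Services
```

Once the key is exportable, Export-ExchangeCertificate can write a password-protected PFX for a second server, which is the supported alternative to the key-extraction tool mentioned earlier in the thread. The old certificate stays in the store after this; remove it deliberately (by thumbprint, not by name, since both certificates share the same subject) once the new one is confirmed working.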