Error “Cannot find the certificate request that is associated with this certificate file.” Feb 3, 2017
Error “Cannot find the certificate request that is associated with this certificate file.”
This error message occurs due to one or a combination of the following:
- The certificate file is formatted incorrectly or the wrong extension file is being used for the installation.
- The CSR for this certificate was never generated on this system.
- A private key mismatch may occur if the private key in Microsoft IIS does not match the certificate you are installing.
- The private key for this certificate has been corrupted, lost, or this is not the server on which the CSR was generated.
- The wrong certificate file is being used for the installation.
- You updated your system and lost the request.
The certificate file is formatted incorrectly or the wrong extension file is being used for the installation.
Copy and paste the certificate into a text file (save as .txt) using Vi or Notepad. Do not use Microsoft Word or other word processing programs that may add characters. Confirm that there are no extra lines or spaces in the file. You should have a text file that looks like:
Make sure you have 5 dashes to either side of the BEGIN CERTIFICATE and END CERTIFICATE and that no white space, extra line breaks or additional characters have been inadvertently added.
Double check and make sure you created the CSR on this system. If you don’t know then find the original system.
Ensure that you do not delete the pending request on that Windows system. With IIS 6 (server 2003) systems that request can be easily deleted.
Sometimes if a software update to the system was applied the request can be lost.
Troubleshoot the missing pending request or missing private key by performing the following.
Step 1: Create an MMC Snap-in for Managing Certificates on a Windows server system:
- Start? >? run? >? MMC.
- Go into the Console Tab >? File >? Add/Remove Snap-in
- Click on? Add > Click on? Certificates and click on? Add.
- Choose? Computer Account > Next.
- Choose? Local Computer > Finish.
- Close the? Add Standalone Snap-in window.
- Click on? OK? at the? Add/Remove Snap-in window.
- You will be brought back into the management console where you will see your snap in.
Step 2: Importing your SSL certificate:
- Expand to Certificates (Local Computer) > Personal > Certificates
- Right click on Certificates and go to All Tasks > Import.
- The Certificate Import Wizard will appear click next.
- Specify the location and path of your SSL certificate by clicking Browse…
- Click Next.
Note:-You may have to change the file type you are looking for to All in the drop down menu in order to browse to your certificate in the open window.
- Click Next.
- Click Finish.
- You should receive a message stating “The import was successful,” Click OK.
- You should see your new certificate appear in the middle of the Personal Certificates pain with an Icon that has a little key on it.
- Further double check the certificate by double clicking it. If your certificate states “You have a private key that corresponds to this certificate.” This means your SSL Certificate was able to marry with its private key, and is now ready for binding to its services, export, etc...
- Click OK.
If you still do not see a private key associated with your certificate then perform the following last resort troubleshooting tactic:
- With your SSL certificate now imported into MMC Double Click your SSL Certificate.
- On the certificate information window that opens, select the Details tab, scroll down and select the Thumbprint field from the list.
- The Thumbprint will appear in the box below; select the thumbprint and copy to clipboard (click anywhere in the box, then press Ctrl+A followed by Ctrl+C on the keyboard)
- Open up a Command Prompt (CMD) and run as an administrator and run the following command.
- certutil -repairstore my “<thumbprint>”
Note: If you right click on CMD you will have a paste feature to paste the copied thumbprint in-between the quotes.
- The command should similar to:
certutil -repairstore my “00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f”
- Note: If you see a Question Mark? In the front of your thumbprint delete it.
- If the command completes successfully, you will see a bunch of information with the following message appearing at the bottom:
CertUtil: -repairstore command completed successfully.
- Double check the certificate back in MMC by double clicking it. If your certificate states “You have a private key that corresponds to this certificate.” This means your SSL Certificate was able to match with its private key, and is now ready for binding to its services, export, etc...
Note: If your imported SSL certificate and it does not state you have a private key then your private key was either corrupted or never generated on this system. You will have to start from scratch generating a new CSR > Perform a reissue of the SSL Certificate > then perform SSL Certificate installation.
You can now go back to Exchange or IIS and press F5 on your keyboard to refresh the Exchange or IIS application. Your new certificate should appear now that it has the private key. This means you can now assign the services and bind it to your websites.