Windows – Renew certificate assigning the same private key



When renewing a certificate, it is not necessary to generate a new CSR. This is possible by keeping the same private key.

After receiving the renewed certificate from the third-party certification authority, we can try to import it and assign the private key from the management console (mmc -> Certificates).
One of the options shown when right-clicking the certificate is “Renew This Certificate with the Same Key”:
"Renew This Certificate with the Same key..." option

However, attempting to use it may return an error:
"Renew This Certificate with the Same key..." option enrollment error

Instead, we can import the certificate and then assign the corresponding private key.

Import certificate

To import it, we open the certificate (on the local computer) and import it into the Personal store:
Import certificate mmc

Now we have it in the computer's Personal store, but without a private key:
Certificate without private key assigned

Assign private key using certutil

certutil can be used with the -repairstore switch to assign the corresponding private key to the imported certificate.

certutil -repairstore my <certificate serial number>

The serial number can be obtained in the details section of the certificate:
Certificate details showing serial number

This would be the result of the command:

C:\>certutil -repairstore my 4cc8ac76a91234560000000050db339a

my
================ Certificate 5 ================
Serial Number: 4cc8ac76a912345600000050db339a
Issuer: CN=Entrust Certification Authority - L1K, OU=(c) 2012 Entrust, Inc. - fo
r authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US

 NotBefore: 24/01/2017 10:54
 NotAfter: 20/02/2018 11:24
Subject: CN=*.domain.com, O=MyOrg, L=MyCity, S=MyRegion,
C=ES
Non-root Certificate
Template:
Cert Hash(sha1): 12 34 56 78 fd ad fa ac 83 97 1d d3 e4 28 01 12 34 56 78 00
  Key Container = le-0c4abe60-d89d-4ebd-afe2-8f7329e32c49
  Unique container name: cbcdbb8d8c1e0dc84c1da529ddd00686_9bfb925-8386-487d-843
7-84bfb8501d68
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Encryption test passed
CertUtil: -repairstore command completed successfully.

Afterwards, we can see that the certificate now has its private key assigned:
Certificate with private key assigned
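
The same import and repair steps as a script, with two checks added: before importing, that the renewed certificate carries the same public key as the one it replaces, and afterwards, that the private key is really attached. This is an added example, not part of the original post. `$CerPath` and `$OldThumbprint` are placeholder parameters; it assumes an elevated PowerShell session and a .cer file containing a single certificate.

```powershell
# Added example: import a renewed certificate and re-attach the existing private key.
# $CerPath and $OldThumbprint are placeholders supplied by the operator (assumptions).
param(
    [Parameter(Mandatory)] [string] $CerPath,        # renewed certificate received from the CA
    [Parameter(Mandatory)] [string] $OldThumbprint   # certificate being replaced, in LocalMachine\My
)
$ErrorActionPreference = 'Stop'
$store = 'Cert:\LocalMachine\My'

# Load the renewed certificate from disk without touching the store yet.
$new = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path $CerPath).Path)
$old = Get-Item "$store\$OldThumbprint"

if (-not $old.HasPrivateKey) {
    throw "The existing certificate has no private key on this machine."
}

# -repairstore can only bind a key that already exists locally, so the renewed
# certificate must have been issued for the same public key as the old one.
if ($new.GetPublicKeyString() -ne $old.GetPublicKeyString()) {
    throw "Public key differs: this certificate was not issued for the existing key."
}

# Import into the computer Personal store (the MMC import step).
$imported = Import-Certificate -FilePath $CerPath -CertStoreLocation $store

# Re-associate the private key, identifying the certificate by its serial number.
& certutil.exe -repairstore my $imported.SerialNumber
if ($LASTEXITCODE -ne 0) {
    throw "certutil -repairstore failed with exit code $LASTEXITCODE"
}

# Re-read the certificate from the store; HasPrivateKey should now be True.
$check = Get-Item "$store\$($imported.Thumbprint)"
[pscustomobject]@{
    Subject       = $check.Subject
    SerialNumber  = $check.SerialNumber
    NotAfter      = $check.NotAfter
    HasPrivateKey = $check.HasPrivateKey
}
```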
