IIS - Assign Existing Private Key to a reissued EV certificate

Follow this guide to reassign the existing private key after a reissue of an EV certificate with the original CSR.

Open the Local Machine Certificate Store

  1. Click Start → Run, type mmc and select OK.


  2. Go to the File menu and select Add/Remove Snap-in.


  3. Select Certificates from the Add or Remove Snap-ins box and click Add.


  4. Select Computer Account and click Next.


  5. Select Local Computer and click Finish.


  6. Close the Add Standalone Snap-in box by clicking OK and return to the mmc.

Install the new certificate

  1. Expand Certificates in the Certificates snap-in dialogue window. Right-click the Personal folder, go to All Tasks and click Import.
  2. Click Next on the Welcome to the Certificate Import Wizard.
  3. Select Browse... on the File to Import page.
  4. Navigate to the new certificate, select it and click Open. Click Next.
  5. On the Certificate Store page, click Place all certificates in the following store, and click Browse.
  6. Choose the Personal certificate store in the Select Certificate Store window and click OK.
  7. Click Next and then Finish to finish the import process.
  8. Right-click your new certificate and select Properties.
  9. Enter a short, unique friendly name in the top-most field, and click Apply.

Assign Private Key to new certificate

Now that the new certificate is physically present on the server, the existing private key can be linked to it using PowerShell run as an administrator:

  1. Open PowerShell with administrator privileges.
  2. Enter and run the following command:
    dir Cert:\LocalMachine\My -Recurse | Where-Object { $_.Issuer -like "*Extended Validation*" } | select -ExpandProperty SerialNumber | ForEach-Object { certutil -repairstore my $_ }
  3. The new certificate should now have the original private key attached. This can be checked by double-clicking the certificate; the following message must appear at the bottom:
    You have a private key that corresponds with this certificate.
  4. The certificates can now be used with your server application like IIS or Exchange.
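
An added example (not part of the original guide): the command in step 2 runs certutil -repairstore for every certificate whose issuer matches the filter. The PowerShell below repairs only the matching certificates that still lack a private key and then confirms the result. It assumes the previous certificate, with its key, is still in the Personal store so that the public keys can be compared first.

```powershell
# Added example: repair only the reissued certificate(s) and verify the result.
# Run in an elevated PowerShell session. The issuer filter is the one from step 2.
$store        = 'Cert:\LocalMachine\My'
$issuerFilter = '*Extended Validation*'

# Reissued certificates that were imported but are not yet linked to a key.
$pending = @(Get-ChildItem $store |
    Where-Object { $_.Issuer -like $issuerFilter -and -not $_.HasPrivateKey })

if ($pending.Count -eq 0) {
    Write-Output 'No matching certificate without a private key was found.'
    return
}

# Assumption: the previous certificate is still in the store. A reissue from the
# original CSR carries the same public key, so the two must compare equal.
$withKey = @(Get-ChildItem $store | Where-Object { $_.HasPrivateKey })

foreach ($cert in $pending) {
    $old = $withKey |
        Where-Object { $_.GetPublicKeyString() -eq $cert.GetPublicKeyString() }
    if (-not $old) {
        Write-Warning "Skipping $($cert.Thumbprint): no certificate in $store has the same public key and a private key."
        continue
    }

    # Link the existing key to this certificate only, addressed by serial number.
    certutil -repairstore my $cert.SerialNumber | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "certutil failed for serial $($cert.SerialNumber) (exit code $LASTEXITCODE)."
        continue
    }

    # Re-read the certificate from the store and report whether the key is attached.
    $after = Get-Item "$store\$($cert.Thumbprint)"
    [pscustomobject]@{
        Subject       = $after.Subject
        SerialNumber  = $after.SerialNumber
        NotAfter      = $after.NotAfter
        HasPrivateKey = $after.HasPrivateKey
    }
}
```

HasPrivateKey should read True for each certificate listed, which corresponds to the message checked in step 3.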

SSLCheck

Our SSLCheck will examine your website's root and intermediate certificates for correctness and report any potential issues.