How to recreate a lost private key for a certificate

Friday, May 13, 2011
Occasionally a certificate will become corrupt or be installed without a properly associated private key.  Such is the case with a bare CER certificate file.  When this happens it will often no longer function with Exchange, IIS, or other web servers.
Here is how to recreate the private key for an installed certificate.
  • Open the Certificates management console (Start > Run > MMC > Add/Remove Snap-in > Certificates > Computer Account > Local Computer)
  • Expand Certificates (Local Computer) > Personal > Certificates
  • View the properties of the certificate you want to create a private key for.  On the Details tab, click Serial number.
  • Copy the serial number to the clipboard.
  • From an elevated CMD prompt, run the following command, pasting the serial number in place of <Serial Number>:

certutil -repairstore my "<Serial Number>"

The output will report that the repairstore command completed successfully.

You will now see a small gold key in the icon for the certificate, indicating that you have the private key.  You will also see the message, "You have a private key that corresponds to this certificate" at the bottom of the certificate's properties.
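The steps above can be scripted so that every certificate in the Local Computer Personal store that shows no private key is repaired and then re-checked. The following PowerShell is an added example, not code from the original post; it assumes an elevated session and that Cert:\LocalMachine\My is the same store that "certutil -repairstore my" targets. The function name Repair-MissingPrivateKey is my own.

```powershell
# Added example (not from the original post): run certutil -repairstore for each
# certificate in Local Computer > Personal that has no private key linked, then
# re-read the certificate to confirm the "gold key" state.
# Assumptions: elevated PowerShell session; Cert:\LocalMachine\My is the store
# that "certutil -repairstore my" operates on.

function Repair-MissingPrivateKey {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Optional thumbprint to limit the repair to a single certificate
        [string]$Thumbprint
    )

    $store = Get-ChildItem -Path Cert:\LocalMachine\My
    if ($Thumbprint) {
        $store = $store | Where-Object { $_.Thumbprint -eq $Thumbprint }
    }

    foreach ($cert in ($store | Where-Object { -not $_.HasPrivateKey })) {
        # Same value as Details tab > Serial number in the MMC snap-in
        $serial = $cert.SerialNumber

        if (-not $PSCmdlet.ShouldProcess("$($cert.Subject) (serial $serial)", 'certutil -repairstore my')) {
            continue
        }

        # The command from the post; 2>&1 keeps certutil's error text with its output
        $output   = & certutil.exe -repairstore my $serial 2>&1
        $exitCode = $LASTEXITCODE

        # Re-read the certificate: the cached object does not refresh HasPrivateKey
        $after = Get-Item -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)"

        [pscustomobject]@{
            Subject       = $cert.Subject
            SerialNumber  = $serial
            Thumbprint    = $cert.Thumbprint
            ExitCode      = $exitCode
            HasPrivateKey = $after.HasPrivateKey
            Output        = ($output | Out-String).Trim()
        }
    }
}

# Preview which certificates would be touched, then run the repair for real
Repair-MissingPrivateKey -WhatIf
Repair-MissingPrivateKey | Format-Table Subject, SerialNumber, ExitCode, HasPrivateKey
```

HasPrivateKey in the result is the scripted equivalent of the gold key in the MMC icon. Note that certutil -repairstore re-links the certificate to a key container that is already present in the machine's key store; if the key was never generated on this machine (for example the certificate came only from a bare CER file), the command reports that the key cannot be found, ExitCode is non-zero, and the certificate must be reissued or imported from a PFX backup instead.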