Lync 2013 / 2010 – Public Edge Certificate missing its private key

Recently I have seen the issue of a public certificate missing its private key on import. The situation is this: you create the required .req for your public certificate on the Edge server and send the details off to the certificate authority of your choice. Once they create and return the .crt file and the necessary trusted root and intermediate certificates, you import them into the Lync Edge server, only to find that the ‘sip.<domainname>.com’ certificate is missing its private key.

Why would this be the case when you originally generated the request on the Lync Edge server? At the moment the only reason I can see is that another certificate with the same name has previously been imported onto the server. Apart from that I cannot find any other logical reason why the newly imported certificate sometimes lacks its private key.

If you are in this position, the simple fix for the certificate is as follows:

– On the imported certificate without the private key, double-click the certificate to show its details. Click on the Details tab and look for the field called ‘Serial’. Copy the serial number into Notepad and remove the spaces from it, i.e.

WAS 5a 12 6e 7e ee 11  AMENDED 5a126e7eee11

Now, still on the Edge server, open a command prompt and type the following:

certutil -repairstore my <amended serial number>

e.g.: certutil -repairstore my 5a12637e11

Press Enter to run it. certutil searches the local machine key store for a key pair whose public key matches the certificate and re-links the two, so this only works on the server where the original request (and therefore the private key) was generated.

You will then see certutil's output, including confirmation that the repair was successful.

Now, if you go into the certificate store and refresh, you will see that the certificate has its private key.

At this point you can go back to the Lync Deployment Wizard and assign the public certificate to your Edge server.
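The same fix scripted in PowerShell, as an added example that is not part of the original post: it finds certificates in the computer's Personal store that report no private key, runs the certutil repair from above on each, and re-checks the result. It assumes an elevated session on the Edge server, that the CSR was generated on that same machine, and uses a placeholder subject filter (sip.example.com) that you would replace with your own name.

```powershell
# Added example (not from the original post). Assumes an elevated PowerShell
# session on the Edge server and that the certificate request was generated
# on this machine, so a matching private key still exists in the machine key
# store. $SubjectFilter is a hypothetical parameter with a placeholder value.
param(
    [string]$SubjectFilter = 'sip.example.com'   # placeholder, not a real host
)

$store = 'Cert:\LocalMachine\My'

# Certificates whose subject matches and which report no private key.
$orphans = Get-ChildItem -Path $store |
    Where-Object { $_.Subject -like "*$SubjectFilter*" -and -not $_.HasPrivateKey }

if (-not $orphans) {
    Write-Host "No certificate matching '$SubjectFilter' is missing its private key."
    return
}

foreach ($cert in $orphans) {
    # .NET exposes the serial without the spaces shown in the MMC Details tab,
    # so the manual Notepad step from the post is not needed here.
    $serial = $cert.SerialNumber
    Write-Host "Repairing $($cert.Subject) (thumbprint $($cert.Thumbprint), serial $serial)"

    # Same command as in the post: certutil looks for a key in the machine key
    # store whose public key matches this certificate and re-links it.
    $output = & certutil.exe -repairstore my $serial 2>&1
    $output | ForEach-Object { Write-Verbose $_ }

    if ($LASTEXITCODE -ne 0) {
        Write-Warning "certutil failed (exit $LASTEXITCODE) for serial $serial.`n$output"
        continue
    }

    # Re-read the certificate; the object already in hand caches HasPrivateKey.
    $fixed = Get-Item -Path (Join-Path $store $cert.Thumbprint)
    if ($fixed.HasPrivateKey) {
        Write-Host "OK: private key is now associated with $($fixed.Subject)"
    } else {
        Write-Warning "Still no private key for $($fixed.Subject); no matching key exists on this server (was the request generated here?)."
    }
}
```

If the final check still reports no private key, the request was most likely generated elsewhere and the certificate needs to be re-requested from this server rather than repaired.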

Job Complete

Thanks

Iain S


5 thoughts on “Lync 2013 / 2010 – Public Edge Certificate missing its private key”

  1. Pingback: Lync 2013 / 2010 – Public Edge Certificate missing its private key | NorthernLync « JC's Blog-O-Gibberish

  2. I had a similar issue recently with an Exchange Server certificate renewal: the CA used by a client automatically sent out a new certificate without them generating a new request first. And upon importing the certificate, it didn’t show up with a key. I just had to run those same commands you mentioned above, to ‘associate’ the server’s existing / original private key with the newly imported certificate. Everybody should take the time to learn about certutil.

  3. Nice work, it’s an odd issue that when correctly generating the certreq from the Lync deployment wizard the private key wouldn’t show; anyway, this fixed my issue for the internal edge cert and it now has a corresponding private key.
