Lync 2013 / 2010 – Public Edge Certificate missing its private key


Recently I have seen the issue of a public certificate missing its private key on import. The situation is this: you create the required .req for your public certificate on the Edge server and send the details off to the certificate authority of your choice. Once they create and return the .crt file and the necessary trusted root and intermediate certificates, you import them onto the Lync Edge server only to find that the ‘sip.<domainname>.com’ certificate is missing its private key.

Why would this be the case when you originally generated the request on the Lync Edge server? At the moment the only reason I can see is that another certificate with the same name has previously been imported onto the server. Apart from that, I cannot find any other logical reason why the newly imported certificate sometimes lacks its private key.

If you are in this position, the simple fix for the certificate is as follows:

– On the imported certificate without the private key, double-click the certificate to show the information associated with it. Click on the Details tab and look for the field called ‘Serial number’. Copy the serial number into Notepad and remove the spaces from the value, i.e.

WAS: 5a 12 6e 7e ee 11    AMENDED: 5a126e7e11

Now, still on the Edge server, open a command prompt and type the following:

certutil -repairstore my <Amended serial number>

e.g.: certutil -repairstore my 5a12637e11

Press Enter to run it.

You will then see the certificate's details printed, followed by confirmation that the repair completed successfully.

Now, if you go back into the certificate store and refresh, you will see that the certificate has its private key associated with it.
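The same check-and-repair, scripted, as an added example that is not part of the original post: it lists the certificates in the Local Machine personal store whose subject matches the Edge name, reports which ones have no private key, and (with -Repair) runs certutil -repairstore against the space-free serial number before re-reading the certificate to confirm the key is now attached. The $SubjectFilter parameter and its default are assumptions; change them to match your Edge FQDN.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# on the Edge server. Without -Repair it only reports.
param(
    [string]$SubjectFilter = 'sip.',   # assumed default: CN prefix to match
    [switch]$Repair                    # only repair when explicitly asked
)

$store = 'Cert:\LocalMachine\My'      # the "my" store certutil uses
$certs = Get-ChildItem -Path $store |
    Where-Object { $_.Subject -like "*CN=$SubjectFilter*" }

if (-not $certs) {
    Write-Warning "No certificate matching '$SubjectFilter' found in $store"
    return
}

foreach ($cert in $certs) {
    # .SerialNumber is already the hex string without the spaces the
    # MMC 'Serial number' field shows; strip any whitespace defensively.
    $serial = ($cert.SerialNumber -replace '\s', '').ToLower()
    $state  = if ($cert.HasPrivateKey) { 'private key present' }
              else                     { 'PRIVATE KEY MISSING' }
    Write-Host ("{0}  {1}  {2}" -f $serial, $cert.Subject, $state)

    if (-not $cert.HasPrivateKey -and $Repair) {
        # Re-link the certificate to the key generated with the .req
        & certutil.exe -repairstore my $serial
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "certutil failed for $serial (exit $LASTEXITCODE)"
            continue
        }
        # Re-read the certificate object; HasPrivateKey is the real check,
        # not certutil's exit code alone.
        $after = Get-Item -Path (Join-Path $store $cert.Thumbprint)
        if ($after.HasPrivateKey) {
            Write-Host "Repaired: $serial now has its private key"
        } else {
            Write-Warning "Repair ran but $serial still has no private key"
        }
    }
}
```

certutil -repairstore can only re-associate the certificate with a key that already exists in this machine's key store, i.e. the one created when the .req was generated here; if the request was generated on another server, the final HasPrivateKey check will still fail and a new request is needed.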

At this point you can go back to the Lync Deployment Wizard and assign the public certificate to your Edge server.

Job Complete


Iain S