A while ago (I forgot to publish this post) I had a client issue a CertReq from a SharePoint 2007-created IIS Virtual Server that was being used for staging. When the WebApp was removed, the option to delete the IIS Virtual Server was chosen, though the Content DB was not.
IIS had lost the link to the CertReq, and it had to be reestablished in order to mark the private keys as exportable. You can still use the certificate from the response, but without the keys it is not exportable to another server.
Best practice would be to use the Default IIS Virtual Server, since it should never be removed, on a system where there is no activity: import the response, export it, and protect the export with a password so it can be used again.
To assign the existing private key to a new certificate, you must use the Microsoft Windows Server 2003 version of Certutil.exe.
There are two ways to recover the certificate:
CERTUTIL: the built-in command-line tool for administering a Windows 2003 CA. CERTUTIL has several switches for CA administration and key recovery.
KRT.EXE: the Key Recovery Tool (KRT.EXE) is a new tool that is part of the Windows Server 2003 Resource Kit Utilities. KRT is a GUI extension for the built-in Windows 2003 CA tool CERTUTIL. In this article, we will use the Key Recovery Tool (KRT).
certutil -repairstore my serial# from item 17
Note: KRT works with a Microsoft CA. By default, CertUtil uses a CA and not the local store. I haven't tried using the certutil -store command and then using KRT; this may work?
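
The certutil route described above, written out end to end as an added example (not from the original post): import the CA response, re-link it to the orphaned private key with -repairstore, then export a password-protected PFX. The file paths are constructed placeholders, and the script assumes it is run in cmd.exe as an administrator on the server that generated the CertReq, since the private key only exists there.

```bat
@echo off
rem Added example. Paths below are constructed placeholders; adjust them.
setlocal
set CERT=C:\certs\response.cer
set PFX=C:\certs\site.pfx

rem 1. Add the CA's response to the local machine Personal ("my") store.
certutil -addstore my "%CERT%" || goto :fail

rem 2. Dump the store and read off the Serial Number of the new certificate.
certutil -store my
set /p SERIAL=Serial number of the imported certificate: 

rem 3. Re-associate the certificate with the private key left behind by
rem    the original request. This fails if the key container is gone.
certutil -repairstore my "%SERIAL%" || goto :fail

rem 4. Show the single certificate again and check that the output now
rem    includes private key information for it.
certutil -store my "%SERIAL%" || goto :fail

rem 5. Export certificate plus key to a password-protected PFX so it can
rem    be imported on another server. The export fails if the key was not
rem    marked exportable. The password is echoed by set /p, so run this
rem    from a private console session.
set /p PFXPASS=Password to protect the PFX: 
certutil -exportPFX -p "%PFXPASS%" my "%SERIAL%" "%PFX%" || goto :fail
set PFXPASS=

echo Exported %PFX%. Move it to protected storage and restrict its ACL.
goto :eof

:fail
set PFXPASS=
echo certutil reported an error; see the output above.
exit /b 1
```

Treat the resulting PFX as key material: store it offline or in a restricted share, and keep the password separate from the file.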