Certutil -repairstore my [serial#] or [thumbprint] command failed

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
s2mb.net

I ran this command:
certutil -repairstore my [serial#]
certutil -repairstore my [thumbprint]

It produced this output:
certutil: -repairstore command failed 0x80090011 (-2146893807 NTE_NOT_FOUND)
certutil: object was not found

My web server is (include version):
IIS ver10

The operating system my web server runs on is (include version):
MS Windows Server 2016

My hosting provider, if applicable, is:
Godaddy

I can login to a root shell on my machine (yes or no, or I don't know):
I have a VPS server and RDP into it

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No control panel. See above on how I access my server

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.19.0

What are you trying to do and why?

2 Likes

Sorry, my question was unnecessarily abrupt. You're obviously trying to use certutil to repair your certificate store, but how have you arrived at this particular task? Do you already have a certificate? If so, which tool did you use to get it, and has it been stored on the local machine already?

3 Likes

@moone33 I just want to add some extra info but @webprofusion is more of an expert on your kind of system so please respond to him.

The only valid certificate you have is for only the name www.s2mb.net. See:
https://crt.sh/?Identity=s2mb.net&deduplicate=Y

Your prior GoDaddy certs had both s2mb.net and www.s2mb.net

Your system is currently sending a self-signed cert with name s2mb

2 Likes

Hi,

My private key is missing from the Certificate dialog box and it's not in the IIS binding site drop-down. So I found topics to use the certutil repairstore similar to the screenshot below

Mario
If you can dream it, it's obtainable, if you have the desire!

Hi webprofusion

I used certbot -certonly and received the files in the screenshot below. The files are stored on the C: drive on the VPS server.

Mario
If you can dream it, it's obtainable, if you have the desire!

The self-signed one is my WMSVC - Web Management Service

Mario
If you can dream it, it's obtainable, if you have the desire!

Ah I see, I think you've installed the public certificate but not the private key that goes with it. The convention on Windows is to convert your fullchain.pem and privkey.pem to a PFX file (which is a PKCS12 certificate container), then install that. That way Windows knows to store the private key (privately!) and it can be seen by the relevant Windows services.

You can use openssl commands to convert the files to PFX, and there may be a way to import the privkey.pem individually but I've never tried that.

There are many ways to do Let's Encrypt certificates on Windows but I'd suggest trying out the app I develop (which is a full GUI with integrated IIS support) https://certifytheweb.com to see if it works better for you. Another popular (command line) option is win-acme.

3 Likes
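
The PFX conversion and import described in the reply above, as an added example that is not part of the original thread. It assumes openssl.exe is on the PATH and that the Certbot files are in C:\Certbot\live\www.s2mb.net; adjust the path to wherever your .pem files actually are.

```powershell
# Added example; run from an elevated PowerShell prompt.
# Assumptions: openssl.exe is on PATH, and $live points at the folder that
# holds fullchain.pem and privkey.pem (path below is an assumed location).
$live = 'C:\Certbot\live\www.s2mb.net'
$pfx  = Join-Path $env:TEMP 'www.s2mb.net.pfx'

# 1. Bundle the certificate chain and the private key into a PKCS#12 (PFX) file.
#    openssl prompts for an export password, so it never appears on the command line.
& openssl pkcs12 -export -out $pfx `
    -inkey (Join-Path $live 'privkey.pem') `
    -in (Join-Path $live 'fullchain.pem')
if ($LASTEXITCODE -ne 0) { throw 'openssl pkcs12 export failed' }

try {
    # 2. Import into the machine's Personal store (the "my" store certutil refers to).
    #    Without -Exportable, Windows stores the private key as non-exportable.
    $pw   = Read-Host -AsSecureString 'PFX password (same as entered above)'
    $cert = Import-PfxCertificate -FilePath $pfx `
                -CertStoreLocation Cert:\LocalMachine\My -Password $pw

    # 3. Confirm the store entry is linked to a private key; a certificate
    #    without one will not show up in the IIS binding drop-down.
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $($cert.Thumbprint) was imported without a private key"
    }
    $cert | Format-List Subject, Thumbprint, NotAfter, HasPrivateKey
}
finally {
    # 4. The PFX contains the private key; do not leave it in the temp folder.
    Remove-Item $pfx -Force -ErrorAction SilentlyContinue
}
```

The thumbprint printed at the end identifies the certificate to select in the IIS site binding.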
