How to provide a new private key?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: We own a certificate for the given domain. But we have no access to the password for the private key. The person who made this left the company. So how we can get a new private key with a new password. We saw the API method ‘’ but we don’t know if this is the right one and how to use it. Is there anywhere a detailed API documentation available ?

It produced this output: ?

My web server is (include version): IIS Version 10.0

The operating system my web server runs on is (include version): Windows Server 2016

My hosting provider, if applicable, is: MS Azure

I can login to a root shell on my machine (yes or no, or I don’t know): YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): win-acme.


is this a password with the account key or with the certificate key?

Easiest solution: Create a new Letsencrypt account.

Check the documentation of your win-acme client. If there are folders: Perhaps make a backup and delete these folders, then a new account should be created.

Hi Juergen,

thanks for the quick reply. I will try to find the documentation and delete the mentioned folder(s).

Best regards

@HV-BKW-SSL You can’t just “change” a private key of a certificate, as the public key which is included in the certificate is signed by the certificate authority. Therefore, only changing the key would invalidate that signature. The only option if there is no way to recover the private key, is to issue a brand new certificate.

Luckily for you, Let’s Encrypt certificates are free of charge and should be renewed anyway after about 60 days of issuance.

One Let’s Encrypt certificate for was issued in December, and five were issued yesterday. Are all of their private keys inaccessible?

A cPanel certificate was also issued yesterday.

@Osiris @mnordhoff

Thanks a lot for your assistance.

Yes I have created some certificates during my tests yesterday, because the currently used certificate for our serilog server has expired the day before. Luckily the creation of a new certificate was working because the Signer and Registration files which are used by the wacs.exe tool are still available.

If I create a certificate with the wacs.exe tool which should be stored directly in the IIS or Windows Certification Store the password for the private key is not neccessary. But if I create a certificate which should be stored in a *.pfx file and try to import this file into the IIS or the Windows Certification Store the password is requested.

For now it is working, but if I find the time I have to create a new certificate where we know the password for the private key :wink:

Did you check your Application settings?

You can delete the password and you must mark the private key as


If not, a random password (not that of the person left the company) may be used.

Hello Juergen,

thanks also for your hint / advise. I will check the documentation and the application settings. Currently the Security in the config file is set like this:

“Security”: {
“RSAKeyBits”: 3072,
“ECCurve”: “xxx”,
"PrivateKeyExportable": false,
“EncryptConfig”: true

So the private key is obviously not marked as exportable.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.