Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
I ran this command: We own a certificate for the given domain. But we have no access to the password for the private key. The person who made this left the company. So how can we get a new private key with a new password? We saw the API method ‘https://acme-v02.api.letsencrypt.org/acme/key-change’ but we don’t know if this is the right one and how to use it. Is there anywhere a detailed API documentation available?
It produced this output: ?
My web server is (include version): IIS Version 10.0
The operating system my web server runs on is (include version): Windows Server 2016
My hosting provider, if applicable, is: MS Azure
I can login to a root shell on my machine (yes or no, or I don’t know): YES
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NO
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): win-acme.2.1.3.671
Is this a password with the account key or with the certificate key?
Easiest solution: Create a new Letsencrypt account.
Check the documentation of your win-acme client. If there are folders: Perhaps make a backup and delete these folders, then a new account should be created.
@HV-BKW-SSL You can’t just “change” a private key of a certificate, as the public key which is included in the certificate is signed by the certificate authority. Therefore, only changing the key would invalidate that signature. The only option if there is no way to recover the private key, is to issue a brand new certificate.
Luckily for you, Let’s Encrypt certificates are free of charge and should be renewed anyway after about 60 days of issuance.
One Let’s Encrypt certificate for serilog.westeurope.cloudapp.azure.com was issued in December, and five were issued yesterday. Are all of their private keys inaccessible?
Yes, I have created some certificates during my tests yesterday, because the currently used certificate for our serilog server had expired the day before. Luckily the creation of a new certificate was working because the Signer and Registration files which are used by the wacs.exe tool are still available.
If I create a certificate with the wacs.exe tool which should be stored directly in the IIS or Windows Certificate Store, the password for the private key is not necessary. But if I create a certificate which should be stored in a *.pfx file and try to import this file into the IIS or the Windows Certificate Store, the password is requested.
For now it is working, but if I find the time I have to create a new certificate where we know the password for the private key.
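The two points above (a certificate's key cannot be swapped, and a certificate already in the Windows store needs no PFX password) suggest a practical check that the thread does not spell out: if win-acme stored the certificate with its private key in the machine store, that key can be exported into a new PFX protected by a password you choose, without any new issuance. The script below is an added example, not code from the thread or from the win-acme project. It assumes Windows Server 2016 with PowerShell 5.1 and the built-in PKI module, that the Certificate provider exposes its usual DnsNameList property, that win-acme stored the key as exportable, and an output path (C:\certs\serilog-new-password.pfx) chosen here for illustration.

```powershell
# Added example: export the store copy of a Let's Encrypt certificate to a PFX
# with a password we know, then verify the file still carries the private key.
param(
    [string]$HostName = 'serilog.westeurope.cloudapp.azure.com',  # host named in the thread
    [string]$OutFile  = 'C:\certs\serilog-new-password.pfx'       # assumed output path
)

# Read the new password interactively so it never lands in a script or shell history.
$pfxPassword = Read-Host -Prompt 'New PFX password' -AsSecureString

# Candidate certificates for the host, newest expiry first. Several may exist, since
# the thread mentions multiple issuances during testing.
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $HostName } |
    Sort-Object NotAfter -Descending

$candidates | Format-Table Thumbprint, NotAfter, HasPrivateKey, Issuer -AutoSize

# A certificate with HasPrivateKey = $false is useless for TLS: the public key inside it
# is fixed by the CA's signature, so a different key cannot be attached afterwards.
# Only a fresh issuance pairs the name with a new key, as explained in the thread.
$cert = $candidates | Where-Object HasPrivateKey | Select-Object -First 1
if (-not $cert) { throw "No certificate for $HostName with an accessible private key." }

# Export-PfxCertificate fails if the key was stored as non-exportable; in that case the
# remedy is again a new issuance, this time with an exportable key.
New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $OutFile -Password $pfxPassword | Out-Null

# Verify: loading with the chosen password must succeed, give the same certificate
# (same thumbprint) and still include the private key.
$flags    = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$reloaded = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($OutFile, $pfxPassword, $flags)

if ($reloaded.Thumbprint -ne $cert.Thumbprint) { throw 'Exported certificate does not match the store copy.' }
if (-not $reloaded.HasPrivateKey)              { throw 'Exported PFX carries no private key.' }
"Exported $($cert.Thumbprint) to $OutFile protected by the new password."
```

Run it in an elevated PowerShell session, since reading private keys from Cert:\LocalMachine\My requires administrator rights. The resulting PFX is the artifact the thread asks for: the same certificate, now importable into IIS or another server with a password the team controls. Store that file and its password in the same place as the other deployment secrets so the situation that started the thread does not recur at the next staff change.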
Thanks also for your hint / advice. I will check the documentation and the application settings. Currently the Security in the config file is set like this: