35

I'm developing a WCF service with Transport Security hosted on IIS 7.5 under Windows 2008R2. I have a certificate, generated in IIS 7.5, which is stored in Local folder.

When I use BasicHttpBinding or WSHttpBinding with Transport Security, everything works fine. But when I change it to NetTcp I get an exception:

 CryptographicException 'Keyset does not exist'. 

After a bit of googling I found out that the problem can be because my NETSERVICE IIS account doesn't have permission to the private key of my certificate.

The solution could be to set the access rights in MMC by right-clicking on my certificate and selecting the "MANAGE PRIVATE KEYS" option. But there is no such option in the select menu!!! The certificate was created under the administrator account, and when I open it, it says that it has a private key. What am I doing wrong?

Alex
  • hope this helps: http://forums.asp.net/t/1832898.aspx – Boomer Jan 15 '13 at 12:54
  • Thanks, but same result ((( – Alex Jan 15 '13 at 13:17
  • Give the account rights to the file that has the private key. Don't remember off-hand where that exists, but it's findable. – zimdanen Jan 15 '13 at 13:32
  • How to find this file? In Windows server 2003 (http://geekswithblogs.net/technetbytes/archive/2011/10/12/147281.aspx) it is quite easy, but in Windows server 2008 I can't find its location. Maybe you know where it is? – Alex Jan 15 '13 at 13:40
  • seems to not work when connecting to a remote server's certificate store even when running as admin and logging in with admin credentials. In addition if you select 'export' then the 'export private key' is grayed out :-( – Simon_Weaver Apr 17 '17 at 08:41

7 Answers

27

Go to server -> click Start -> Run -> type mmc -> enter -> select Certificates snap-in with Local Computer option -> Go to Console Root-> Certificates-> Personal-> Certificates-> Select a cert-> Right click-> Go to All tasks-> Manage Private Keys-> Add permissions

Manish Jain
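A scripted equivalent of the Manage Private Keys dialog, for cases where the menu entry is missing; this is an added example, not part of any answer on this page. It assumes an elevated Windows PowerShell session (.NET 4.6 or later for the CNG fallback) and a certificate in the Local Computer Personal store; `$Thumbprint` and `$Account` are parameters of the example.

```powershell
# Added example: grant an account Read access to the private key of a
# certificate in the Local Computer "Personal" (My) store.
# $Thumbprint and $Account are parameters of this example, not values from the page.
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,  # thumbprint without spaces
    [Parameter(Mandatory = $true)][string]$Account      # sample value: 'NT AUTHORITY\NETWORK SERVICE'
)

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    # Typical after importing a .cer instead of a .pfx: there is no key to grant access to.
    throw "Certificate $Thumbprint has no private key associated with it."
}

# Resolve the name of the key container file.
$keyName = $null
try {
    # Legacy CSP key (RSACryptoServiceProvider)
    $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
} catch { }
if (-not $keyName) {
    # CNG key (RSACng); GetRSAPrivateKey requires .NET 4.6 or later
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $keyName = $rsa.Key.UniqueName
}
if (-not $keyName) { throw "Could not determine the key container name." }

# Machine key files live in one of these directories (CSP keys, then CNG keys).
$keyDirs = @("$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",
             "$env:ProgramData\Microsoft\Crypto\Keys")
$keyFile = Get-ChildItem -Path $keyDirs -Filter $keyName -Force -ErrorAction SilentlyContinue |
           Select-Object -First 1
if (-not $keyFile) { throw "Key file '$keyName' not found (key may be on a smart card or HSM)." }

# Grant Read only: a service needs to use the key, not to change its permissions.
$acl  = Get-Acl -Path $keyFile.FullName
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile.FullName -AclObject $acl

# Show the resulting ACL so the change can be reviewed.
(Get-Acl -Path $keyFile.FullName).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType
```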
16

In Windows 10 1809, it seems that the Manage Private Keys option is available only to certificates in the Personal store. The workaround is to drag and drop the certificate there, add permissions as needed and drag it back to where you need it.

Igor Levicki
11

Manage Private Keys option was missing when I first tried adding the certificates. Finally corrected it by following two steps.

  1. Ran MMC as an administrator. File -> Add or remove Snap-ins -> Select Certificates -> Click on the Add button. This will open a dialog. "This snap-in will always manage certificates for": choose Computer account. "Select the computer you want this snap-in to manage": choose Local computer. Click Finish. Click OK.

  2. When you import the certificates (All tasks -> Import) in the Personal folder, make sure you are importing the .pfx file and NOT the .cer file.

Dev
  • I'll second this, had the same problem, was served a .cer file and not .pfx from the customer :) – Squazz Aug 18 '16 at 11:17
10

I had this same problem (Manage Private Keys option missing). In order to get it to appear I had to add the Certificates snap-in using the "Computer account" option instead of the default "My user account"

kbeal2k
3

The Manage Private Keys Option is only available for certificates with an exportable private key

In my case, I experienced this problem despite configuring the Certificates snap-in to access the COMPUTER account. Further, the suggestion to get a .PFX certificate in this answer isn't an option for me.

I solved the problem by specifying that the private key be exportable when creating the certificate request (which I'm doing via the Certificates MMC snap-in):


Even though the certificate I got back from the public CA was a .CER file, the Manage Private Keys menu option was available for it. I don't know a lot about certificates, but I conclude that the menu option only appears when the private key can be exported. In light of this answer, perhaps certificates in the .PFX format always allow this to be done. Nonetheless, it's good to know it's possible for other certificate formats.

Community
1

There can be one other problem, so I will mention it. Apart from the -pe argument when creating a certificate using makecert.exe, be sure you are importing the .pfx file, not the .cer. If there is no .pfx file, use an additional tool such as pvk2pfx.exe to create it.

Athafoud
Divisadero
-1
  1. Open the Command Prompt (Run as Administrator)
  2. Enter and execute command,
    certutil -repairstore my "thumbprint" (replace thumbprint with the 32 characters)
  3. If successful, you will receive the message,
    certUtil: -repairstore command completed successfully.