
Problem processing SSL certificate response.

Author
21 Nov 2008 10:17 PM
Tyrven
Summary: When processing an SSL certificate response in IIS, a private key is
not generated with the certificate and, therefore, SSL does not function on
the site.  IIS and Certificates.mmc believe there is a private key, but when
I try to export one it fails with "The associated private key cannot be
found".  Details below.

In IIS's "Web Server Certificate Wizard" I am able to complete the "Process
the Pending Request" step as expected.  Afterwards, however, the website
properties do not allow me to "View Certificate".  If I return to the wizard
it acts as though I don't have a certificate.  If I choose "Assign an
existing certificate" and select the recently imported certificate, however,
then I am unable to connect to the site via HTTPS ("Internet Explorer cannot
display the webpage"). 

If I view the certificate in the MMC Certificates snap-in, I can see the
certificate.  If I open it, I am informed "You have a private key that
corresponds to this certificate".  When I try to export it, however, the
option to export the private key is disabled; the dialogue box notes: "The
associated private key cannot be found.  Only the certificate can be
exported." 

Clearly, the processing of the SSL certificate response is failing - but
why?  No error is provided when processing the response, nor does the event
log contain any relevant errors or warnings.  I've tried this with both
self-signed certificates as well as a GeoTrust-issued certificate; same
result. 

Note: This server contains a number of SSL sites.  I can use certificates
issued in the past or which have been imported (with private keys) from other
servers without a problem; the ports, router, bindings, etc. are set up
properly.  Using a newly issued certificate, however, fails.  I could work
around this by requesting/processing the certificate on another server; as
this is our primary web server, however, I'd like to resolve the underlying
issue.

Tyrven
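
A check for the symptom described in the post above, added here as an example and not part of the original thread: it walks the LocalMachine Personal store and, for every certificate whose HasPrivateKey flag is set, tries to actually open the key. That is what separates a working server certificate from an "orphaned" one whose key container is missing, because the flag only reflects a property on the certificate, not the presence of the key file. The optional -Repair switch runs certutil -repairstore, which can re-link a certificate to a key container that still exists on disk but cannot recreate a key that was never generated. The store path, the -Repair behaviour and the requirement for an elevated Windows PowerShell 5.1 session are assumptions, as is the function naming.

```powershell
# Added example: find certificates in the machine Personal store whose private
# key is advertised but cannot be opened (the "associated private key cannot be
# found" symptom). Assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later,
# run elevated so machine key containers are readable.

function Test-PrivateKeyUsable {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # HasPrivateKey only says the certificate carries a key-provider property;
    # it does not prove the key container that property points at still exists.
    if (-not $Certificate.HasPrivateKey) { return 'NoKeyProperty' }
    try {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
        if ($null -eq $key) {
            $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($Certificate)
        }
        if ($null -eq $key) { return 'UnknownAlgorithm' }
        $key.Dispose()
        return 'Usable'
    }
    catch [System.Security.Cryptography.CryptographicException] {
        # Typically "Keyset does not exist": the property is there, the key file is not.
        return "Orphaned ($($_.Exception.Message.Trim()))"
    }
}

function Get-ServerCertificateKeyState {
    param(
        # Assumed: IIS reads its server certificates from the machine Personal store.
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [switch]$Repair
    )
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $state = Test-PrivateKeyUsable -Certificate $cert
        if ($Repair -and $state -like 'Orphaned*') {
            # certutil -repairstore rewrites the cert-to-key link if a matching key
            # container exists in the machine key store; it cannot create a key.
            & certutil.exe -repairstore my $cert.Thumbprint | Out-Null
            # Re-read the certificate so the result reflects the updated store entry.
            $refreshed = Get-Item -Path (Join-Path $StorePath $cert.Thumbprint)
            $state = "$state -> after repair: $(Test-PrivateKeyUsable -Certificate $refreshed)"
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            KeyState   = $state
        }
    }
}

# Report only; add -Repair to attempt re-linking orphaned entries.
Get-ServerCertificateKeyState | Sort-Object KeyState, NotAfter | Format-Table -AutoSize
```

Pointing -StorePath at Cert:\LocalMachine\REQUEST (the Certificate Enrollment Requests store, where Windows keeps a pending request and its key until the response is processed) shows whether the key for a pending request is present before the response is ever applied.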

Author
22 Nov 2008 5:49 AM
David Wang
On Nov 21, 2:17 pm, Tyrven <Tyr***@discussions.microsoft.com> wrote:
> Summary: When processing an SSL certificate response in IIS, a private key is
> not generated with the certificate and, therefore, SSL does not function on
> the site.  IIS and Certificates.mmc believe there is a private key, but when
> I try to export one it fails with "The associated private key cannot be
> found".  Details below.
>
> In IIS's "Web Server Certificate Wizard" I am able to complete the "Process
> the Pending Request" step as expected.  Afterwards, however, the website
> properties do not allow me to "View Certificate".  If I return to the wizard
> it acts as though I don't have a certificate.  If I choose "Assign an
> existing certificate" and select the recently imported certificate, however,
> then I am unable to connect to the site via HTTPS ("Internet Explorer cannot
> display the webpage").  
>
> If I view the certificate in the MMC Certificates snap-in, I can see the
> certificate.  If I open it, I am informed "You have a private key that
> corresponds to this certificate".  When I try to export it, however, the
> option to export the private key is disabled; the dialogue box notes: "The
> associated private key cannot be found.  Only the certificate can be
> exported."  
>
> Clearly, the processing of the SSL certificate response is failing - but
> why?  No error is provided when processing the response, nor does the event
> log contain any relevant errors or warnings.  I've tried this with both
> self-signed certificates as well as a GeoTrust-issued certificate; same
> result.  
>
> Note: This server contains a number of SSL sites.  I can use certificates
> issued in the past or which have been imported (with private keys) from other
> servers without a problem; the ports, router, bindings, etc. are set up
> properly.  Using a newly issued certificate, however, fails.  I could work
> around this by requesting/processing the certificate on another server; as
> this is our primary web server, however, I'd like to resolve the underlying
> issue.
>
> Tyrven


Download SSL Diagnostics 1.1 from Microsoft.com and use it to diagnose
and resolve your issue(s) with SSL.

It is not clear to me whether you are saying:
1. It is not possible to use IIS to Request/Process a certificate
request to enable SSL on a website.
2. OR it used to work on this IIS server but not any more.

It is also not clear to me whether you installed the SSL Certificate
in the LocalMachine's Personal store or not, nor if you installed the
SSL Certificate with or without "export" capability.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
Author
22 Nov 2008 8:01 PM
Tyrven
David,

"Download SSL Diagnostics 1.1 from Microsoft.com and use it to diagnose
and resolve your issue(s) with SSL."

I know why SSL isn't working: there isn't a private key.  What I don't know
is WHY the private key isn't being generated by the "Process pending request"
option.

Note that I am able to work around this by requesting/processing a request
on a separate machine (my local Vista workstation, for example), then
transferring the generated PFX into the certificate store on the IIS machine.
I can still use the Certificate Authority on the IIS machine to issue a
self-signed certificate.  The issue is exclusively with the ability of IIS to
process a certificate response.

> It is not clear to me whether you are saying:
> 1. It is not possible to use IIS to Request/Process a certificate
> request to enable SSL on a website.
> 2. OR it used to work on this IIS server but not any more.

Both statements are true.  The Request/Process wizard works fine (no errors)
but the result is an "orphaned" public key (no private key generated).  This
process worked up to six months ago (roughly); keys generated via IIS before
that are functional (but many are expiring); keys generated (either new or
renewed) are orphaned.

> It is also not clear to me whether you installed the SSL Certificate
> in the LocalMachine's Personal store or not, nor if you installed the
> SSL Certificate with or without "export" capability.

When using the Request/Process wizard, these are not options.  The SSL
Certificate is automatically imported into the Local Machine ("My Computer")
Personal store with export capability.  I could manually import the
certificate response from the Certificate Authority - but that wouldn't result
in processing a private key.

Hope this helps clarify the issue.

Tyrven
Author
23 Nov 2008 2:16 PM
David Wang
On Nov 22, 12:01 pm, Tyrven <Tyr***@discussions.microsoft.com> wrote:
> David,
>
> "Download SSL Diagnostics 1.1 from Microsoft.com and use it to diagnose
> and resolve your issue(s) with SSL."
>
> I know why SSL isn't working: there isn't a private key.  What I don't know
> is WHY the private key isn't being generated by the "Process pending request"
> option.
>
> Note that I am able to work around this by requesting/processing a request
> on a separate machine (my local Vista workstation, for example), then
> transferring the generated PFX into the certificate store on the IIS machine.
> I can still use the Certificate Authority on the IIS machine to issue a
> self-signed certificate.  The issue is exclusively with the ability of IIS to
> process a certificate response.
>
> > It is not clear to me whether you are saying:
> > 1. It is not possible to use IIS to Request/Process a certificate
> > request to enable SSL on a website.
> > 2. OR it used to work on this IIS server but not any more.
>
> Both statements are true.  The Request/Process wizard works fine (no errors)
> but the result is an "orphaned" public key (no private key generated).  This
> process worked up to six months ago (roughly); keys generated via IIS before
> that are functional (but many are expiring); keys generated (either new or
> renewed) are orphaned.
>
> > It is also not clear to me whether you installed the SSL Certificate
> > in the LocalMachine's Personal store or not, nor if you installed the
> > SSL Certificate with or without "export" capability.
>
> When using the Request/Process wizard, these are not options.  The SSL
> Certificate is automatically imported into the Local Machine ("My Computer")
> Personal store with export capability.  I could manually import the
> certificate response from the Certificate Authority - but that wouldn't result
> in processing a private key.
>
> Hope this helps clarify the issue.
>
> Tyrven



Then, it looks like you should contact Microsoft PSS and open a
support case to determine the underlying issue in your situation.

You say that it worked before but not now, and you are confident that
you are doing the same actions as before that should work, and you
want to know why. Those requirements pretty much mean that you should
contact Microsoft PSS to open a support case because you believe a bug
was introduced.

I usually assign SSL Certificates in IIS in the way that you say still
works -- I never bother with the IIS Wizard to create/process requests
because I always keep track of the PFX certificate and explicitly
install the certificate on the server(s) of my choice with the options
of my choice. Going through the wizard is opposite of what I want,
especially when dealing with multiple servers in a farm.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
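
The workflow David describes in the post above, keeping the PFX and installing it explicitly on each server with the options of your choice, written out as an added example rather than code from the thread. It inspects the PFX before touching the store (confirming it actually carries a private key, the thing the wizard failed to produce in Tyrven's case), imports it into the machine Personal store with exportability decided by the caller, confirms the installed key can be opened rather than trusting the HasPrivateKey flag, and shows the matching export from a server that does have a working key, for redistribution across a farm. The paths, the password prompt, the function names and the default of non-exportable keys on production servers are assumptions; the cmdlets are the PKI module ones shipped with Windows Server 2012 and later, not the IIS 6 era tooling discussed in the thread.

```powershell
# Added example: explicit PFX-based certificate deployment for IIS servers.
# Assumes Windows Server 2012 or later (PKI module: Get-PfxData,
# Import-PfxCertificate, Export-PfxCertificate) and an elevated session.
# File paths and function names are assumptions.

function Install-ServerCertificateFromPfx {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password,
        [switch]$Exportable   # default: key is marked non-exportable once installed
    )
    # 1. Look inside the PFX before importing. A PFX holding only a certificate
    #    would recreate exactly the "certificate without key" state in the thread.
    $pfx  = Get-PfxData -FilePath $PfxPath -Password $Password
    $leaf = $pfx.EndEntityCertificates | Select-Object -First 1
    if (-not $leaf -or -not $leaf.HasPrivateKey) {
        throw "PFX '$PfxPath' does not contain an end-entity certificate with a private key"
    }

    # 2. Import into the machine Personal store, which is where IIS looks.
    $installed = Import-PfxCertificate -FilePath $PfxPath `
        -CertStoreLocation 'Cert:\LocalMachine\My' `
        -Password $Password -Exportable:$Exportable

    # 3. Verify the installed key actually opens, not merely that the flag is set.
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($installed)
        if ($null -eq $rsa) { throw "Installed certificate is not RSA; adjust the check for its key type" }
        $rsa.Dispose()
    }
    catch [System.Security.Cryptography.CryptographicException] {
        throw "Certificate $($installed.Thumbprint) imported but its key cannot be opened: $($_.Exception.Message)"
    }
    return $installed
}

function Export-ServerCertificateToPfx {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$OutPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    # Only succeeds if the key was installed as exportable on this server. The
    # private key travels in the file, so handle the PFX as you would the key.
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
    Export-PfxCertificate -Cert $cert -FilePath $OutPath -Password $Password -ChainOption BuildChain
}

# Usage (path is an assumption):
$pw   = Read-Host -AsSecureString -Prompt 'PFX password'
$cert = Install-ServerCertificateFromPfx -PfxPath 'C:\certs\www.example.com.pfx' -Password $pw
"Installed {0}, thumbprint {1}, expires {2:yyyy-MM-dd}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
```

Leaving -Exportable off on the web servers means a compromised host yields the certificate but not a portable copy of the key; keep the exportable copy only on the machine where the request was generated, or in whatever secure store the PFX came from.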