Symantec instructions

When installing a SSL certificate, the following error may appear in the IIS Certificate Wizard: The pending certificate request for this response file was not found.
This error indicates that the pending request that was created when originally enrolling or renewing a certificate has been damaged or deleted.
It may still be possible to install the certificate from the command line using certutil.exe.

The following instructions apply to Windows Server 2003 (IIS 6), 2008 (IIS 7) and 2012 (IIS 8):

  1. Download the SSL certificate & Intermediate CA Certificate from the Symantec Trust Center in X.509 format by selecting Other as the Server Platform.
  2. Open a command prompt (click Start, point to Run, type cmd and then click OK.
  3. Navigate to the folder used in steps 1 and 2, then run the following three commands:
    certutil -addstore my ssl_certificate.cer
    certutil -addstore ca intermediate.cer
    All of the commands should complete successfully with the following message: CertUtil: -addstore command completed successfully.
  4. Open a Windows Explorer window, navigate to the folder from steps 1 and 2, double-click the file ssl_certificate.cer.
  5. On the certificate information window that opens, select the Details tab, scroll down and select the Thumbprint field from the list.
  6. The Thumbprint will appear in the box below; select the thumbprint and copy to clipboard (click anywhere in the box, then press Ctrl+A followed by Ctrl+C on the keyboard)


  7. Return to the command prompt window and run the following command - paste in the thumbprint as indicated:
    certutil -repairstore my ""
    The command should similar to:
    certutil -repairstore my "00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f"
    If the command completes successfully, the following message will appear:
    CertUtil: -repairstore command completed successfully
    If the command fails, continue from Step 10.
  8. The certificate is now installed on to the server and needs to be assigned in IIS.
  9. Depending on the server platform version, refer to one of the following instructions to assign the certificate in IIS:
    • Windows Server 2003 (IIS 6), refer to the "Step 1: Installing SSL Certificate into IIS 6.0" section for details.
    • Windows Server 2008 (IIS 7), refer to the "Step 1: Prepare the server" section, then go to "Step 3: Binding certificate to the web site" for details.
    • Windows Server 2012 (IIS 8), refer to the "Step 2: Prepare the server" section, then go to "Step 4: Binding certificate to the web site" for details.
  10. If the repairstore command from Step 8 fails, one of the following appears instead:
    CertUtil: -repairstore command FAILED: 0x80090011 (-2146893807)
    CertUtil: Object was not found
    CertUtil: -repairstore command FAILED: 0x8009000b (-2146893811)
    CertUtil: Key does not exist
    This means that the request has been damaged beyond repair or deleted completely and the certificate cannot be installed. Instead, the certificate needs to be revoked and replaced (generate a new CSR, request a replacement online and install the resulting new certificate in to IIS).

Microsoft instructions

IIS stores the private key for a certificate as the pending request. Deleting the pending request deletes the association of the private key with IIS, but the private key still exists in the certificate store. To install the certificate without having the pending request available, you can use version 5.2.3718.0 of the certutil.exe command-line tool that is available through the Certificate Services MMC snap-in in Windows Server 2003.

The following instructions apply to (IIS 6).

To install a Web server certificate that lacks a pending certificate request:

  1. Click Start, point to Run, type cmd, and then click OK.
  2. Navigate to the directory where certutil.exe is stored; by default, this is %windir%\system32.
  3. Type the following command at the command prompt: certutil -addstore my certnew.cer
    where certnew.cer is the name of the certificate you received from the certification authority (CA). You should see the following message: CertUtil: -addstore command completed successfully.
  4. Navigate to the directory where you stored the certificate you received from the CA. Right-click the certificate and then point to Properties.
  5. Click the Details tab and select in the Show drop-down list.
  6. In the Field list, select Thumbprint to display its value in the view pane.
  7. Select the Thumbprint value in the view pane and then click CTRL+C.
  8. Return to the command prompt window and type the following command: certutil -repairstore my "thumbprint"
    where thumbprint is the value of the Thumbprint field.
    Be sure to type the double quotes as part of the command.
    If the command is successful, the following message is displayed: "Encryption test passed CertUtil: = repairstore command completed successfully".
  9. Install the server certificate on your Web server.


If the certutil command does not complete successfully, the following error message is displayed: "Certutil: -repairstore command FAILED: 0x80090011 (-2146893807) Certutil: Object was not found." This message indicates that the private key for the certificate does not exist in the certificate store. You cannot install the certificate you obtained from the CA. Instead, you must generate a new certificate request, obtain the new certificate, and install that new certificate on your Web server.

Click here to view the procedure for importing .cer through Microsoft Management Console (MMC) rather than certutil command line.