Certificate missing private key.

Sometimes when dealing with certificates, a problem occurs when the certificate does not have a private key assigned to it.

In regards to Lync for instance, it’s not possible to assign the certificate to any services when the private key is missing. The solution to this problem is rather simple, and well documented in Microsoft TechNet but i still choose to write a post about it i case someone stumbles accross it and finds it useful.

Import the certificate in the MMC certificate Snap-In as you would do with any other certificate for the computer account. The certificate shows up in the Personal certificate store. Then doubleclick the certificate in the Personal view, and select the Details tab.


  • Copy the serial number from the cerificate properties.
  • Start a command prompt with elevated rights and type the following command:
    certutil.exe -repairstore my “serialnumber of the certificate”
  • Refresh the Personal certificates view, and you will see that the certificate has now been assigned a private key.

Ready to go.


Just to make it clear, as it’s correctly pointed out by Lasse in the comments, it’s not possible to restore a private key to a certificate without actually having the private key in your cert store.




Lync Server 2013: Fix for Event ID 32054 (in an all 2013 environment)

After spending some time being frustrated over the repeated Event ID 32054 “Storage Service had an EWS Autodiscovery failure.” described in my previous blogpost “lync-server-2013-event-id-32054-ls-storage-service“, I finally came accross the solution for this problem.
Some of you might already know this, but I choose to post this anyway if, for some reason someone don’t. Continue reading “Lync Server 2013: Fix for Event ID 32054 (in an all 2013 environment)”

Updates for the Lync 2013 client.

Back from three weeks of vacation, and I thought I would share some news for a start 🙂

Check out this blogpost on the Lync Team Blog for an overview of the new features available With the Lync 2013 CU2.

Pay special attention to the new embedded images feature, which I’ve been asked about almost in every deployment I’ve made 🙂

Be aware that the server has to be updated With CU2 before the client features are available.

Event ID 14501, Lync 2013 FE on Windows Server 2012.

Recently I came accross a problem that I’ve never had before. The environment is a mixed environment of Windows Server 2008, 2008 R2 and Windows Server 2012.

I installed Lync Server 2013 FE on a standard Windows Server 2012(which I’ve done a couple of times before with no problems at all). Requested certificates from internal CA server, all went as expected. The Lync server fired up, and all services came online. No problems so far.
Then I tried to log on from a Client, and nothing happened. I immediately checked the Event logs to see what was wrong, and came accross this event:

Event ID 14501, LS Protocol Stack
Event ID 14501, LS Protocol Stack

The text is as follows:

A significant number of invalid certificates have been provided by remote IP address when attempting to establish an MTLS peer. There have been 10 such failures in the last 16 minutes.

Certificate Names associated with this peer were

The serial number of this certificate is .

The issuer of this certificate is The specific failure types and their counts are identified below. Instance count

– Failure Type 10    0x80090331(SEC_E_ALGORITHM_MISMATCH)

Turns out Lync server 2013(or the Windows Server 2012) is not very happy with the MD5 signature algorithm used by the local CA servers root certificate.

Change the CA’s signature algorithm, the one that the CA uses to sign its issued certificates after installation (sure, you cannot change the algorithm with which the CA’s own certificate is signed). This can be done in registry, in HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\…\CSP. There is the CNGHashAlgorithm (or HashAlgorithm) value, that contains the current signature algorithm. Change it to SHA1 and restart the CA service, from that point on, CA will be signing with the new algorithm. Also, you would have to update the internal root certificate With the New algorithm(recreate it).

Keep in mind that when this is done, you would have to make sure the new root certificate is published in your organization(most common way is by GPO’s). Also, consider the size of your organization and number of computers the certificates are deployed to(in my case, the organization was rather small and the number of certificates issued was very low).

Trouble installing ReachFonts.msi

Recently I had a strange experience when installing a new Lync 2013 Standard Edition server.

Normally, this is a straight forward procedure which (almost) never causes any problems. Just build the topology, publish and deploy server roles.

My problem started when I had finished building the topology and had installed the local replica of the CMS. Next step was to run Add or Remove Lync Server Components.

I started the procedure, and everything looked nice until it suddenly didn’t 😦

The Message was: Error returned when installing ReachFonts.msi



The problem was solved by copying the ReachFonts.msi file from the installation media to the following location on the server:

Restart the process, and everything works fine.

This may apply to similar problems with other files in the installation process. The file copied and the file replaced had the same date and size, so figure out why this should be a problem…