I have bought an official Thawte certificate to secure a self hosted (console application) web service over a specific port on our internet server. I then have received the Thawte certificate and installed it with mmc on our Internet server (the certificate then was viewable under „Trusted Root Certification Authorities“ (with the key icon on the image, what shows that the certificate contains a private key what is mandatory to be able to bind it to a port b.t.w.) .

Next step was to enable the <port> for https:

netsh http add urlacl url=https://+:<port>/ user=everyone

(what was no problem)

Next step was to enable the port () for https:

netsh http add sslcert ipport=0.0.0.0:<port> certhash=<thumbprint to certificate> appid={<guid to application>}

This has failed with the error message:
SSL Certificate add failed, Error: 1312 A specified logon session does not exists. It may be already have been terminated.

I then have searched the Internet and tried various suggested workaround’s (without success).

The solution for my case was to add certstorename=Root to the netsh command:

netsh http add sslcert ipport=0.0.0.0:<port *1)> certstorename=Root certhash=<thumbprint to certificate *2)> appid={<guid to application *3)>}

Notes:
If no certstorename is applied to net netsh command, netsh takes the default, what is MY (what targets the certificate store: “Personal” where self signed certificates are stored normally).
Root targets the certificate store: „Trusted Root Certification Authorities“

*1): The port, you want to use the connection
*2): You can extract the thumbprint to the certificate, if you open the certificate (on a windows system, just doubleclick the certificate in explorer) - select tab “Details” and click on “Thumbprint”. The “thumbprint” then is showed and can be copied. Copy the Thumbprint and remove all spaces...
*3): As appid you can take any ID in the form {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} as the APPID is only informative. With the command “netsh http show sslcert” you can query the bound certificates on the whole machine and the will see informative, which appid is bound to which certificate (not really helpful in practice b.t.w.) In my case, I have took the (from VS generated) GUID to my web service application

The certstorename argument should be the string value of the StoreName enumeration from the .net framework namespace System.Security.Cryptography.X509Certificates.

IF you imported the certificate using .NET, specific import flags must be used:

/// <summary>
/// Imports X.509 certificate from file to certificate store.
/// </summary>
/// <param name="fileName">Certificate file.</param>
/// <param name="password">Password.</param>
/// <param name="storeName">Store name.</param>
/// <param name="storeLocation">Store location.</param>
public static void ImportCertificate(string fileName, string password, StoreName storeName, StoreLocation storeLocation) {
    var keyStorageFlags =
        X509KeyStorageFlags.PersistKeySet
        | (storeLocation == StoreLocation.LocalMachine ? X509KeyStorageFlags.MachineKeySet : X509KeyStorageFlags.UserKeySet);
    var cert = new X509Certificate2(fileName, password, keyStorageFlags);
    var store = new X509Store(storeName, storeLocation);
    store.Open(OpenFlags.MaxAllowed);
    store.Add(cert);
    store.Close();
}

The ImportCertificate method is a part of the Woof.Security package created by me.

• https://github.com/HTD/Woof.Security

• https://www.nuget.org/packages/Woof.Security/

I've been fighting error 1312 all day, what fixed it for me was to import the certificate in mmc as a .p12 file instead of a .crt. If you are creating it with OpenSSL then once you have created the .crt, do:

pkcs12 -export -in server.crt -inkey server.key -name “Your Name” -out server.p12

As described. When you go to import it in mmc it will be a called "Personal Information Exchange" file (and apparently a .pfx file would also work).

I'm new to writing servers and dealing with SSL and I have no idea why this works, but I hope it helps.

I had the same problem and solved importing the certificate using this command:

c:> certutil -importPFX certname.pfx

Now the certificate appear using this command:

c:> certutil -store my

before this command the certificate doesn't appear

I just had yet another error. I renewed an expired cert for our WorkFolders service from our CA using the same private key. Then I always got Error 1312. Even if Certificate Management shows I have a private key.
I could only solve the problem by re-issuing a new certificate (without the renew option). Then it worked on the first try.
Maybe this will help someone who also tried the renew option.