ERROR_IPSEC_IKE_NO_PRIVATE_KEY - 13820 (0x35FC)

IKE negotiation failed because the machine certificate used does not have a private key. IPsec certificates require a private key. Contact your Network Security administrator about replacing with a certificate that has a private key.

Updated: Feb 21, 2026

Technical Background

The ERROR_IPSEC_IKE_NO_PRIVATE_KEY error code indicates that the Internet Protocol Security (IPsec) Internet Key Exchange (IKE) negotiation process has failed because the machine certificate used does not have a private key. A private key is a critical requirement for IPsec operations, as it is necessary for establishing secure communication channels.

Error Details

  • Error Name: ERROR_IPSEC_IKE_NO_PRIVATE_KEY
  • Numeric Code: 13820 (0x35FC)
  • Short Description: IKE negotiation failed due to missing private key in the machine certificate.

Common Causes

The error is typically caused by one of the following scenarios:

  • The machine certificate does not have a corresponding private key.
  • The certificate store or certificate itself has been corrupted or tampered with.
  • The certificate was issued without including the private key, which is uncommon but possible in certain cases.

Real-World Context

This error can occur during various IPsec operations such as establishing secure connections over Virtual Private Networks (VPNs) or other encrypted network communications. It is essential to ensure that all certificates used for IPsec have both public and private keys properly configured.

Is This Error Critical?

Yes, this error is critical because it prevents the establishment of a secure connection using IPsec. Without a valid private key, the security mechanisms required by IPsec cannot be implemented, leading to potential vulnerabilities in network communications.

How to Diagnose

To diagnose this issue:

  1. Review the Certificate Store: Ensure that the certificate used for IPsec has both public and private keys. Use tools like certutil or the Microsoft Management Console (MMC) Certificates snap-in to inspect the certificate details.
  2. Check Certificate Issuance: Verify that the certificate was issued with a private key. Some certificate authorities might not include the private key in the certificate issuance process, which can lead to this error.
  3. Validate Private Key Access: Ensure that the system has access to the private key associated with the certificate. This includes checking file permissions and any other security settings that may affect key access.
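The three checks above can be run in one pass from an elevated PowerShell session. This is an added example, not code from the original page or from Microsoft; the function name Test-MachineCertKey and the status labels are hypothetical, and the default store path assumes the IPsec certificate is in the local machine's Personal store.

```powershell
# Added example: audit machine certificates for a usable private key.
# Test-MachineCertKey and the KeyStatus labels are hypothetical names.
function Test-MachineCertKey {
    param([string]$StorePath = 'Cert:\LocalMachine\My')  # assumed store location

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert   = $_
        $status = 'NoPrivateKey'   # steps 1 and 2: no key is linked to this certificate
        $detail = ''

        if ($cert.HasPrivateKey) {
            try {
                # HasPrivateKey only says a key link exists. Opening the key
                # shows whether the link resolves and this account may use it.
                $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($null -eq $key) {
                    $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
                }
                if ($null -ne $key) {
                    $status = 'KeyAccessible'
                    $detail = $key.GetType().Name
                    $key.Dispose()
                } else {
                    $status = 'KeyTypeNotChecked'   # neither RSA nor ECDSA
                }
            } catch {
                # Step 3: key container missing, damaged, or blocked by permissions
                $status = 'KeyLinkedButUnreadable'
                $detail = $_.Exception.Message
            }
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            KeyStatus  = $status
            Detail     = $detail
            EKU        = ($cert.EnhancedKeyUsageList.FriendlyName -join ', ')
        }
    }
}

Test-MachineCertKey | Sort-Object KeyStatus | Format-List
```

A certificate reported as NoPrivateKey matches the first common cause listed earlier; KeyLinkedButUnreadable points at permissions or a damaged key container rather than at the certificate itself.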

How to Resolve

To resolve this issue:

  1. Replace the Certificate: Contact your network security administrator or certificate authority (CA) to obtain a new certificate that includes both public and private keys.
  2. Reinstall the Certificate: If the certificate is already in the store but missing the private key, you may need to reinstall it with the correct key.
  3. Check for Corruption: Ensure that the certificate store or certificate itself has not been corrupted. Use tools like certutil to check for any signs of corruption and repair if necessary.

Developer Notes

When implementing IPsec in your applications, ensure that all certificates used have both public and private keys. This is a fundamental requirement for establishing secure connections. Additionally, regular audits of certificate stores can help prevent such issues from arising.

Related Errors

  • ERROR_IPSEC_IKE_CERT_INVALID (13824): Indicates an invalid certificate was encountered during the IKE negotiation process.
  • ERROR_IPSEC_KEY_USAGE_MISMATCH (13826): Occurs when the key usage of a certificate does not match the required usage for IPsec operations.

FAQ

Q: What causes the ERROR_IPSEC_IKE_NO_PRIVATE_KEY error?

A: The error occurs when the machine certificate used in an IKE negotiation lacks a private key, which is necessary for establishing secure connections using IPsec.

Q: How can I prevent this error from occurring?

A: Ensure that all certificates used for IPsec operations have both public and private keys. Regularly audit your certificate stores to maintain the integrity of your security infrastructure.

Q: Can this error be resolved without administrative intervention?

A: In most cases, resolving this error requires administrative action such as obtaining a new certificate or reinstalling existing certificates with the correct key.

Summary

The ERROR_IPSEC_IKE_NO_PRIVATE_KEY error indicates that an IPsec IKE negotiation has failed due to the absence of a private key in the machine certificate. This is a critical issue that can compromise network security. Proper management and maintenance of certificates, including ensuring they contain both public and private keys, are essential for preventing this error.