diff --git a/doc/100-General/10-Changelog.md b/doc/100-General/10-Changelog.md
index 1265a03..606144e 100644
--- a/doc/100-General/10-Changelog.md
+++ b/doc/100-General/10-Changelog.md
@@ -14,6 +14,7 @@ Released closed milestones can be found on [GitHub](https://github.com/Icinga/ic
 ### Bugfixes
 
 * [#683](https://github.com/Icinga/icinga-powershell-framework/pull/683) Fixes JEA installer to exclude domain from user name length check, which can easily exceed the Windows 20 digits username limit
+* [#686](https://github.com/Icinga/icinga-powershell-framework/pull/686) Fixes certutil error handling and message output in case the icingaforwindows.pfx could not be created
 
 ### Enhancements
 
diff --git a/lib/webserver/ConvertTo-IcingaX509Certificate.psm1 b/lib/webserver/ConvertTo-IcingaX509Certificate.psm1
index b3a4915..5c2e0a6 100644
--- a/lib/webserver/ConvertTo-IcingaX509Certificate.psm1
+++ b/lib/webserver/ConvertTo-IcingaX509Certificate.psm1
@@ -44,14 +44,16 @@ function ConvertTo-IcingaX509Certificate()
         [string]::Format(
             'Certutil merge request has been completed. Certutil message:{0}{0}{1}',
             (New-IcingaNewLine),
-            $CertUtilOutput
+            ($CertUtilOutput | Out-String)
         )
     );
 
     # If no target file exists afterwards (a valid PFX certificate)
     # then throw an exception
     if (-Not (Test-Path $TargetFile)) {
-        throw 'The specified/created certificate file could not be found.';
+        [string]$ErrMessage = [string]::Format('Unable to create the Icinga for Windows certificate file "icingaforwindows.pfx". Certutil output:{0}{1}', (New-IcingaNewLine), ($CertUtilOutput | Out-String));
+        Write-IcingaConsoleError $ErrMessage;
+        throw $ErrMessage;
     }
 
     # Now load the actual certificate from the path