Score:0

IIS10 SSL Renewal cert disappears


We were notified by GD that our wildcard SSL cert would be expiring, and they helpfully have supplied a new one... I say new one, I mean 3 files (a .crt, a .pem and a .p7b, though I've no idea what the latter two are).

I can't believe it's quite as complicated as it appears to be... I thought I could just right click on the expiring cert, click Renew... then select Complete Certificate Request, provide the .crt file that was provided by GD, and that would be that... when I do that, nothing happens... it sits and thinks for a while, then the screen disappears... I asked the man at GD if it would automatically kick over to the new cert when the old one expired, but I wasn't confident he knew that would be the case....

Can anyone give me a definitive answer on how to renew an existing SSL cert in IIS?

cre8toruk:
I should add that I tried putting the date on the computer forward to a day after the cert should expire, and all I got when I tried to view the site was a message saying the certificate had expired.
Score:0

The real reason behind the disappearing certificate from IIS Manager is documented in my blog post. Your situation is no different, as the .crt you received contains only the certificate, so IIS Manager cannot locate the original private key. I don't use GD for certificates, so I don't know what they sent you in the .pem and .p7b files either.

What you should do is contact GD for instructions on how to move on. You need to ask them which private key they targeted when generating the new certificate. If they say they went against your old private key (which you used to request the old certificate), then you need to locate that (such as by exporting it from your current machine). Then you can merge the private key with the new certificate as a PFX and import it into IIS Manager.

Hire a consultant if you can, as I doubt many server administrators know every detail of certificates.

Score:0

I thought I could just right click on the expiring cert, click renew...

That's wrong. This action attempts to generate a new request and submit it to a Microsoft CA.

If you were given the certificate in .crt format, then you must install it into Local Machine\Personal (via certlm.msc) and then run the following command in an elevated command prompt:

certutil -repairstore my "<CertThumbprint>"

I assume that the new certificate contains the same public key. If that is the case, the command above will re-associate the new certificate with the private key, and then you can replace the certificate in the IIS web site bindings.

cre8toruk:
Hi, thanks for this.... I tried what you mentioned, but I got an error: "CertUtil: -repairstore command FAILED: 0x80090011 (-2146893807 NTE_NOT_FOUND)" and then "CertUtil: Object was not found."
cre8toruk:
Scratch the above... I tried what you mentioned and I'm now able to select the cert, but it claims to be issued by a different SSL CA other than GD... does that matter?
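The procedure described in the two answers above (import the CA-issued .crt into Local Machine\Personal, re-link it to the existing private key with certutil -repairstore, then move the site binding to it) as one PowerShell script. This is an added example, not code from either answerer or from the original post; the file path C:\certs\new.crt, the site name "Default Web Site" and the store location are hypothetical values you would substitute. It also adds the check the first answer asks you to make by phone: it compares the new certificate's public key against the key the expiring certificate already owns, so the NTE_NOT_FOUND failure seen in the comment is caught before certutil runs.

```powershell
# Added example (not from the original answers): re-associate a renewed
# certificate (.crt, public part only) with the private key that already lives
# on an IIS 10 host, then move the HTTPS binding to it.
# Assumptions (hypothetical values): the renewed cert is at C:\certs\new.crt,
# the site is "Default Web Site", and the expiring cert with its private key is
# in Cert:\LocalMachine\My. Run from an elevated PowerShell prompt.

$CrtPath  = 'C:\certs\new.crt'
$SiteName = 'Default Web Site'

# 1. Import the renewed certificate into Local Machine\Personal
#    (the "Personal" store shown in certlm.msc). At this point it has no key.
$newCert = Import-Certificate -FilePath $CrtPath -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Locate the expiring certificate that currently owns the private key.
$oldCert = Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.HasPrivateKey -and
                   $_.Subject -eq $newCert.Subject -and
                   $_.Thumbprint -ne $newCert.Thumbprint } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $oldCert) {
    throw "No certificate with a private key found for $($newCert.Subject). " +
          "The CA may have issued against a different key; ask them which key they used."
}

# 3. certutil -repairstore can only succeed if the CA signed the *same* public
#    key that the existing private key belongs to, so compare the raw keys first.
$oldPub = [Convert]::ToBase64String($oldCert.GetPublicKey())
$newPub = [Convert]::ToBase64String($newCert.GetPublicKey())
if ($oldPub -ne $newPub) {
    throw "Public key differs: the new .crt was not issued for the existing private key. " +
          "You need the CA to issue against your CSR, or a PFX that carries the key."
}

# 4. Re-link the certificate with its private key. NTE_NOT_FOUND (0x80090011)
#    from this step means no matching key exists in this machine's key store.
certutil -repairstore my $newCert.Thumbprint | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed with exit code $LASTEXITCODE" }

# Re-read the store object; HasPrivateKey must be true or IIS Manager will not list it.
$newCert = Get-Item "Cert:\LocalMachine\My\$($newCert.Thumbprint)"
if (-not $newCert.HasPrivateKey) { throw 'Repair did not attach a private key' }

# 5. Point the site's HTTPS binding at the repaired certificate
#    (equivalent to editing the binding in IIS Manager).
Import-Module WebAdministration
$binding = Get-WebBinding -Name $SiteName -Protocol https
try { $binding.RemoveSslCertificate() } catch { }   # drop the expiring cert if one is bound
$binding.AddSslCertificate($newCert.Thumbprint, 'My')

# 6. Show what the binding now serves.
Get-ChildItem IIS:\SslBindings |
    Where-Object { $_.Thumbprint -eq $newCert.Thumbprint } |
    Format-List IPAddress, Port, Host, Thumbprint
```

The public-key comparison is the part worth keeping even if you do the rest by hand: when it fails, no amount of -repairstore will help, and the right move is the first answer's advice, obtain a PFX (certificate plus key) from the CA or re-issue against a CSR generated on this server. Leave the expiring certificate in the store until the new binding has been confirmed in a browser; it can be removed afterwards.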

