Problem to install a new SSL ServerSign because the old has expired

Posted on 2006-05-21
Last Modified: 2008-01-09

Actually my Serversign certificate for my domain has expired.
But I already asked for a new one a couple of weeks ago. The company Globalsign suggested to me a new one and not a renewal of the old one because I should have to migrate my web site to another webserver (with another IP address).
Then I received the new one (a file called cert_1112.pem).
I installed it as suggested by renaming it cert_1112.crt and clicked on the button 'install certificate'. I thought everything was ok because I received the message 'The import was successful' BUT in fact nothing happened.

In fact, we decided not to migrate from one server to another and to stay on the actual server. And then my certificate has of course expired.

If I try to install it through the IIS panel and the 'web server certificate wizard', the only choice is 'Prepare the request now, but send it later'. But the request was already done as explained above, though not from this wizard.
Then what do I have to do now? It's very urgent!!!
Question by: yougy
    LVL 30

    Accepted Solution

    Remove the original certificate 1st... restart server..install new certificate.


    Turn your "new" certificate in for a renewal instead and apply that update.

    Author Comment

    I already removed it and restarted the web server, but it's all the time the same choice with the 'web server certificate wizard':
    - Create a new certificate (and then the 'prepare the request now, but send it later' suggestion)
    - Assign an existing certificate (with the expired certificate)
    - Import a certificate from a key manager backup file

    Your second solution is not working. I renamed the new one with the cer extension and it's not accepted.

    LVL 30

    Expert Comment

    Download and use the SSLDIAG tool from Microsoft.  It should help you reveal what's going on with the current SSL cert, versus the installation. Post your results.

    Author Comment

    Here is the log from ssldiag tool

    System time: Sun, 21 May 2006 15:58:31 GMT
    ModuleFileName: C:\Program Files\IIS Resources\SSLDiag\SSLDiag.exe
    OS: Windows 2000 Service Pack 4
    IIS5 - World Wide Web Publishing (W3SVC) service is installed

    [ HKLM\System\CurrentControlSet\Services\InetInfo\Parameters ]
    CertChainCacheOnlyUrlRetrieval = True(default)
    CheckCertRevocation = False(default)
    CertChainCheckUsage = False(default)
    sspifilt.dll loaded into process 1312 (inetinfo.exe)

    [ SChannel Info ]
    CacheSize = 10000
    Entries = 1
    ActiveEntries = 1

    [ W3SVC/1 ]
    ServerComment = Default Web Site
    ServerAutoStart = True
    ServerState = Server started
    SslCtlStoreName = CA
    SslCtlIdentifier = {6CBDBCB6-44AC-4B10-9BD0-714C24CCE303}
    #Could not impersonate server account
    SSLCertHash = 4b 35 8c 58 83 0c ed fc 8b ff ac bd 8b b1 47 f7 ab e4 4e ca
    SSLStoreName = MY
    #CertName =
    #You have a private key that corresponds to this certificate
    #ProvName='Microsoft RSA SChannel Cryptographic Provider' ProvType=PROV_RSA_SCHANNEL KeySpec=AT_KEYEXCHANGE
    #Subject: C=BE, S=Brussels, L=Brussels, O=xxx sprl, OU=XXX sprl,
    #Issuer: C=BE, O=GlobalSign nv-sa, OU=ServerSign CA, CN=GlobalSign ServerSign CA
    #Validity: From 5/20/2005 8:37:40 AM To 5/20/2006 8:37:40 AM
    SecureBindings =

    [ W3SVC/1/CTL ]
    Cert count = 1
    Cert_1 = GlobalSign Root CA

    [ W3SVC/1/Root ]
    AccessSSLFlags = 0 (0x0)

    Author Comment

    When I simulate a SSL handshake with this tool, here is the result :

    System time: Sun, 21 May 2006 17:47:51 GMT
    Connecting to my_ip_adress:443
    Handshake: 78 bytes sent
    Handshake: 2973 bytes received
    Handshake: 118 bytes sent
    Handshake: 43 bytes received
    Handshake succeeded
    Verifying server certificate, it might take a while...
    #WARNING:Error 0x800b0101 : The server certificate is expired
    #WARNING:Error 0x80092013
    Server certificate name:
    Server certificate subject: C=BE, S=Brussels, L=Brussels, O=xxx sprl, OU=xxx sprl,
    Server certificate issuer: C=BE, O=GlobalSign nv-sa, OU=ServerSign CA, CN=GlobalSign ServerSign CA
    Server certificate validity: From 5/20/2005 8:37:40 AM To 5/20/2006 8:37:40 AM
    HTTPS request:
    GET / HTTP/1.0
    User-Agent: SSLDiag
    HTTPS: 72 bytes of encrypted data sent
    HTTPS: 339 bytes of encrypted data received
    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    X-Powered-By: ASP.NET
    Content-Location: https://my_ip_adress/index.html
    Date: Sun, 21 May 2006 17:48:06 GMT
    Content-Type: text/html
    Accept-Ranges: bytes
    Last-Modified: Fri, 13 Jan 2006 15:31:30 GMT
    ETag: "c88406d5618c61:14d9"
    Content-Length: 447
    HTTPS: 489 bytes of encrypted data received
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "">
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    <frameset rows="*" cols="*" frameborder="NO" border="0" framespacing="0">
     <frame src="index.php" name="content">
    <body bgcolor="#FFFFFF" text="#000000">
    HTTPS: server disconnected
    Final handshake: 23 bytes sent successfully
    LVL 30

    Expert Comment

    A side note...these certificates come with some kind of one time re-issuance insurance. What you need to do is to generate a brand new CSR from your server and request another certificate(*.cer) from Globalsign. If they don't agree to re-issue the cert.. you're out of luck.. and need to purchase another one.
    LVL 13

    Expert Comment

    I agree with irwinpks
    remove all certificates and then create a new key and have cert provider provide a re-issue, esp since it looks like they misled you to begin with
    LVL 30

    Expert Comment

    cool. thank you!
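
A way to read a report like the SSLDiag output posted above after a re-install, as an added example that is not part of the thread or of SSLDiag: it parses the report and lists, per site, whether the bound certificate is expired, lacks a private key, or is still the old thumbprint. `parse_ssldiag`, `findings` and `expected_thumbprint` are hypothetical names, and the validity timestamps are assumed to be M/D/Y on the same clock as the "System time" line.

```python
import re
from datetime import datetime

# Excerpt of the SSLDiag report posted above (W3SVC/1 section).
SAMPLE = """\
System time: Sun, 21 May 2006 15:58:31 GMT
[ W3SVC/1 ]
SSLCertHash = 4b 35 8c 58 83 0c ed fc 8b ff ac bd 8b b1 47 f7 ab e4 4e ca
#You have a private key that corresponds to this certificate
#Validity: From 5/20/2005 8:37:40 AM To 5/20/2006 8:37:40 AM
"""
STAMP = "%m/%d/%Y %I:%M:%S %p"  # assumed M/D/Y, same clock as "System time"

def parse_ssldiag(text):
    """Return (system_time, {site: fields}) from an SSLDiag report."""
    now, sites, cur = None, {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("System time:"):
            now = datetime.strptime(line.split(":", 1)[1].strip(),
                                    "%a, %d %b %Y %H:%M:%S GMT")
        elif line.startswith("["):
            # Only [ W3SVC/<n> ] holds the binding; other sections reset cur.
            m = re.fullmatch(r"\[ (W3SVC/\d+) \]", line)
            cur = sites.setdefault(m.group(1), {"has_key": False}) if m else None
        elif cur is None:
            continue
        elif line.startswith("SSLCertHash ="):
            cur["thumbprint"] = line.split("=", 1)[1].replace(" ", "").lower()
        elif line.startswith("#You have a private key"):
            cur["has_key"] = True
        elif m := re.match(r"#Validity: From (.+?) To (.+)$", line):
            cur["not_after"] = datetime.strptime(m.group(2), STAMP)
    return now, sites

def findings(text, expected_thumbprint=None):
    """Reasons each site's bound certificate is not usable."""
    # expected_thumbprint (hypothetical): SHA-1 of the re-issued cert, hex.
    now, sites = parse_ssldiag(text)
    out = []
    for site, f in sorted(sites.items()):
        if "thumbprint" not in f:
            out.append(f"{site}: no certificate bound")
            continue
        if expected_thumbprint and f["thumbprint"] != expected_thumbprint:
            out.append(f"{site}: still bound to {f['thumbprint']}")
        if not f["has_key"]:
            out.append(f"{site}: no private key for the bound certificate")
        if now and "not_after" in f and now > f["not_after"]:
            out.append(f"{site}: expired {f['not_after']:%Y-%m-%d}")
    return out
```

Run against the posted report, `findings(SAMPLE)` reports only the expiry, which matches the thread: the site is still bound to the old certificate and its key, and the import of the new file never changed the binding.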
