Problem installing a new SSL ServerSign because the old one has expired

Posted on 2006-05-21
Medium Priority
Last Modified: 2008-01-09

Actually my Serversign certificate for my domain has expired.
But I already asked for a new one a couple of weeks ago. The company Globalsign suggested to me a new one and not a renewal of the old one because I should have to migrate my web site to another webserver (with another IP address).
Then I received the new one (a file called cert_1112.pem).
I installed it as suggested by renaming it cert_1112.crt and clicked on the button 'install certificate'. I thought everything was ok because I received the message 'The import was successful' BUT in fact nothing happened.

In fact, we decided not to migrate from one server to another and to stay on the actual server. And then my certificate has of course expired.

If I'm trying to install it through the IIS panel and the 'web server certificate wizard', the only choice is 'Prepare the request now, but send it later'. But the request was already done as explained above but not from this wizard.
Then what do I have to do now? It's very urgent!!!
Question by:yougy
LVL 30

Accepted Solution

Irwin Santos earned 2000 total points
ID: 16728725
Remove the original certificate 1st... restart server..install new certificate.


Turn your "new" certificate in for a renewal instead and apply that update.

Author Comment

ID: 16728810
I already removed it, restarted the web server but it's all the time the same choice with the 'web server certificate wizard'
- Create a new certificate (and then 'prepare the request now, but send it later' suggestion)
- assign an existing certificate (with the expired certificate)
- import a certificate from a key manager backup file

Your second solution is not working. I renamed the new one with the cer extension and it's not accepted

LVL 30

Expert Comment

by:Irwin Santos
ID: 16728823
Download and use the SSLDIAG tool from Microsoft.  It should help you reveal what's going on with the current SSL cert, versus the installation. Post your results.
Author Comment

ID: 16729042
Here is the log from ssldiag tool

System time: Sun, 21 May 2006 15:58:31 GMT
ModuleFileName: C:\Program Files\IIS Resources\SSLDiag\SSLDiag.exe
OS: Windows 2000 Service Pack 4
IIS5 - World Wide Web Publishing (W3SVC) service is installed

[ HKLM\System\CurrentControlSet\Services\InetInfo\Parameters ]
CertChainCacheOnlyUrlRetrieval = True(default)
CheckCertRevocation = False(default)
CertChainCheckUsage = False(default)
sspifilt.dll loaded into process 1312 (inetinfo.exe)

[ SChannel Info ]
CacheSize = 10000
Entries = 1
ActiveEntries = 1

[ W3SVC/1 ]
ServerComment = Default Web Site
ServerAutoStart = True
ServerState = Server started
SslCtlStoreName = CA
SslCtlIdentifier = {6CBDBCB6-44AC-4B10-9BD0-714C24CCE303}
#Could not impersonate server account
SSLCertHash = 4b 35 8c 58 83 0c ed fc 8b ff ac bd 8b b1 47 f7 ab e4 4e ca
SSLStoreName = MY
#CertName = www.xxx.com
#You have a private key that corresponds to this certificate
#ProvName='Microsoft RSA SChannel Cryptographic Provider' ProvType=PROV_RSA_SCHANNEL KeySpec=AT_KEYEXCHANGE
#Subject: C=BE, S=Brussels, L=Brussels, O=xxx sprl, OU=XXX sprl, CN=www.xxx.com
#Issuer: C=BE, O=GlobalSign nv-sa, OU=ServerSign CA, CN=GlobalSign ServerSign CA
#Validity: From 5/20/2005 8:37:40 AM To 5/20/2006 8:37:40 AM
SecureBindings =

[ W3SVC/1/CTL ]
Cert count = 1
Cert_1 = GlobalSign Root CA

[ W3SVC/1/Root ]
AccessSSLFlags = 0 (0x0)

Author Comment

ID: 16729364
When I simulate a SSL handshake with this tool, here is the result :

System time: Sun, 21 May 2006 17:47:51 GMT
Connecting to my_ip_adress:443
Handshake: 78 bytes sent
Handshake: 2973 bytes received
Handshake: 118 bytes sent
Handshake: 43 bytes received
Handshake succeeded
Verifying server certificate, it might take a while...
#WARNING:Error 0x800b0101 : The server certificate is expired
#WARNING:Error 0x80092013
Server certificate name: www.xxx.com
Server certificate subject: C=BE, S=Brussels, L=Brussels, O=xxx sprl, OU=xxx sprl, CN=www.xxx.com
Server certificate issuer: C=BE, O=GlobalSign nv-sa, OU=ServerSign CA, CN=GlobalSign ServerSign CA
Server certificate validity: From 5/20/2005 8:37:40 AM To 5/20/2006 8:37:40 AM
HTTPS request:
GET / HTTP/1.0
User-Agent: SSLDiag
HTTPS: 72 bytes of encrypted data sent
HTTPS: 339 bytes of encrypted data received
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-Powered-By: ASP.NET
Content-Location: https://my_ip_adress/index.html
Date: Sun, 21 May 2006 17:48:06 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Fri, 13 Jan 2006 15:31:30 GMT
ETag: "c88406d5618c61:14d9"
Content-Length: 447
HTTPS: 489 bytes of encrypted data received
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<frameset rows="*" cols="*" frameborder="NO" border="0" framespacing="0">
 <frame src="index.php" name="content">
<body bgcolor="#FFFFFF" text="#000000">
HTTPS: server disconnected
Final handshake: 23 bytes sent successfully
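
Added example, not part of the original thread: a small Python triage of the two SSLDiag outputs posted above, showing that the certificate still bound to W3SVC/1 is the expired one (with its private key present) and naming the two handshake error codes. The sample text is a constructed excerpt of the posted logs, the HRESULT names are the standard Windows ones rather than anything SSLDiag printed, and the date comparison assumes time-zone differences of a few hours do not matter.

```python
import re
from datetime import datetime

# Constructed sample: lines excerpted from the two SSLDiag outputs in this thread.
REPORT = """\
System time: Sun, 21 May 2006 15:58:31 GMT
[ W3SVC/1 ]
SSLCertHash = 4b 35 8c 58 83 0c ed fc 8b ff ac bd 8b b1 47 f7 ab e4 4e ca
SSLStoreName = MY
#You have a private key that corresponds to this certificate
#Issuer: C=BE, O=GlobalSign nv-sa, OU=ServerSign CA, CN=GlobalSign ServerSign CA
#Validity: From 5/20/2005 8:37:40 AM To 5/20/2006 8:37:40 AM
SecureBindings =
"""
HANDSHAKE = """\
#WARNING:Error 0x800b0101 : The server certificate is expired
#WARNING:Error 0x80092013
"""

# Standard Windows HRESULT names (not printed by SSLDiag itself).
HRESULTS = {0x800B0101: "CERT_E_EXPIRED",
            0x80092013: "CRYPT_E_REVOCATION_OFFLINE"}

def triage_report(text):
    """Extract facts about the certificate bound to the site in an SSLDiag report."""
    sys_time = re.search(r"^System time: (.+) GMT$", text, re.M).group(1)
    now = datetime.strptime(sys_time, "%a, %d %b %Y %H:%M:%S")
    validity = re.search(r"^#Validity: From (.+?) To (.+)$", text, re.M)
    not_before, not_after = (
        datetime.strptime(s.strip(), "%m/%d/%Y %I:%M:%S %p") for s in validity.groups())
    thumb = re.search(r"^SSLCertHash = ([0-9a-f ]+)$", text, re.M).group(1)
    return {
        "thumbprint": thumb.replace(" ", ""),
        "expired": now > not_after,
        "days_expired": (now - not_after).days,
        "not_yet_valid": now < not_before,
        # Without this marker the bound certificate has no usable private key.
        "has_private_key": "#You have a private key" in text,
    }

def handshake_errors(text):
    """Return (code, name) for every #WARNING error in a handshake log."""
    codes = re.findall(r"^#WARNING:Error (0x[0-9a-fA-F]+)", text, re.M)
    return [(c.lower(), HRESULTS.get(int(c, 16))) for c in codes]

if __name__ == "__main__":
    print(triage_report(REPORT))
    print(handshake_errors(HANDSHAKE))
```

After a replacement certificate is actually bound, the same report should show a different `SSLCertHash` and `expired` should be false.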
LVL 30

Expert Comment

by:Irwin Santos
ID: 16730653
LVL 30

Expert Comment

by:Irwin Santos
ID: 16730657
A side note...these certificates come with some kind of one time re-issuance insurance. What you need to do is to generate a brand new CSR from your server and request another certificate(*.cer) from Globalsign. If they don't agree to re-issue the cert.. you're out of luck.. and need to purchase another one.
LVL 13

Expert Comment

ID: 16735703
I agree with irwinpks.
Remove all certificates and then create a new key and have cert provider provide a re-issue, esp since it looks like they misled you to begin with.
LVL 30

Expert Comment

by:Irwin Santos
ID: 16736309
cool. thank you!
