• Status: Solved

switching SSLs in IIS6

I am hosting a site on a Windows 2k3 Standard R2 box with IIS6. This site had an SSL through Thawte that expires next month, but I don't want to renew it. I bought a new SSL from Netsol and was able to generate a CSR for it by temporarily removing the existing certificate, generating the CSR, and then putting the original Certificate back. When the Certificate was validated and issued, I then followed the instructions on this post: http://thelowedown.wordpress.com/2008/09/11/iis-ssl-certificates-switching-cas/ which shows you how to install a Certificate that does not have a pending request in IIS by doing it from the command line.

Specifically: certutil -addstore my <name of cert>

That was successful, and I also installed the Root and Intermediate certificates manually as I usually do in the MMC.

That was fine as well, and when I selected the certificate in the directory security properties of IIS to assign the new Cert to the website, it looks to work great. When I view the Certificate in there, it looks fine. However, it doesn't work when you try to access the domain via https://. It just acts like there is no cert installed and times out. I have rebooted the server, restarted IIS, and no change. When I reselect the old Certificate, that one still works great.

What can I do to get the new Certificate working (without generating a new CSR)?

Asked:
one2onelanc
1 Solution
 
Tray896 Commented:
Hmmm....yeah that's an odd way of doing things. What you should have done is generate the new cert on a completely separate website, then export/import it to the existing site.

Anyways, in this case here is what I would try to do. Open the Certificates MMC, and locate your new cert under the /Personal store. Try right clicking and exporting it to a .pfx. Once you have done that, you can go to your website in IIS, and try replacing the cert that is on there by importing the .pfx that you just created.
 
one2onelanc (Author) Commented:
Tried that. Export as a pfx is greyed out. I can export as the others, but not pfx. Any other thoughts?
 
Tray896 Commented:
Then it sounds like when you installed the cert you didn't click the checkbox that says 'mark this key as exportable.'

Honestly the quick and easy solution to this is just to re-issue your certificate. All of the 3rd party SSL providers offer this service, and it's free on all of them that I have seen. To do this you would need to create a whole new CSR. I would recommend doing that on a separate site....create a dummy one if you need to for this purpose. Install the cert to the dummy site (mark it as exportable), export it to pfx, then import it to your production site.
 
one2onelanc (Author) Commented:
Tray,

Your comment got me thinking. It didn't give me an option to mark it as exportable because it was command line. But perhaps one of the command lines didn't succeed 100% as I thought. So, I removed the certificate from the MMC, redid the command lines, reinstalled it, and then selected it for the domain and now it works great. I guess it actually failed to install 100% the first time I tried.

I much prefer this method to making dummy sites and re-issuing CSRs (which can take a week to be validated).  So I am very happy it worked.  Thanks!
 
one2onelanc (Author) Commented:
Thanks!
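
A diagnostic for the symptom described in this thread (the certificate is selectable in IIS, PFX export is greyed out, HTTPS times out), added here as an example and not posted by either participant. It assumes the cause was a certificate sitting in the Personal store without its private key bound, which the thread suggests but does not confirm; the function name `Get-CertKeyStatus` is hypothetical.

```powershell
# Added example, not from the thread. Reports, for every certificate in a
# machine store, whether a private key is bound to it and whether that key
# is marked exportable. Needs PowerShell 2.0 or later, run as Administrator.
function Get-CertKeyStatus {
    param(
        [string]$StoreName = 'My',
        [System.Security.Cryptography.X509Certificates.StoreLocation]$StoreLocation = 'LocalMachine'
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $StoreLocation)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        foreach ($cert in $store.Certificates) {
            $state = 'NoPrivateKey'      # cert only: IIS cannot complete a TLS handshake
            $exportable = $null          # $null means "could not be determined"
            if ($cert.HasPrivateKey) {
                try {
                    # Opening the key proves the container exists and is readable.
                    $key = $cert.PrivateKey
                    if ($key -eq $null) { throw 'key container not available' }
                    $state = 'KeyBound'
                    if ($key.CspKeyContainerInfo) {
                        $exportable = $key.CspKeyContainerInfo.Exportable
                    }
                } catch {
                    # The store points at a key container that is missing or unreadable.
                    $state = 'KeyUnreadable'
                }
            }
            New-Object PSObject -Property @{
                Subject      = $cert.Subject
                SerialNumber = $cert.SerialNumber
                NotAfter     = $cert.NotAfter
                KeyState     = $state
                Exportable   = $exportable
            }
        }
    } finally {
        $store.Close()
    }
}

# A certificate showing NoPrivateKey or KeyUnreadable is the one to fix.
# certutil -repairstore my "<serial number>" re-associates a certificate
# with its key when the key still exists on this machine.
Get-CertKeyStatus | Format-Table Subject, SerialNumber, NotAfter, KeyState, Exportable -AutoSize
```

`KeyBound` with `Exportable` false explains a greyed-out PFX export on its own and does not stop IIS from serving the certificate; `NoPrivateKey` explains both symptoms.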