Why does IIS continue to show an old certificate?

On one of our servers, we have a number of sites which share an IP and SSL using a wildcard (sitename.encryptedsecure2.com), with the SSL cert common name *.encryptedsecure2.com.  This has worked very well for years.

Every year I renew our SSL certificate.  Typically a very simple process to generate the renewal and then process it through godaddy.

This year, godaddy is no longer generating 1024bit certs, and I couldn't change the bit depth during the renewal, so I generated a new certificate instead.  All the information (except for bit depth) was the same as the previous cert.

When I look at the certificate properties from the IIS admin (view certificate) it has the correct date, expiring in 2010. However, whenever I browse to the page, I get the old cert instead (2009).

The 2009 cert is expiring in 1 day.

We have also tried:
- rebooting
- changing the SSL cache timeout to 2 minutes (http://technet.microsoft.com/en-us/library/cc781248(WS.10).aspx)
- verified that the certificate checksum is the same between IIS properties (view certificate) and the certificate store (personal)
- loading in the new godaddy intermediates, etc (http://help.godaddy.com/article/4875)

However, it continues to only use the 2009 cert.  If I delete the 2009 cert, the sites break and I can't get them going again with a new cert.

It's like something is preventing IIS from using the new certs, and hanging onto the old cert, but I can't figure out what.  Help!
Asked by modernearth2

modernearth2 (Author) commented (accepted solution):
Hi - ok, we figured it out.

We are using a wildcard cert, and have multiple sites sharing the IP address.

We needed to STOP all the sites and then start them again.

My guess - the host headers are encrypted and need to be decrypted before IIS can determine what site to send the visitor to, and was therefore using one of the old certificates which was assigned to one of the other sites which still had the old cert.

Stopping all sites and then restarting them all cleared it.  (Had tried multiple IIS restarts which didn't work, but this does).

Thanks to everyone for assistance.
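The accepted answer above describes the mechanism that makes "stop everything, then start everything" work: before SNI, the TLS handshake completes before IIS can read the Host header, so every site sharing one IP:port uses a single http.sys SSL binding, and that binding carries whichever certificate was registered when the first site on that IP:port started. The PowerShell below is an added diagnostic, not code from the question or any of the answers. It assumes the WebAdministration module (IIS 7 or later; on IIS 6 the equivalent of the netsh step is `httpcfg query ssl`), uses the hostname from the question, and takes `0.0.0.0:443` as a placeholder for the shared IP:port. It compares three things that the poster was comparing by hand: the thumbprint http.sys actually has bound, the certificates in the machine store, and the certificate a client really receives in the handshake.

```powershell
# Added diagnostic for a shared-IP wildcard certificate that "won't update".
# Assumptions: WebAdministration module available (IIS 7+), server reachable
# on $HostName:$Port, and $IpPort is the IP:port the https sites share.
param(
    [string]$HostName = 'sitename.encryptedsecure2.com',  # hostname from the question
    [string]$IpPort   = '0.0.0.0:443',                    # placeholder; use the real shared IP:port
    [int]$Port        = 443
)

Import-Module WebAdministration

# 1. Which certificate does http.sys have bound to the shared IP:port?
#    Every site on this IP:port serves THIS certificate, whatever the site's
#    own properties say, because the handshake happens before host-header routing.
$bound = (netsh http show sslcert ipport=$IpPort) | ForEach-Object {
    if ($_ -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]+)') { $Matches[1].ToUpper() }
}
"http.sys binding for $IpPort : $bound"

# 2. Which certificates for the wildcard name are in the machine store, and when do they expire?
#    Two entries with the same subject but different NotAfter is the old/new pair.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*encryptedsecure2.com*' } |
    Select-Object Thumbprint, NotAfter, Subject |
    Format-Table -AutoSize

# 3. Which sites share the https binding? All of these are affected together.
Get-WebBinding -Protocol https | Select-Object ItemXPath, bindingInformation

# 4. What does a client actually receive? This is what the browser sees,
#    independent of any browser-side SSL state cache.
function Get-ServedCertificate {
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any chain here: the goal is to inspect the certificate, not to trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        # Copy into X509Certificate2 so Thumbprint/NotAfter are available after the stream closes
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
        return $cert
    } finally {
        $tcp.Close()
    }
}

$served = Get-ServedCertificate -HostName $HostName -Port $Port
"Served to clients: $($served.Thumbprint)  expires $($served.NotAfter)"

# 5. Interpret the result. If the served/bound thumbprint is the expiring one while the
#    site's own properties show the renewed one, the stale http.sys binding is the cause:
#    stop every site that shares $IpPort, then start them all, as the accepted answer did.
if ($served.Thumbprint -ne $bound) {
    Write-Warning "Served certificate ($($served.Thumbprint)) differs from the http.sys binding ($bound); re-run after the sites are stopped and started."
} elseif ($served.NotAfter -lt (Get-Date).AddDays(14)) {
    Write-Warning "Clients are receiving a certificate that expires $($served.NotAfter); stop all sites on $IpPort and start them again so the binding picks up the renewed certificate."
} else {
    "Served certificate matches the binding and is not near expiry."
}
```

Run it once before and once after stopping and starting the sites: the "Served to clients" thumbprint should change to the renewed certificate's thumbprint from step 2, and a single `iisreset` alone not changing it is exactly the symptom the question describes.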
James Murrell (Product Specialist) commented:
Have you completely removed the old certificate from the Local machine certificate store on your server? If it is removed from there then there's no way IIS can still be using the old certificate. You can also try clearing the SSL state from your browser if you are using IE.
farazhkhan commented:
Hi,

Have you completely removed the old certificate from the Local machine certificate store on your server? If it is removed from there then there's no way IIS can still be using the old certificate. You can also try clearing the SSL state from your browser if you are using IE.

How to troubleshoot problems accessing secure Web pages with Internet Explorer 6 Service Pack 2: http://support.microsoft.com/kb/870700

And you could also try running SSLDiag if you are still unable to resolve the issue.

SSL Diagnostics Version 1.1 (x86): http://www.microsoft.com/downloads/details.aspx?familyid=cabea1d0-5a10-41bc-83d4-06c814265282&displaylang=en

Courtesy: http://forums.iis.net/t/1154007.aspx

Regards,
Faraz H. Khan
modernearth2 (Author) commented:
Yes, I tried removing the cert (after I exported it as a backup).

Browsers would then get an error accessing the page - it still wasn't using the cert which it says was attached.

Remember - IIS "view certificate" shows the right certificate, but doesn't actually send the right cert to browsers.  I have completely reset the cert states on browsers (as well as using multiple browsers/PCs).