• Status: Solved

IIS8 SSL Centralized Certificates using wrong certificates

Server is windows 2012 Standard with IIS8.

We are trying to use the central certificate store for SSL certificates.

Initially we had 1 site (site1.com) with a SSL cert, and in the bindings we selected the certificate, we were not using CCS. This worked fine.

We put a second site (site2.com) on the server that would need SSL. So I generated the cert for this site, and then created .pfx certificates from the server for both websites.

I put both certificates in a file share, gave access to the web service account, and configured CCS settings to go to the file share, use the account to login, and with the Certificate Private Key Password.

When I open the Centralized Certificates on the web server both certificates were listed.

All the appropriate information shows up in the other columns.

I then switched the binding on both sites to have require Server Name Indication, and Use Centralized Certificate Store.

Site 1 has
https     site1.com     443     *

Site 2 had
Https     site2.com    443      *
Https   www.site2.com     443    *

Once this was done Site2 would come up fine through HTTPS. Site1 would come up with a name mismatch, and when you looked at the certificate it said it was using Site2's certificate.

I tried removing Server Name Indication, same result.

I tried restarting the IIS server, and rebooting the server entirely. Same result.

I then deleted the site2 certificates from the CCS file share, and in the server certificate manager. Rebooted.
In CCS configuration Site2 certificate is gone.

Site1 still shows the name error. I am not sure how it's even still using site2's certificate.

If I switch the https binding for site1.com, and remove the Use Centralized Certificate store option, and select the SSL certificate directly it works fine.

If I turn CCS back on, with or without SNI, I get the name mismatch and it shows as using site2's certificate.

I'm looking to get this running so I can have multiple SSL/HTTPS sites running on this server, and I'm not sure where I went wrong, or how it's still using a cert I deleted.
1 Solution
hennesseyj (Author) Commented:
Even better.
When I run DigiCert® SSL Installation Diagnostics Tool

site1.com gets Certificate does not match name

sub1.site1.com gets all green and shows the correct name.
David Johnson, CD, MVP (Owner) Commented:
what is the common name of the certificate?

site1.com ? *.site1.com sub1.site.com?
hennesseyj (Author) Commented:
Friendly Name: site1.com
Subject Alternative Name: *.site1.com,site1.com

In CCS it shows
Filename:  _.site.com.pfx
Name: Site1.com
Issued to: CN=*site1.com

On the Https binding for Site1 I have
Host Name: site.com
Require SNI

On the Https bindings for sub1.site1 I have
Host Name: sub1.site1.com
Require SNI
hennesseyj (Author) Commented:
copying the _site1.com.pfx to site1.com.pfx and having both in the CCS file store seems to have fixed the problem.

In CCS it shows the following
File Name          | Name       | Issued To
_site1.com.pfx     | site1.com  | CN=*.site1.com
site1.com.pfx      | site1.com  | CN=*.site1.com
site2.com.pfx      |            | CN=site2.com
www.site2.com.pfx  |            | CN=site2.com

All of the sites load without errors, and the DigiCert® SSL Installation Diagnostics Tool shows all the information correctly.

If I remove the site1.com.pfx file, I get an error saying there is no SSL cert. When I put it back it again verifies correctly.

I found no direct reason that site1.com was trying to use Site2.com's SSL cert, but that particular issue seems to have cleared, either through time or through the correct application of the site1.com.pfx file.
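The fix above comes down to how CCS maps a binding's host name onto a file name in the store. The following is an added example (not code from the thread or from IIS) that models the lookup order IIS documents for CCS, which is assumed here to be: the exact `host.pfx` first, then the one-level wildcard `_.parent.pfx`. Running it against the constructed file lists before and after the fix shows why `_.site1.com.pfx` alone covers `sub1.site1.com` but not the apex `site1.com`:

```python
"""Check which Central Certificate Store (CCS) file IIS would pick for each SNI binding."""
from typing import Dict, Iterable, List, Optional


def ccs_candidates(host: str) -> List[str]:
    """File names IIS checks for a host name, in lookup order (assumed per CCS docs):
    the exact name (host.pfx), then the wildcard file for the parent domain
    (_.parent.pfx). The apex 'site1.com' therefore only falls back to '_.com.pfx',
    which is why '_.site1.com.pfx' on its own does not serve it."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    candidates = [f"{host}.pfx"]
    if len(labels) > 1:
        candidates.append("_." + ".".join(labels[1:]) + ".pfx")
    return candidates


def resolve_bindings(bindings: Iterable[str], store_files: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each binding host name to the CCS file it resolves to, or None if no file matches."""
    files = {f.lower() for f in store_files}
    return {host: next((c for c in ccs_candidates(host) if c in files), None) for host in bindings}


def report(resolution: Dict[str, Optional[str]]) -> List[str]:
    """One human-readable line per binding; unresolved bindings are flagged loudly."""
    return [
        f"{host}: {chosen}" if chosen else f"{host}: NO MATCHING CCS FILE (binding gets no certificate)"
        for host, chosen in resolution.items()
    ]


# Constructed sample: the bindings and store contents described in the thread.
BINDINGS = ["site1.com", "sub1.site1.com", "site2.com", "www.site2.com"]
STORE_BEFORE = ["_.site1.com.pfx", "site2.com.pfx", "www.site2.com.pfx"]   # wildcard file only
STORE_AFTER = STORE_BEFORE + ["site1.com.pfx"]                              # copy added for the apex

if __name__ == "__main__":
    for label, store in (("before fix", STORE_BEFORE), ("after fix", STORE_AFTER)):
        print(f"== {label} ==")
        for line in report(resolve_bindings(BINDINGS, store)):
            print(line)
```

Pointing `STORE_BEFORE` at the real share (for example via `os.listdir`) turns this into a quick pre-flight check that every SNI binding has a file CCS can find.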
hennesseyj (Author) Commented:
I was able to experiment with the server till I found a solution that fixed my problem.