IIS8 SSL Centralized Certificates using wrong certificates

Server is windows 2012 Standard with IIS8.

We are trying to use the central certificate store for SSL certificates.

Initially we had 1 site (site1.com) with an SSL cert, and in the bindings we selected the certificate; we were not using CCS. This worked fine.

We put a second site (site2.com) on the server that would need SSL. So I generated the cert for this site, and then created .pfx certificates from the server for both websites.

I put both certificates in a file share, gave access to the web service account, and configured the CCS settings to point to the file share, use that account to log in, and use the Certificate Private Key Password.

When I open Centralized Certificates on the web server, both certificates are listed.

All the appropriate information shows up in the other columns.

I then switched the binding on both sites to Require Server Name Indication and Use Centralized Certificate Store.

Site 1 has:
https    site1.com        443    *

Site 2 has:
https    site2.com        443    *
https    www.site2.com    443    *

Once this was done, Site2 would come up fine over HTTPS. Site1 would come up with a name mismatch, and when you looked at the certificate it said it was using Site2's certificate.

I tried removing Server Name Indication, same result.

I tried restarting IIS, and rebooting the server entirely. Same result.

I then deleted the site2 certificates from the CCS file share and from the server certificate manager, and rebooted.
In the CCS configuration the Site2 certificate is gone.

Site1 still shows the name error. I am not sure how it's even still using site2's certificate.

If I edit the https binding for site1.com, remove the Use Centralized Certificate Store option, and select the SSL certificate directly, it works fine.

If I turn CCS back on, with or without SNI, I get the name mismatch and it shows as using site2's certificate.

I'm looking to get this running so I can have multiple SSL/HTTPS sites on this server, and I'm not sure where I went wrong, or how it's still using a cert I deleted.

hennesseyj (Author) Commented:
Even better.
When I run the DigiCert® SSL Installation Diagnostics Tool:

site1.com gets "Certificate does not match name".

sub1.site1.com gets all green and shows the correct name.
David Johnson, CD, MVP (Owner) Commented:
What is the common name of the certificate?

site1.com? *.site1.com? sub1.site.com?
hennesseyj (Author) Commented:
Friendly Name: site1.com
Subject Alternative Name: *.site1.com,site1.com

In CCS it shows:
Filename: _.site.com.pfx
Name: Site1.com
Issued to: CN=*site1.com

On the https binding for Site1 I have:
Host Name: site.com
Require SNI

On the https binding for sub1.site1 I have:
Host Name: sub1.site1.com
Require SNI
hennesseyj (Author) Commented:
Copying _site1.com.pfx to site1.com.pfx and having both in the CCS file store seems to have fixed the problem.

In CCS it shows the following:
File Name            Name         Issued To
_site1.com.pfx       site1.com    CN=*.site1.com
site1.com.pfx        site1.com    CN=*.site1.com
site2.com.pfx                     CN=site2.com
www.site2.com.pfx                 CN=site2.com

All of the sites load without errors, and the DigiCert® SSL Installation Diagnostics Tool shows all the information correctly.

If I remove the site1.com.pfx file, I get an error saying there is no SSL cert. When I put it back, it verifies correctly again.

I found no direct reason that site1.com was trying to use Site2.com's SSL cert, but that particular issue seems to have cleared, either through time or through the correct application of the site1.com.pfx file.
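The fix above hinges on how CCS selects a .pfx: it looks up a file named after the requested host name (site1.com.pfx), falling back to a wildcard file whose `*` is written as `_` (_.site1.com.pfx), so a wildcard file alone can serve sub1.site1.com but never the bare site1.com, whatever the certificate's SAN says. The script below is an added example, not part of the thread or of IIS; it models that lookup (the exact-then-wildcard order and the `_` convention are assumptions from the documented naming scheme) and audits the bindings from the question against the share before and after site1.com.pfx was added.

```python
from typing import Optional, Iterable, Dict, List, Set

# Assumed CCS lookup model (not IIS code): exact "<host>.pfx" first, then the
# one-label wildcard file "_.<parent>.pfx", where "_" stands in for "*".

def ccs_candidates(hostname: str) -> List[str]:
    """Return the .pfx file names CCS would try for `hostname`, in order."""
    host = hostname.strip().lower().rstrip(".")
    names = [f"{host}.pfx"]
    labels = host.split(".")
    if len(labels) >= 2:
        # A wildcard covers exactly one label, so the apex site1.com would
        # need "_.com.pfx": the wildcard file _.site1.com.pfx cannot serve it.
        names.append("_." + ".".join(labels[1:]) + ".pfx")
    return names

def resolve(hostname: str, store: Iterable[str]) -> Optional[str]:
    """Pick the first candidate file present in the CCS share, or None."""
    files = {f.lower() for f in store}
    for candidate in ccs_candidates(hostname):
        if candidate in files:
            return candidate
    return None

def audit(hosts: Iterable[str], store: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map every bound host name to the file CCS would serve, or None."""
    return {h: resolve(h, store) for h in hosts}

# Constructed shares mirroring the thread: before and after the extra copy.
BEFORE: Set[str] = {"_.site1.com.pfx", "site2.com.pfx", "www.site2.com.pfx"}
AFTER: Set[str] = BEFORE | {"site1.com.pfx"}
BOUND_HOSTS = ["site1.com", "sub1.site1.com", "site2.com", "www.site2.com"]

if __name__ == "__main__":
    for label, store in (("before", BEFORE), ("after", AFTER)):
        for host, pfx in audit(BOUND_HOSTS, store).items():
            print(f"{label:6} {host:16} -> {pfx or 'NO MATCH: add ' + host + '.pfx'}")
```

Any binding that reports NO MATCH is one that CCS cannot satisfy from the share, which is the state site1.com was in before the site1.com.pfx copy existed.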

hennesseyj (Author) Commented:
I was able to experiment with the server until I found a solution that fixed my problem.