Problem in binding SSL cert to 2012 WServer.

Jon Davidson asked
Binding new SSL certificate to WServer 2012 problem.
I built the request per:
https://www.digicert.com/util/csr-creation-microsoft-servers-using-digicert-utility.htm.  Handed the request off to our infrastructure team where they purchased the new SSL.  The Team has sent me the new SSL certificates where I renamed appropriately from a .txt extension to a .cer extension.

I have two test servers (and two prod servers) I need to update the SSL certificates for.   I have followed the steps outlined in this document for installing the SSL certificate:

I can see on the server IIS where the certificate has been updated to 10/9/2020 in the Server Certificates; however, if I look under the padlock on the client's URL, the expiry date is still set for:  10/24/2018.  How do I propagate this out to the client?  This is the first time I've done this, and I have four 2012 servers to update ASAP.  Any guidance would be appreciated.

Have you validated from an SSL checker rather than the client's internet program?


What does the response say here?
Jon Davidson, Developer/Nuclear Utility


The SSL test failed, "Unable to connect."

Are the systems behind a load balancer and has the pfx been loaded to them?

*** Edit ***  I'm assuming it failed as they are internal sites and not externally facing
Jon Davidson, Developer/Nuclear Utility


That assumption is correct.   After that failed test, I went to IIS  and clicked on the server in the left pane and double-clicked the server certificates and under the Action pane, I clicked on Create Certificate Request and created a csr file, and documented with screen shots every step I took.   I am doing this again to make sure
1.  Ensure the common name I used can be pinged.
2.  Wanted to make sure I was using the server software and not a downloaded digicert application.  
I don't have any experience doing this, so I am just trying to eliminate any place I could be making a mistake.   I am currently waiting on the new SSL certs for production and test.

I'll be fair in that I've only had to deal with this a few times.  The portions that got me were not having the load balancer updated with the pfx exported from the server.  The second was after I installed it in the main IIS panel I didn't set the port binding on the webpage correctly.

Is it possible when you did the port binding the certificate you selected was the old one and not the new?  If they have the same domain name then the drop down will list both of them.  Use view to see the certificate details for the right one.
Jon Davidson, Developer/Nuclear Utility


This website has not configured this form in the past.  I went to the production server, and the "Add Site Binding" app has not been used to configure the connection.
Something new I found.   Looking at the MMC
Console Root

The SSL cert I am trying to install, in the properties does NOT have the text:  
"You have a private key that corresponds to this certificate."  

  I need to install the cert with a private key.   This is a requirement of any single socket layer certificate.   I have been able to do as much, though it is NOT straightforward.
PROBLEM:   When I reboot the server, and I access the site remotely (inward facing server on large network), the dates for the View Certificate in the URL are NOT updating.  I could really use some help.   I've tried everything short of a registry hack.  
Surely someone has had this issue in the past with an SSL cert.  This does not run in the IIS.   It is powered by Apache Tomcat 7.0.
Developer/Nuclear Utility
Problem solved.   https://www.digicert.com/csr-ssl-installation/apache-openssl.htm

Who would have known you are required to M-A-N-U-A-L-L-Y edit an httpd.conf file?   Bet I never forget that again!  Cheers!
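    <VirtualHost *:443>
        DocumentRoot /var/www/html2
        ServerName www.yourdomain.com
        # Enable TLS for this virtual host and point it at the new certificate files
        SSLEngine on
        SSLCertificateFile /path/to/your_domain_name.crt
        SSLCertificateKeyFile /path/to/your_private.key
        SSLCertificateChainFile /path/to/DigiCertCA.crt
    </VirtualHost>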
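
An added check for the situation in this thread (not code from the original posts): it lists which certificate files each `<VirtualHost>` in an httpd.conf points at, compares the fingerprint of the new certificate file with the one the listener actually serves, and confirms the private key belongs to the certificate. The function names and the sample config are constructed for illustration.

```python
import hashlib
import re
import socket
import ssl

# Constructed sample, modelled on the httpd.conf snippet quoted in the thread.
SAMPLE_CONF = """\
<VirtualHost *:443>
    ServerName www.yourdomain.com
    SSLEngine on
    SSLCertificateFile "/path/to/your_domain_name.crt"
    SSLCertificateKeyFile /path/to/your_private.key
</VirtualHost>
<VirtualHost *:8443>
    ServerName test.yourdomain.com
    # SSLCertificateFile /path/to/old.crt
</VirtualHost>
"""
VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE = re.compile(r'^\s*(ServerName|SSLCertificate\w*File)\s+"?([^"\n]+?)"?\s*$', re.M | re.I)
PEM = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def tls_vhosts(conf_text):
    """Per <VirtualHost> address: the ServerName and certificate files Apache will load."""
    return {addr.strip(): dict(DIRECTIVE.findall(body))
            for addr, body in VHOST.findall(conf_text)}

def file_fingerprint(pem_path):
    """SHA-256 of the first certificate in a PEM file."""
    with open(pem_path) as fh:
        pem = PEM.search(fh.read()).group(0)
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

def served_fingerprint(host, port=443):
    """SHA-256 of the leaf certificate the listener presents to clients."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # inspection only: we hash the cert, we do not trust it
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()

def key_matches(cert_path, key_path):
    """True if the private key belongs to the certificate (OpenSSL verifies on load)."""
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(cert_path, key_path)
        return True
    except ssl.SSLError:
        return False
```

If `served_fingerprint(host)` differs from `file_fingerprint(new_cert)` after a restart, the listener is still loading another file, which is the symptom described above.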