Disappearing SSL certificates from IIS 7.0 manager


“I install an SSL server certificate using the ‘Complete Certificate Request’ wizard in IIS manager and when I refresh the view the certificate disappears.”

I have heard that a couple of times, and every time I used to go “What?” until someone showed it to me.

If you are one of those who are wondering about this, read on.

The Server Certificates module in IIS manager displays a list of certificates from the Local Machine SSL store.

But it only lists the certificate if:

1. The certificate has a private key

2. The certificate is meant for Server Authentication

And this is where the disappearing act occurs.

IIS Manager enumerates all the extensions of the certificate and checks whether OID 2.5.29.37 (Extended Key Usage, which the Windows certificate UI labels Enhanced Key Usage) exists. If it does, the certificate's Enhanced Key Usage section must contain 1.3.6.1.5.5.7.3.1 (Server Authentication); otherwise the certificate is not listed.

In the repro I was shown, the user had actually downloaded the intermediate certificate and used that .cer file to complete the certificate request. In this case the wizard will go through all the steps, but when you refresh the view the certificate will not be listed.


  • Hi there, I had the same issue as mentioned in your post. I have found a solution whereby you need to export the certificate from the certificates.msc console to a certificate.pfx file. Please make sure to export it with a private key and password protect it. Once this is done you can import the certificate in IIS by using the import option instead of complete certificate request. This keeps the certificate in the server certificates console and you can bind the website to the certificate.

    Regards,

    Pawel

  • When I try exporting my cer file as pfx in the mmc, the pfx option is greyed out :( Anyone else had this problem?

  • I had the same problem. Once I had the cert re-issued with a new request key it worked.

  • I've found the problem can be reproduced when the leaf certificate has been installed under Intermediate Certification Authorities.  Removing it (and leaving any real intermediate, if applicable) then completing the wizard corrects the problem.

  • I had the same problem.  I was missing the private key in my certificate.  I wrote instructions on how to resolve this issue here: nickstips.wordpress.com/.../iis-disappearing-ssl-certificate-problem-resolved

  • My solution was found by changing the files I had to a .pfx file and importing it, go to the following: nickstips.wordpress.com/.../sql-ssl-and-sql-server-2008-creating-the-certificate

  • OR it could be the cert (Network solutions is notorious for this as they charge $150 for helping to install it) doesn't actually have a private key.  Here are instructions to make the PFX if you have no private key.

    To fix this, use the MMC snapin to import the cert into PERSONAL, click it and grab the serial # line.  Go to dos, run certutil -repairstore my "paste the serial # in here" (you need the quotes) then refresh MMC with personal certs, right click it - export - select everything except DELETE PRIVATE KEY, hit ok.  Then go to IIS and IMPORT cert instead of finish request.

    bingo - fixed.

    And bite me netsol.

  • You are the best, pixelloa!

    And I second your statement about netsol

  • pixelloa, your suggestion worked.

    Nice one, thanks.

  • Hello pixelloa

    Can you please tell me how I can use certutil -repairstore?

    Thanks,

    Parikh

  • If anyone is still watching this thread... I came across this with a digicert cert as well. What I did was import it anyway into IIS. After adding it, but before it disappeared I right-clicked and selected view on the cert, went to the Details tab, and selected copy to file. Selected to export the private key, and assigned a password. Then I refreshed (cert was gone) and re-imported the now .pfx cert and entered the password.

    Worked like a charm.

    1. Import cert anyway

    2. Right-click > View

    3. Details tab > Copy to File

    4. Export PK, assign password, export as .pfx

    5. Import new .pfx

  • I found that this happened on one of our WFEs for Sharepoint. The two WFEs load-balanced the same name but I'd only submitted a certificate request from one of the WFEs for that common name. You have to do two separate ones (one from each server) and submit them - so even though both are referred to by the same DNS name, the requests are distinctly different. Once done, you can add each individual certificate to IIS and the problem disappears (rather than your certificates!)

  • Thanks to pixelloa for the path forward to solving this rather obtuse problem.
