Windows Server 2008 R2, IIS7. We have an SSL cert from Go Daddy. It's a wildcard cert, so it will work across subdomains (e.g. *.domain.com). I followed the instructions located at http://help.godaddy.com/topic/742/article/4801 for installing the certificate. I get to the IIS step, where I:
- Click on "Security Certificates" feature when the server is selected in the left pane
- Click on "Complete Certificate Request"
- Navigate to the .crt file on the file system
- Give it a "friendly" name, click finish
The cert gets listed on the main pane now of this "Server Certificates" panel. But, if I refresh the page, or navigate away and come back, it's gone. And the cert is not listed as a viable binding when trying to bind a site to https.
This seems like a pretty straightforward process, but clearly I'm missing something here. Any ideas?
EDIT: I found this post, which seems to imply this behavior happens when you try to use the intermediate certificate. When I downloaded the files from GoDaddy, there were 2 in a zip file. 1 was the gd_iis_intermediates, the other was named for the domain. I installed the domain one (extension .crt). There didn't seem to be any other option - installing the other from IIS gives an error "Cannot find the certificate request that is associated with this certificate file. A certificate request must be completed on the computer where the request was created".
That being said, there doesn't appear to be any other download I can use.
There was also mention, in the comments (and elsewhere after googling) of "exporting" the cert as a pfx, and installing that. But I can't figure out how to export it - even through certmgr.msc.
I should also mention this cert is installed on another computer running IIS6 (this IIS7 installation is meant to be a failover, plus the primary while we upgrade the IIS6 to IIS7). But I can't figure out how to export it from that computer either.
-
Try exporting the certificate from the IIS6 server using these instructions: http://www.sslshopper.com/move-or-copy-an-ssl-certificate-from-a-windows-server-to-another-windows-server.html
That will ensure that the certificate has a private key.
Matt : The option to export the private key is grayed out, saying it was marked as "unexportable"
Matt : Come to think of it, the fact it was marked as unexportable is probably why this certificate didn't get migrated over during the msdeploy migration of the server ... hmm
Robert : If you aren't able to find a server where the certificate is exportable, you will need to generate a new CSR and have GoDaddy reissue/re-key it to get a new matching certificate.
From Robert -
I'm in the same situation but this is first time we went with Go Daddy and we don't have an existing certificate to export.
Any help appreciated as we are stuck.
From West -
The certificate was not exportable, so I was unable to use Robert's suggestion. Ultimately, I had to rekey the certificate at the Go Daddy account management page, and install it on both servers again. Some of the options during the wizard for the install on IIS6 were grayed out for me, and my initial attempt on that server failed. I ended up installing the certificate on the new server (IIS7), and then exporting that certificate in a .pfx format, and then importing that version into the IIS6 installation. At which point everything started working.
From Matt -
I've found the problem can be reproduced when the leaf certificate has been installed under Intermediate Certification Authorities. Removing it (and leaving any real intermediate, if applicable) then completing the wizard corrects the problem.
From Ryan Fox -
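One way to check for the two conditions raised in the answers above (a certificate with no matching private key on this machine, and a leaf certificate sitting in Intermediate Certification Authorities). This is an added example, not part of the original thread; the `.crt` path is a placeholder and the script only reads the local machine certificate stores.

```powershell
# Added example: explain why a "completed" certificate vanishes from IIS Server Certificates.
# Run in an elevated PowerShell prompt on the IIS server.
param(
    # Placeholder path: the domain .crt downloaded from the CA.
    [string]$CrtPath = 'C:\certs\domain.crt'
)

$fullPath = (Resolve-Path $CrtPath).Path
$leaf     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $fullPath
$pubKey   = $leaf.GetPublicKeyString()

function Find-ByPublicKey([string]$StoreName) {
    # Match on public key, not thumbprint: a pending request is a different
    # certificate object that carries the same key pair.
    Get-ChildItem "Cert:\LocalMachine\$StoreName" -ErrorAction SilentlyContinue |
        Where-Object { $_.GetPublicKeyString() -eq $pubKey }
}

$personal = @(Find-ByPublicKey 'My')       # Personal
$interm   = @(Find-ByPublicKey 'CA')       # Intermediate Certification Authorities
$pending  = @(Find-ByPublicKey 'REQUEST')  # Certificate Enrollment Requests

"Subject    : $($leaf.Subject)"
"Thumbprint : $($leaf.Thumbprint)"

if ($interm | Where-Object { $_.Thumbprint -eq $leaf.Thumbprint }) {
    'FINDING: this leaf certificate sits in Intermediate Certification Authorities; remove it from there and complete the request again.'
}

$withKey = @($personal | Where-Object { $_.HasPrivateKey })
if ($withKey.Count -gt 0) {
    'OK: the Personal store holds this certificate with its private key.'
}
elseif ($personal.Count -gt 0) {
    'FINDING: the certificate is in the Personal store without a private key.'
}

if ($withKey.Count -eq 0 -and $pending.Count -eq 0) {
    'FINDING: no pending request on this machine matches the certificate key. Import a .pfx from the machine that holds the key, or re-key with a CSR generated here.'
}
elseif ($pending.Count -gt 0) {
    'INFO: a matching pending request exists here, so completing the request on this machine can pair the key.'
}
```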
I ran into this issue as well. Rekeying the cert resolved the issue, but the reason was that I was using a UCC cert, and the SARs had been changed AFTER the cert had last been re-keyed. Re-keying the cert again resolved the issue. I spent 2 hours on the phone with a tech there before I found that out <:(
From rotard