I do sometimes wonder why something that worked perfectly well the last time I did it, now doesn’t and has caused me a morning’s worth of worry.

The problem? A simple SSL certificate renewal. Or not so simple, as it turned out.

Usually, we don’t do certificate renewals, because IIS6 seems to have a problem, meaning it doesn’t work properly. Instead, we use a temporary site to generate a CSR, which we then use to generate our new certificate. Once we have the cert, we finish off the outstanding certificate request.

From there, we export it from certificate manager, and import it to where it is needed, usually by double clicking on the pfx file and running through the on screen prompts.

Next we do a simple certificate replace on our three webservers within our cluster.

The problem is, is that during the export from our original server, the private key got munched somehow, which we didn’t know, so once we deployed the cert on our live servers, the site broke quite badly. Despite the broken certificate, it

I was able to find the problem after I installed and ran Microsoft’s SSL Diagnostic tool, which I’d highly recommend if you find yourself in a similar position.

I fixed it in a roundabout way, though I’m not completely sure why it worked.

First, I went back to the server where the original CSR was generated. I then went to the temporary site, and exported the cert using IIS6, and not the certificate management console.

I then copied the resulting PFX file to the destination, and instead of double clicking to import, I opened up certificate manager, selected my certificate store, then right clicked on the store, and selected the ‘Import’ option instead.

Once imported, I did a simple SSL cert replace on the problem site and all was well again.

I’m frustrated that the original method used to work, and that it now, seemingly, doesn’t, but at least having had this happen, if it does happen again, I won’t be so much in the dark.

« »