Windows Server 2008 R2, IIS7. We have an SSL cert from Go Daddy. It's a wildcard cert, so it will work across subdomains (e.g. *.domain.com). I followed the instructions located at http://support.godaddy.com/help/article/4801/installing-an-ssl-certificate-in-microsoft-iis-7 for installing the certificate. I get to the IIS step, where I:
- Click on "Security Certificates" feature when the server is selected in the left pane
- Click on "Complete Certificate Request"
- Navigate to the .crt file on the file system
- Give it a "friendly" name, click finish
The cert gets listed on the main pane now of this "Server Certificates" panel. But, if I refresh the page, or navigate away and come back, it's gone. And the cert is not listed as a viable binding when trying to bind a site to https.
This seems like a pretty straightforward process, but clearly I'm missing something here. Any ideas?
EDIT: I found this post, which seems to imply this behavior happens when you try to use the intermediate certificate. When I downloaded the files from GoDaddy, there were 2 in a zip file. 1 was the gd_iis_intermediates, the other was named for the domain. I installed the domain one (extension .crt). There didn't seem to be any other option - installing the other from IIS gives an error "Cannot find the certificate request that is associated with this certificate file. A certificate request must be completed on the computer where the request was created".
That being said, there doesn't appear to be any other download I can use.
There was also mention, in the comments (and elsewhere after googling) of "exporting" the cert as a pfx, and installing that. But I can't figure out how to export it - even through certmgr.msc.
I should also mention this cert is installed on another computer running IIS6 (this IIS7 installation is meant to be a failover, plus the primary while we upgrade the IIS6 to IIS7). But I can't figure out how to export it from that computer either.
The certificate was not exportable, so I was unable to use Robert's suggestion. Ultimately, I had to rekey the certificate at the Go Daddy account management page, and install it on both servers again. Some of the options during the wizard for the install on IIS6 were grayed out for me, and my initial attempt on that server failed. I ended up installing the certificate on the new server (IIS7), and then exporting that certificate in a .pfx format, and then importing that version into the IIS6 installation. At which point everything started working.
Try exporting the certificate from the IIS6 server using these instructions: http://www.sslshopper.com/move-or-copy-an-ssl-certificate-from-a-windows-server-to-another-windows-server.html
That will ensure that the certificate has a private key.
Try importing into Intermediate Certificate Stores. If you view the certificate there, you will find that "you have a private key that corresponds to this certificate". Simply export to .pfx, then import into IIS. Worked for me :)
I've found the problem can be reproduced when the leaf certificate has been installed under Intermediate Certification Authorities. Removing it (and leaving any real intermediate, if applicable) then completing the wizard corrects the problem.
I ran into this issue as well. Rekeying the cert resolved the issue, but the reason was that I was using a UCC cert, and the SARs had been changed AFTER the cert had last been re-keyed. Re-keying the cert again resolved the issue. I spent 2 hours on the phone with a tech there before I found that out <:(
As far as I can tell from having these issues today, if you have a certificate with multiple SANs (or I guess a wildcard) and run multiple servers, you need to rekey in Godaddy every time you install on a different machine.
This is easy enough - generate a CSR (2048 bit encryption), paste it on the Rekey page in Godaddy and you can then download a new cert. There isn't a wait for approval.
I had the same problem today, and fixed it by repairing the key store and providing the serial number of the public certificate. See my answer here or go directly to this link which explains how to repair the key store.
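A diagnostic sketch for the two causes raised in the answers above (a certificate with no associated private key, and a leaf certificate filed under Intermediate Certification Authorities), added here as an example and not taken from any poster. It assumes an elevated PowerShell session on the IIS server; the helper name `Test-IsCaCertificate` is hypothetical.

```powershell
# Added example: inspect the machine certificate stores for the two
# conditions discussed in this thread. Read-only; it changes nothing.

function Test-IsCaCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # A CA certificate normally carries Basic Constraints with CA=TRUE.
    # Caveat: very old CA certs without this extension will be reported as leaf.
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]) {
            return $ext.CertificateAuthority
        }
    }
    return $false
}

# 1. Certificates in Local Computer\Personal that have no private key attached.
$noKey = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { -not $_.HasPrivateKey })
foreach ($c in $noKey) {
    "No private key: {0}" -f $c.Subject
    "  serial={0}  thumbprint={1}" -f $c.SerialNumber, $c.Thumbprint
    # Command to try by hand; it only helps if the matching key exists on this machine.
    "  repair: certutil -repairstore my `"{0}`"" -f $c.SerialNumber
}

# 2. Leaf certificates sitting in Intermediate Certification Authorities.
$misfiled = @(Get-ChildItem Cert:\LocalMachine\CA |
    Where-Object { -not (Test-IsCaCertificate $_) })
foreach ($c in $misfiled) {
    "Leaf cert in Intermediate store: {0}" -f $c.Subject
    "  thumbprint={0}  HasPrivateKey={1}" -f $c.Thumbprint, $c.HasPrivateKey
}

if ($noKey.Count -eq 0 -and $misfiled.Count -eq 0) {
    "No keyless certificates in Personal and no leaf certificates in Intermediate."
}
```

If `certutil -repairstore` reports that no key was found, the key pair was generated on a different machine, and the remaining options are the ones described above: export a .pfx from the machine that holds the key, or rekey with a CSR generated on this server.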