I have a working IIS 8.0 server (on Windows Server 2012) that has a working SSL installation. The certificate is due to expire in a few days, so I am trying to renew it.
When I try to create a renewal request in the IIS Manager, it fails when clicking Finish with the following:
---------------------------
Renew an Existing Certificate
---------------------------
There was an error while performing this operation.
Details:
Object reference not set to an instance of an object.
---------------------------
OK
---------------------------
When I try to do it through the Certificates snap-in in MMC, I find I don't have the option to renew in the context menu. I believe both of these issues are due to the certificate being located in the WebHosting (Web Hosting) certificate store.
How do I create a renewal request in this circumstance?
Thanks!
OK, well, it turns out, "renewing" was not what I wanted, although you would think it was. Looking at https://www.geocerts.com/csr/iis_renew_7 told me that I just wanted to issue a new request, not do a renewal.
I tried moving the cert to Personal, which let me issue a renewal request, but the CA (Network Solutions in this case) didn't like that request. They were fine with the new request though. So it all worked out from that in the end.
I came across the same problem, and ended up creating a new request instead of "renewing." Apparently there is a way to fix the Renew functionality though - see https://blogs.msdn.microsoft.com/sroun/2014/07/25/fixing-object-reference-not-set-to-an-instance-of-an-object-when-using-shared-configuration-in-iis8-x/
I would like to add information about this situation.
What I have found is that the error posted happens when the current certificate for "Create a renewal certificate request" is in the "Web Hosting" store instead of the local computer "Personal" store.
Also, if a renewed certificate was created without creating a renewal certificate request, just by renewing it on the original authority server, and it is imported using the IIS option "Renew Certificate", selecting "Complete certificate renewal request" and choosing the "Web Hosting" store again, the renewed certificate gets imported but without any association with the private key, so it is not shown in IIS and cannot be bound. But if the same option is used and the "Personal" store is selected instead of the "Web Hosting" store, then the private key is associated with the renewed certificate.
By the way, doing that loses the friendly name, and I believe that the IIS automatic binding of renewed certificates won't work because the original certificates' bindings were not using the same store.
So, a manual IIS certificate rebind must be done at least the first time the renewed certificates get imported into the local computer "Personal" store. Hopefully the following renewed certificates will be bound automatically.
The referenced fix about "fixing-object-reference-not-set-to-an-instance-of-an-object-when-using-shared-configuration-in-iis8-x" does not address this situation.
My final thought is why IIS offers importing certificates into the "Web Hosting" store if it is not fully supported. I believe that this is just a bug never reported/identified to Microsoft. The Web Hosting store was introduced with IIS 8 for dynamic certificate loading into memory instead of a bulk certificate load as with the local computer Personal store.
My server is a Windows 2019 server with IIS 10.
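A read-only PowerShell check for the situation described in the answers above, as an added example that is not from any of the posters: it inventories the local computer Personal (My) and Web Hosting stores, then reports for each HTTPS binding whether the referenced certificate is in the named store, has a private key associated, and is still valid. It assumes the WebAdministration module is installed and an elevated session; bindings that reference a store other than these two are reported as not found.

```powershell
# Added example: read-only audit of the two certificate stores discussed above.
# Run in an elevated PowerShell session on the IIS server.
Import-Module WebAdministration   # installed with the IIS management scripts and tools

$stores = 'My', 'WebHosting'      # 'My' is the store the MMC snap-in shows as "Personal"
$now    = Get-Date

# 1. Inventory both stores with the properties that matter for a renewal.
$certs = foreach ($store in $stores) {
    Get-ChildItem -Path "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Thumbprint    = $_.Thumbprint
                Subject       = $_.Subject
                FriendlyName  = $_.FriendlyName
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}
$certs | Sort-Object Subject, NotAfter | Format-Table -AutoSize

# 2. For every HTTPS binding, resolve the certificate it references and report
#    the failure modes from this thread: wrong store, missing private key, expiry.
Get-WebBinding -Protocol https | ForEach-Object {
    $hash  = $_.certificateHash
    $store = $_.certificateStoreName
    $cert  = $certs |
        Where-Object { $_.Thumbprint -eq $hash -and $_.Store -eq $store } |
        Select-Object -First 1

    $status = 'OK'
    if (-not $hash)                   { $status = 'No certificate assigned' }
    elseif (-not $cert)               { $status = "Not found in store '$store'" }
    elseif (-not $cert.HasPrivateKey) { $status = 'No private key associated' }
    elseif ($cert.NotAfter -lt $now)  { $status = 'Expired' }

    [pscustomobject]@{
        Binding    = $_.bindingInformation
        Store      = $store
        Thumbprint = $hash
        NotAfter   = if ($cert) { $cert.NotAfter }
        Status     = $status
    }
} | Format-Table -AutoSize
```

In the first table, a renewed certificate that sits in WebHosting with HasPrivateKey set to False corresponds to the import problem described above; after a rebind, the binding's Store and Thumbprint columns should match the row of the renewed certificate.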