
Thread: iisreset and corrupting SSL private keys

Last post 06-25-2006 3:23 AM by David.Wang. 6 replies.


Page 1 of 1 (7 items)


  • 06-07-2006, 8:34 PM

    • qgyen
    • Not Ranked
    • Joined on 06-25-2003, 3:30 PM
    • Elk Grove, CA
    • Posts 2

    iisreset and corrupting SSL private keys

    Has anyone ever run into an issue where running iisreset seems to corrupt the stored private key for an SSL certificate?  I've had this happen to me now on about 5-6 certificates, from self signed ones, to example ones, to my actual live ones.

    When it happens, you can go to a site with standard non-SSL and it will work fine, but change it to https, and the browser will hang for like 10-15 seconds and then just give up and timeout.

    I found the SSL Diagnostic utility (http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/ssldiags.mspx) and it told me that the private key had been corrupted, but didn't offer anything as far as why or how.  All I had to do to fix it was to delete the key, re-import it, and reassign it in IIS.  But since I also use the key within an ASP.NET application, I have to go in and also go through the pain of granting the ASP/Network Service account read permission to it, which makes it kind of a pain to do whenever it decides to give out.

    Anybody else encounter this or know anything more on it?  Would like to find an actual solution to it.
  • 06-07-2006, 10:46 PM In reply to

    • Bernard
    • Top 25 Contributor
    • Joined on 05-24-2006, 4:30 AM
    • Malaysia
    • Posts 291

    Re: iisreset and corrupting SSL private keys

    This is weird and something new to me. I have a selfssl signed cert on my XP Pro, I didn't encounter the error before. Can you post the ssldiag report here? Maybe the MS folks here are able to help. Also, where do you get the self signed cert?
    Cheers,
    Bernard Cheah
  • 06-08-2006, 7:33 PM In reply to

    Re: iisreset and corrupting SSL private keys

    As described in this blog entry, IISReset can cause loss/change of information in the IIS Metabase, which contains information that tells IIS (as well as SSLDiag) which certificate key store to use.

    Perhaps that is what is causing your issue. Recreate/Reassign the certificate simply refreshes that information to be consistent again, so it appears to "fix" the issue.

    My recommendation would be to not use IISReset. If you are on IIS6 or later, then you should never use IISReset and use Application Pool Recycling instead. I always recommend troubleshooting WHY you have to "reset IIS" and resolving that.

    In short, you should not consider resetting IIS to be "normal" and should avoid it as much as possible.

    //David
    IIS
    http://blogs.msdn.com/David.Wang
    This posting is provided "AS IS" with no warranties, and confers no rights.
    //
  • 06-08-2006, 8:17 PM In reply to

    • qgyen
    • Not Ranked
    • Joined on 06-25-2003, 3:30 PM
    • Elk Grove, CA
    • Posts 2

    Re: iisreset and corrupting SSL private keys

    This was actually on my dev box, running WinXP, so it is just IIS 5.1.  I end up using iisreset occasionally, as sometimes VS fails to build a project because a dll is being locked, or any number of things.  I never use it on a production server, but it is probably more annoying on a dev box because it kind of hinders my ability to actually develop.

    Thanks for the link to the blog entry though.  Very useful information. :)  Will be sure to pass it along, as I had told a few other people about my troubles and they were curious as to what was going on as well.
  • 06-15-2006, 8:42 AM In reply to

    • codeboy
    • Not Ranked
    • Joined on 06-10-2002, 8:58 PM
    • Wilton, NY
    • Posts 10

    Re: iisreset and corrupting SSL private keys

    What is the supported / recommended way of resetting IIS for IIS6?  I'll occasionally have to do this in order to release the lock on an ISAPI dll to deploy a new version.  iisreset is great because I can do this from the command line of my dev box (files are deployed on a dev server separate from the dev box).  I can turn off caching ISAPI, but that degrades performance way too much and isn't really reasonable.  The other option is to write a custom extension which will load other extensions and then unload them after a while.  But even so, having the ability to bounce IIS is important here.

    Scott Sargent

    Visit my Blog
  • 06-21-2006, 9:16 AM In reply to

    • tomkmvp
    • Top 10 Contributor
    • Joined on 03-20-2003, 10:27 AM
    • Central NJ
    • Posts 6,078
    • IIS MVPs

    Re: iisreset and corrupting SSL private keys

  • 06-25-2006, 3:23 AM In reply to

    Re: iisreset and corrupting SSL private keys

    codeboy: The following blog entry describes the background and process for doing what you want

    http://blogs.msdn.com/david.wang/archive/2006/01/29/HOWTO_Replace_an_ISAPI_DLL_on_a_Live_Server.aspx

    I suggest using process recycling on IIS6.

    //David
    IIS
    http://blogs.msdn.com/David.Wang
    This posting is provided "AS IS" with no warranties, and confers no rights.
    //
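David's two replies above recommend application pool recycling on IIS 6 in place of iisreset. As an added example (not code from the thread, from IIS, or from the linked blog entries), the following PowerShell recycles one named pool through the IIS 6 WMI provider, so the worker process is replaced without restarting the whole service or touching the metabase; the pool name is a placeholder, and the script assumes it runs on the IIS 6 host with administrative rights.

```powershell
# Added example, not from the thread: recycle a single application pool on IIS 6
# via the MicrosoftIISv2 WMI provider instead of running iisreset.
# Assumptions: run locally on the IIS 6 server as an administrator;
# $PoolName is a placeholder to replace with the pool that hosts the app.
param(
    [string]$PoolName = "DefaultAppPool"   # placeholder pool name
)

# IIsApplicationPool instances are named by metabase path, e.g. W3SVC/AppPools/<name>.
$metabasePath = "W3SVC/AppPools/$PoolName"
$pool = Get-WmiObject -Namespace "root\MicrosoftIISv2" -Class IIsApplicationPool |
        Where-Object { $_.Name -eq $metabasePath }

if (-not $pool) {
    Write-Error "Application pool '$PoolName' ($metabasePath) not found"
    exit 1
}

# Recycle() starts a fresh worker process and lets the old one drain, which releases
# DLLs loaded by that pool's w3wp.exe only. The IIS service, the metabase and the
# SSL certificate assignment stored there are not restarted or rewritten.
$null = $pool.Recycle()
Write-Host "Recycled application pool $metabasePath"

# On IIS 7 and later the same operation is a one-liner with appcmd:
#   %windir%\system32\inetsrv\appcmd recycle apppool /apppool.name:<name>
```

Recycling only the pool that loaded the locked ISAPI DLL is enough to release the file for redeployment, which is the case codeboy describes.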