IIS 5 & IIS 6
Help needed! SSL certificate replaced, but site delivers old one stil...
Last post Jan 07, 2009 03:05 AM by JaroDunajsky
Dec 29, 2008 06:56 AM|Synocus|LINK
Dec 29, 2008 07:47 AM|Paul Lynch|LINK
Have you completely removed the old certificate from the Local machine certificate store on your server? If it is removed from there then there's no way IIS can still be using the old certificate. You can also try clearing the SSL state from your browser if you are using IE.
How to troubleshoot problems accessing secure Web pages with Internet Explorer 6 Service Pack 2
And you could also try running SSLDiag if you are still unable to resolve the issue.
SSL Diagnostics Version 1.1 (x86)
Dec 29, 2008 08:19 AM|Synocus|LINK
Dec 29, 2008 10:50 AM|Paul Lynch|LINK
It sounds as though SharePoint is still using the old certificate so you may have to configure the new certificate for use within SharePoint itself.
Dec 30, 2008 06:04 AM|Synocus|LINK
Dec 30, 2008 06:40 AM|Paul Lynch|LINK
MOSS 2007 should always use the certificate specified in IIS. I tried removing the old certificate from the local computer's personal certificate store. It didn't affect the site. The secure site still uses the old certificate despite the removal.
That would suggest that maybe MOSS is caching the certificate internally, or maybe you've found a bug in MOSS, I'm not 100% sure.
I haven't got any experience of using SSL with MOSS but I would approach this issue by removing the SSL setting from the MOSS site, then removing the old certificate from the server and then re-enabling the SSL requirement on the MOSS site and specifying the new certificate.
In the meantime I'm off to research how MOSS handles SSL certificates because what you are describing suggests that MOSS is keeping its own internal reference to the SSL cert as opposed to relying on the local machine store.
Dec 30, 2008 06:54 AM|Synocus|LINK
Dec 30, 2008 06:58 AM|Paul Lynch|LINK
OK, it looks like it isn't a bug but is actually expected behaviour as explained here:
However, you may want to ask this question over in the SharePoint forums to get further clarification of the issue:
Dec 30, 2008 08:19 AM|Synocus|LINK
Dec 30, 2008 11:03 AM|Paul Lynch|LINK
You're welcome. Please let us know what advice you get from the SharePoint experts - I'm actually genuinely interested in finding out what's happening here.
Dec 30, 2008 05:55 PM|JaroDunajsky|LINK
I don't see how SharePoint would affect the SSL handling. What version of IIS are you using? I assume it is IIS 6.0.
Do you by any chance have kernel mode SSL enabled for IIS 6 (introduced in Win 2003 SP1)? My recollection is that kernel mode SSL on Win2003 doesn't handle change notifications for certificates (besides other limitations). For more details see the following
Dec 31, 2008 03:51 AM|Synocus|LINK
Dec 31, 2008 06:26 AM|Paul Lynch|LINK
Having re-read Joel Olson's blog post I think that my understanding of the process is incorrect - I think SharePoint only stores the fact that a site is SSL enabled - it doesn't appear to know anything about the certificate in use, which makes more sense.
You say that you have restarted IIS and it hasn't made any difference, so assuming that you haven't already rebooted the machine at this point I would suggest doing the following:
1. Issue an iisreset /stop command
2. Then type net stop http followed by net start http
3. Issue an iisreset /start command
Now, try browsing to your SharePoint site over SSL and see what happens.
If you still get the old cert then my only other suggestions would be that maybe you have got more than one front-end web server in your SharePoint farm (with the old certificate installed on your other server) or that maybe there is a hardware SSL accelerator on your network with the old cert installed on it. I don't know what else to suggest, I've never seen anything like this before.
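Added example, not part of the original thread: a PowerShell check that reads the certificate the listener actually presents and compares its thumbprint with the new certificate and with the Local Machine personal store, so a browser cache cannot mislead the result. The host name and expected thumbprint are placeholders, and the function names are hypothetical.

```powershell
# Added example (not from the thread). Host name and thumbprint are placeholders.
param(
    [string]$HostName = 'moss.example.test',
    [int]$Port = 443,
    [string]$ExpectedThumbprint = 'REPLACE-WITH-NEW-CERT-THUMBPRINT'
)

function Get-ServedCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept whatever the server presents: the goal is to inspect it, not to trust it.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        try {
            $ssl.AuthenticateAsClient($HostName)
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        } finally { $ssl.Close() }
    } finally { $client.Close() }
}

function ConvertTo-Thumbprint([string]$Text) {
    # Thumbprints copied from the certificate dialog carry spaces and lower-case hex.
    ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

$served   = Get-ServedCertificate -HostName $HostName -Port $Port
$expected = ConvertTo-Thumbprint $ExpectedThumbprint
# Is the certificate on the wire present in the Local Machine personal store?
$inStore  = @(Get-ChildItem Cert:\LocalMachine\My |
              Where-Object { $_.Thumbprint -eq $served.Thumbprint })

"Served thumbprint : $($served.Thumbprint)"
"Served subject    : $($served.Subject)"
"Served validity   : $($served.NotBefore) to $($served.NotAfter)"

if ($served.Thumbprint -eq $expected) {
    'OK: the listener presents the new certificate.'
} elseif ($inStore.Count -gt 0) {
    'STALE: an older certificate still in LocalMachine\My is being served.'
} else {
    # Matches the cases raised in the thread: a cached certificate in HTTP.sys,
    # another front-end server, or an SSL accelerator in front of this host.
    'STALE: the served certificate is not in LocalMachine\My on this machine.'
}
```

Running it on the web server itself against its own address, and again against the public name, separates a stale listener on the box from another front end or an accelerator answering for it.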
Jan 06, 2009 04:29 AM|Synocus|LINK
Jan 06, 2009 07:40 AM|qbernard|LINK
Do you have the HTTPS service running?
I forgot, I recalled in IIS 7 - we can net stop https? Only require to recycle the HTTPS service
Jan 07, 2009 02:09 AM|Synocus|LINK
Jan 07, 2009 03:05 AM|JaroDunajsky|LINK
He has kernel mode SSL enabled, so recycling the httpssl service wouldn't help.