IIS 7 and Above
SSL certificate is not getting binded with iis https binding on updat...
Last post Jan 22, 2021 06:35 AM by Brucz
Jan 20, 2021 10:50 AM|raunak.omar
I have installed the keyvault extension on a VMSS having a Windows Server 2019 custom image.
On updating the certificate in keyvault, the extension pulls the updated certificate.
But my binding with the old certificate in IIS is not getting updated. Weird behavior is that if any client tries to access the site using https://localhost, it is being served with the updated certificate.
Jan 20, 2021 05:33 PM|lextm
It is the Windows HTTP API that controls which certificate belongs to a binding:
https://docs.jexusmanager.com/tutorials/https-binding.html#background So you should dig further to see what can explain the observed behaviors.
Jan 21, 2021 05:35 AM|Brucz
Is the certificate you updated in keyvault added to the server? Does the certificate have a private key?
Due to the timeframe and some other issues, there may be differences in the list of certificates displayed in IIS, which affects the certificates bound to the site in IIS.
To solve this problem, you can manually import the certificate into IIS.
Export the certificate from the certificates.msc console to a certificate.pfx file. Please make sure to export it with a private key and password protect it. Once this is done you can import the certificate in IIS by using the import option instead of complete certification request. This keeps the certificate in the server certificates console and you can bind the website to the certificate.
Jan 21, 2021 07:18 AM|raunak.omar
Yes, the certificate I updated in keyvault is getting added to the server. Yes, the certificate has the private key.
In the IIS binding the certificate is not getting updated, but when a client makes a request to the server, it is getting the updated certificate.
I was trying to create an automated pipeline so that if I update my certificate in keyvault, machines should get it automatically and there is no need for redeployment of machines. So manual steps will not be possible in my case.
Do you have any other suggestion or log location where I can look for more debugging?
Jan 21, 2021 07:20 AM|raunak.omar
I tried checking with the netsh command to know what certificate is bound to 443, but it is the old one.
Very confusing then how clients are able to pick up the updated certificate.
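The point lextm makes above (http.sys, not IIS, decides which certificate a binding serves) and the netsh check raunak.omar describes can be combined into one diagnostic. The following PowerShell script is an added example, not code from this thread, Jexus Manager or the Key Vault extension. It assumes the IIS WebAdministration module, an elevated session, and English-language labels in the output of `netsh http show sslcert` (the regular expressions match those labels). For every HTTPS binding of every site it reports the thumbprint IIS has stored in applicationHost.config, the thumbprint http.sys is actually serving for the same endpoint, and what each thumbprint resolves to in the LocalMachine store (subject, expiry, private key present), so a row with `InSync = False` shows exactly the symptom described in this thread.

```powershell
# Added diagnostic example, not code from this thread. Assumes the IIS
# WebAdministration module, an elevated PowerShell session, and English
# netsh output labels (the regexes below are written against those).
Import-Module WebAdministration

function Get-HttpSysSslBindings {
    # Parse "netsh http show sslcert" into a hashtable keyed by endpoint:
    # "ip:port" for address bindings, "hostname:port" for SNI bindings.
    $bindings = @{}
    $current = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            $current = $Matches[2]
            $bindings[$current] = @{ Endpoint = $current; Hash = $null; Store = $null }
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
            $bindings[$current].Hash = $Matches[1].ToUpperInvariant()
        }
        elseif ($current -and $line -match '^\s*Certificate Store Name\s*:\s*(\S+)') {
            $bindings[$current].Store = $Matches[1]
        }
    }
    return $bindings
}

function Get-CertSummary([string]$Store, [string]$Thumbprint) {
    # Resolve a thumbprint in the LocalMachine store the binding points at, so the
    # report shows whether it is the old or the renewed certificate and whether a
    # private key is attached (a certificate without one cannot serve TLS).
    if (-not $Thumbprint) { return $null }
    $storeName = if ($Store) { $Store } else { 'My' }
    $cert = Get-ChildItem "Cert:\LocalMachine\$storeName" -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
    if (-not $cert) { return "not found in LocalMachine\$storeName" }
    '{0} (expires {1:yyyy-MM-dd}, private key: {2})' -f $cert.Subject, $cert.NotAfter, $cert.HasPrivateKey
}

function Compare-IisAndHttpSysCertificates {
    $httpSys = Get-HttpSysSslBindings
    foreach ($site in Get-ChildItem IIS:\Sites) {
        $https = $site.Bindings.Collection | Where-Object { $_.protocol -eq 'https' }
        foreach ($b in $https) {
            # bindingInformation is "ip:port:hostname"; "*" means all addresses.
            # (IPv4 only here: a bracketed IPv6 address would need a smarter split.)
            $ip, $port, $hostName = $b.bindingInformation -split ':', 3
            if (-not $ip -or $ip -eq '*') { $ip = '0.0.0.0' }
            # sslFlags bit 1 = SNI; http.sys then keys the binding by host name.
            $sni = (([int]$b.sslFlags -band 1) -ne 0) -and $hostName
            $endpoint = if ($sni) { "$hostName`:$port" } else { "$ip`:$port" }
            $iisHash = ([string]$b.certificateHash).ToUpperInvariant()
            $entry = $httpSys[$endpoint]
            [pscustomobject]@{
                Site        = $site.Name
                Binding     = $b.bindingInformation
                IisHash     = $iisHash
                IisCert     = Get-CertSummary $b.certificateStoreName $iisHash
                HttpSysHash = $entry.Hash
                HttpSysCert = Get-CertSummary $entry.Store $entry.Hash
                # True only when IIS config and the live http.sys binding agree.
                InSync      = ($iisHash -ne '' -and $iisHash -eq $entry.Hash)
            }
        }
    }
}

Compare-IisAndHttpSysCertificates | Format-List
```

Reading the output: the `HttpSysCert` column is the certificate clients actually receive, because http.sys terminates TLS before IIS sees the request; `IisCert` is only what IIS Manager displays. If the two differ, whichever tool last wrote the http.sys entry (here, something outside IIS) won, and re-saving the binding in IIS, or updating the entry with `netsh http update sslcert`, brings them back into agreement. Run the script before and after a Key Vault rotation to see which side the extension is updating.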
Jan 22, 2021 06:35 AM|Brucz
I researched key vault and found that it is an extension on Azure, not about IIS.
"I tried checking with the netsh command to know what certificate is bound to 443, but it is the old one."
This shows that the key vault is not fully working and there seems to be a problem with the function.
I suggest you go to the Azure forum for help.