次の方法で共有


Disappearing SSL certificates from IIS 7.0 manager

“I install a SSL server certificate using the ‘Complete Certificate Request’ wizard in IIS manager and when I refresh the view the certificate disappears. “

I have heard that a couple of times and every time I used to go “What ?” Until someone showed it to me.

If you are one of those who are wondering about this read on.

The Server Certificates module in IIS manager displays a list of certificates from the Local Machine SSL store.

But it only lists the certificate if

1. The certificate has a private key

2. The certificate is meant for Server Authentication

And this is where the disappearing act occurs.

The IIS Manager enumerates all the extensions of the certificate and checks if OID 2.5.29.37 (Extended Key Usage) exists. If it does the certificate Enhanced Key Usage section must contain 1.3.6.1.5.5.7.3.1  (Server Authentication).

In the repro’ I was shown the user had actually downloaded the intermediate certificate and used that .cer file to complete the certificate request. In this case the wizard will go thro’ all the steps but when you refresh the view the certificate will not be listed.

Bookmark and Share

Comments

  • Anonymous
    May 22, 2009
    PingBack from http://microsoft-sharepoint.simplynetdev.com/disappearing-ssl-certificates-from-iis-70-manager/

  • Anonymous
    November 21, 2009
    Hi there, I had the same issue as mentioned in your post. I have found a solution whereby you need to export certificate from certificates.msc concole to a certificate.pfx file. Please make sure to export it with a private key and password protect it. Once this is done you can import the certificate in iis by using import option instead of complete certification request. This keeps the certificate in server certificates console and you can bind the website to the certificate. Regards, Pawel

  • Anonymous
    November 22, 2009
    when i try exporting my cer file as pfx in the mmc, the pfx option is greyed out :( anyone else had this problem?

  • Anonymous
    March 24, 2010
    I had the same problem. Once I had the cert re-issued with a new request key it worked.

  • Anonymous
    July 30, 2010
    I've found the problem can be reproduced when the leaf certificate has been installed under Intermediate Certification Authorities.  Removing it (and leaving any real intermediate, if applicable) then completing the wizard corrects the problem.

  • Anonymous
    September 08, 2010
    I had the same problem.  I was missing the private key in my certificate.  I wrote instructions on how to resolve this issue here: nickstips.wordpress.com/.../iis-disappearing-ssl-certificate-problem-resolved

  • Anonymous
    May 16, 2011
    My solution was found by changing the files I had to a .pfx file and importing it, go to the following: nickstips.wordpress.com/.../sql-ssl-and-sql-server-2008-creating-the-certificate

  • Anonymous
    September 18, 2012
    The comment has been removed

  • Anonymous
    September 27, 2012
    You are the best, pixelloa! And I second your statement about netsol

  • Anonymous
    October 08, 2012
    pixelloa, your suggestion worked. Nice one, thanks.

  • Anonymous
    June 24, 2013
    Hello pixelloa can you please tell me that how can i use certutil -repairstore? Thanks, Parikh

  • Anonymous
    April 09, 2014
    If anyone is still watching this thread... I came across this with a digicert cert as well. What I did was import it anyway into IIS. After adding it, but before it disappeared I right-clicked and selected view on the cert, went to the Details tab, and selected copy to file. Selected to export the private key, and assigned a password. Then I refreshed (cert was gone) and re-imported the now .pfx cert and entered the password. Worked like a charm.

  1. Import cert anyway
  2. Right-click > View
  3. Details tab > Copy to File
  4. Export PK, assign password, export as .pfx
  5. Import new .pfx
  • Anonymous
    June 09, 2014
    The comment has been removed

  • Anonymous
    August 05, 2014
    Thanks to pixelloa for the path forward to solving this rather obtuse problem.

  • Anonymous
    November 05, 2014
    Thanks a lot pixelloa! Worked like a charm.

  • Anonymous
    November 05, 2014
    Thanks a lot pixelloa! Worked for me

  • Anonymous
    March 09, 2015
    I have .P7B file and when I am completing the CSR request its getting disappear. Its available on MMC but when I export .PFX option is greyed out. Nothing is working for me. Please help

  • Anonymous
    March 16, 2015
    The comment has been removed

  • Anonymous
    March 19, 2015
    Nice try pixelloa and JBrunelle but in either case I still cannot come out of the process with a pfx (still greyed out upon export).

  • Anonymous
    April 20, 2015
    For anyone who runs into this issue for wildcard certs.  I originally updated our Exchange server to a renewed wildcard cert FIRST.  When I tried to add the same cert to IIS, it would disappear.  The fix was to EXPORT the cert via Exchange, with the private-key, and then Import the .pfx on IIS.  Make sure your friendly name matches the wildcard URL.  I did not need to "repairstore" or anything like that, as Exchange was using a valid cert.

  • Anonymous
    May 14, 2015
    I have tried to use certutil -repairstore in windows 8.1 and it keep ask me select a smart card device? I haven't setup any smart card. Why keep ask me?

  • Anonymous
    June 19, 2015
    OMG Pixelloa - your solution worked. Nothing else worked for me. No PFX convertions rekey, re-CSR nothing! This worked like a charm. Thank you so much

  • Anonymous
    July 24, 2015
    You should install .CER in the same machine that you used to create the certificate request, by using Complete Certificate Request. After that you can export it as .PFX and install it into any other machine

  • Anonymous
    September 01, 2015
    Wrote a blog post to cover all details about this issue, from requesting the certificate to installing it properly, blog.lextudio.com/.../the-whole-story-of-server-certificate-disappears-in-iis-77-588-510-0-after-installing-it-why

  • Anonymous
    September 14, 2015
    Hello, had the same problem.  You need to ensure you are installing on the same server as the one you created the "CSR" file from.  Otherwise, it wont have the private keys.   If you got your cert, just ask to re-key, it will ask for a new CSR file.