This Blog is a supplement to my website. Please also visit: www.DavidCocke.com

Saturday, October 1, 2011

SSL not working on Windows Server 2003

We have a customer that physically moved their server from one location to another. This was a server that had not been rebooted in over 6 months.


After we moved it and brought it back up, I began to realize that SSL on the web server was not working. I first thought I had made a mistake in the firewall rules, since it was a new firewall at a new site on a different ISP, but I later realized that the problem was the server itself.


If you connected to the page over HTTP on port 80 it worked, but if you went to HTTPS on port 443 you got absolutely nothing: no errors, the page just did not display. There were also no errors in the Windows Error Logs. I did iisreset until I was blue in the face, but nothing changed.


Then I decided to replace the certificate with a self-signed certificate:
  • In IIS, right-click on website (Default Web Site in my case) and choose Properties
  • Go to the Directory Security tab and choose the Server Certificates button
  • Choose the option to Replace the current certificate
  • Then I chose my self-signed certificate
Then, magically, the website began to show the SSL page, albeit with a security warning because it is a self-signed certificate. Then I replaced it again with the valid certificate issued by the Trusted Certificate Authority (GeoTrust in this case), but then I was back to my original symptom of no page displayed at all.

Then I decided to delete the certificate altogether and re-import it (thankfully I had saved it in a folder when we first installed it), but that didn't work either. Then it occurred to me that when I deleted the public certificate, I may also have deleted or broken its link to the private key.

After Googling I found this very helpful article:



I followed the instructions, but the magic command line that made it work was rather unclear in their article, since they did not give an example.

So let me clarify it here. If you delete a certificate and then re-import it, you will need to repair the certificate store so that the certificate is re-linked to its private key.

When you look at the certificate's Serial Number you will see it has spaces in it. You have to include the spaces in your command line.

Example: 

certutil -repairstore my "02 85 03"
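As an added example (not from the original post), here is a PowerShell check that lists the certificates in the machine's Personal (My) store whose private key is no longer linked, which is exactly the state that produced the silent failure on port 443 above, and prints the certutil -repairstore command for each one with the serial number in the spaced form shown in the certificate dialog. The subject filter www.example.com is an assumption; substitute your own site's name.

```powershell
# Added example, not part of the original post.
# Lists server certificates in the LocalMachine\My store (where IIS looks)
# that have no linked private key, and prints the repair command for each.

# Assumed site name; replace with the CN of your own certificate.
$subjectFilter = 'CN=www.example.com'

# Open the local machine's Personal store read-only.
$store = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store `
                    -ArgumentList 'My', 'LocalMachine'
$store.Open('ReadOnly')

$unlinked = @()
foreach ($cert in $store.Certificates) {
    if ($cert.Subject -notlike "*$subjectFilter*") { continue }

    # SerialNumber is a hex string without spaces (e.g. "028503").
    # Insert a space after every byte to get the form the certificate
    # dialog shows and the post uses on the command line (e.g. "02 85 03").
    $serial = ($cert.SerialNumber -replace '(..)', '$1 ').Trim()

    if ($cert.HasPrivateKey) {
        Write-Output "OK: $($cert.Subject) (serial $serial) has a linked private key"
    } else {
        # A certificate without a linked private key is what makes IIS serve
        # nothing at all on 443, with no error logged.
        Write-Output "MISSING private key: $($cert.Subject) (serial $serial)"
        Write-Output "  Repair with: certutil -repairstore my `"$serial`""
        $unlinked += $serial
    }
}
$store.Close()

# Non-zero exit code if any matching certificate still needs repair,
# so the check can be scripted after a restore or re-import.
if ($unlinked.Count -gt 0) { exit 1 } else { exit 0 }
```

Run it as an administrator; after running the printed certutil command, run the check again and the certificate should report a linked private key.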

Over the years I have dealt with SSL I've had lots of errors and mistakes, but this was the first time I've encountered a situation where there were no errors and no clues; it just didn't work. Hoping this might help someone else.