Ryan_C
Engaged Sweeper
I'm familiar with how to set up SSL in IIS Express. However, every time we do, it breaks the system.

The moment I input the cert's thumbprint and restart the service, the whole site now becomes unreachable. As soon as I put the old thumbprint back in and restart the service, it all works again.

Any ideas? We've had three of us try this each dozens of times, so it's HIGHLY unlikely we're all making the same mistake. But for some reason it worked once (and only once) with a now-expired certificate.

The browser says that there is no certificate when we change to the new thumbprint.

I'm attaching a sanitized copy of our IISExpressSvc.exe.config file, and screenshots of the messages in the browser when we have the new thumbprint in place.
1 ACCEPTED SOLUTION
fjca
Champion Sweeper II
Be sure that the certificate is a Machine certificate, aka it's in the Local Computer Store, on the Personal Folder. I've had a problem like that in the past when I imported it on my user store, and then IIS could not see it...


6 REPLIES
edsn
Engaged Sweeper
Make sure you import a pfx that contains the private key to the certificate you are using.

I had the same issue when I tried to use a certificate that was imported from .crt.

If you only have .crt and .key files you can use the following command (and openssl) to create a pfx:
openssl pkcs12 -export -out bundle.pfx -inkey privkey.key -in cert.crt -certfile cert.ca.crt
Ryan_C
Engaged Sweeper
edsn wrote:
Make sure you import a pfx that contains the private key to the certificate you are using.

I had the same issue when I tried to use a certificate that was imported from .crt.

If you only have .crt and .key files you can use the following command (and openssl) to create a pfx:
openssl pkcs12 -export -out bundle.pfx -inkey privkey.key -in cert.crt -certfile cert.ca.crt


I'm pretty sure the PFX has the key, but I did not generate it myself (another team handles that). I'll verify.
fjca
Champion Sweeper II
Be sure that the certificate is a Machine certificate, aka it's in the Local Computer Store, on the Personal Folder. I've had a problem like that in the past when I imported it on my user store, and then IIS could not see it...
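
The two checks suggested in this thread (fjca: the certificate is in the Local Computer store under Personal; edsn: it was imported with its private key) can be run in PowerShell as below. This is an added example, not part of the original posts; the function name Test-ServiceCertificate is hypothetical and the all-zero thumbprint is a placeholder.

```powershell
# Added example: find a certificate by thumbprint and report whether it sits
# in the machine store with a private key. Function name is hypothetical.
function Test-ServiceCertificate {
    param(
        [Parameter(Mandatory)]
        [string]$Thumbprint
    )

    # Thumbprints copied from the certificate dialog can carry spaces or
    # invisible characters, so keep only the hex digits before comparing.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected a 40-character SHA-1 thumbprint, got $($clean.Length) hex characters."
    }

    # Look in the machine store (where the service reads from) and in the
    # current user's store (where an interactive import often lands by mistake).
    $stores = 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My'
    $now = Get-Date
    $found = foreach ($store in $stores) {
        Get-ChildItem -Path $store |
            Where-Object { $_.Thumbprint -eq $clean } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    HasPrivateKey = $_.HasPrivateKey
                    NotAfter      = $_.NotAfter
                    # Usable = machine store + private key + within validity dates
                    Usable        = ($store -eq 'Cert:\LocalMachine\My') -and
                                    $_.HasPrivateKey -and
                                    ($now -ge $_.NotBefore) -and
                                    ($now -le $_.NotAfter)
                }
            }
    }

    if (-not $found) {
        Write-Warning "No certificate with thumbprint $clean in LocalMachine\My or CurrentUser\My."
    }
    $found
}

# Placeholder thumbprint; substitute the value from IISExpressSvc.exe.config.
Test-ServiceCertificate -Thumbprint '0000000000000000000000000000000000000000'
```

A row with Store = Cert:\CurrentUser\My and no matching Cert:\LocalMachine\My row is the situation fjca describes; HasPrivateKey = False is the one edsn describes.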

Ryan_C
Engaged Sweeper
fjca wrote:
Be sure that the certificate is a Machine certificate, aka it's in the Local Computer Store, on the Personal Folder. I've had a problem like that in the past when I imported it on my user store, and then IIS could not see it...



Thanks, fjca. It seems this was the primary issue. We had it in the incorrect store.
Ryan_C
Engaged Sweeper
fjca wrote:
Be sure that the certificate is a Machine certificate, aka it's in the Local Computer Store, on the Personal Folder. I've had a problem like that in the past when I imported it on my user store, and then IIS could not see it...



Thank you. I will check that out. I think it's there, but I cannot be positive from memory alone.
Ryan_C
Engaged Sweeper
Any ideas?