When replacing SSL certificates in IIS7, many admins encounter a frustrating situation where the server continues to serve the old certificate despite completing all of the apparently correct steps. This typically manifests as browser warnings about an expired certificate, even after:
- Deleting the old certificate from Server Certificates
- Creating a new CSR and completing the certificate request
- Binding the new certificate to the website
The most common root causes include:
Certificate Store Issues: The old certificate might still exist in the Windows Certificate Store even after removal from IIS Manager. Compare what IIS is actually bound to with what the store still holds:
```powershell
Import-Module WebAdministration
# List every SSL binding and the certificate thumbprint it points at
Get-ChildItem IIS:\SslBindings | Format-Table -AutoSize
# Check whether the old certificate still exists in the Local Machine store
Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -like "*yourdomain.com*"}
```
Here's the complete troubleshooting process:
```powershell
# PowerShell script to completely remove the old certificate from the Local Machine store
$oldCertThumbprint = "OLD_CERT_THUMBPRINT"   # replace with the old certificate's thumbprint (hex, no spaces)
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store "My", "LocalMachine"
$store.Open("ReadWrite")                     # ReadWrite on LocalMachine needs an elevated session
$certs = $store.Certificates | Where-Object {$_.Thumbprint -eq $oldCertThumbprint}
foreach($cert in $certs) {
    $store.Remove($cert)
}
$store.Close()
```
After cleaning up old certificates, rebind using PowerShell for precision:
```powershell
Import-Module WebAdministration
# Remove the old binding first
Remove-WebBinding -Name "Default Web Site" -Protocol "https" -Port 443
# Add the new binding. -SslFlags 1 requests SNI, which needs -HostHeader and IIS 8 or later;
# on IIS 7/7.5 omit -SslFlags.
New-WebBinding -Name "Default Web Site" -Protocol "https" -Port 443 -SslFlags 1
# Pick the newest certificate for the subject so a lingering expired copy is not rebound
$newCert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -like "*yourdomain.com*"} | Sort-Object NotAfter -Descending | Select-Object -First 1
$binding = Get-WebBinding -Name "Default Web Site" -Protocol "https"
# GetCertHashString() returns the thumbprint; "My" is the Personal store
$binding.AddSslCertificate($newCert.GetCertHashString(), "My")
```
After making changes, clear these caches:
- Restart the IIS service: `iisreset /noforce`
- Clear the Windows certificate cache: `certutil -urlcache * delete`
- Restart the HTTP service: `net stop http /y` then `net start http`
Check your work with these tools:
```sh
# Verify the certificate actually served; -servername sends SNI so the right site answers.
# s_client keeps the session open: press Ctrl+C (or redirect stdin from an empty file) to end it.
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com | openssl x509 -noout -subject -issuer -dates
```
```powershell
# Alternative using PowerShell: confirms the port is reachable but does not show the certificate
Test-NetConnection -ComputerName yourdomain.com -Port 443 | fl *
```
After replacing an expired SSL certificate in IIS7, browsers continue to present security warnings because they're receiving the old certificate. This occurs despite:
- Properly removing the expired certificate from Server Certificates
- Creating a new certificate request
- Successfully completing the certificate installation
- Restarting the server
Several factors could cause this behavior:
1. Certificate binding issues in IIS
2. Caching mechanisms (server or client-side)
3. SNI (Server Name Indication) configuration problems
4. Intermediate certificate chain issues
1. Verify Certificate Bindings
First, check the exact binding configuration:
```powershell
Import-Module WebAdministration
# List all SSL bindings
Get-ChildItem IIS:\SslBindings | Format-Table -AutoSize
```
If you see the old certificate still bound, remove it with:
```powershell
# Remove the binding for all IPs on port 443 (the key format is IP!Port)
Remove-Item IIS:\SslBindings\0.0.0.0!443 -Confirm:$false
```
2. Clear Certificate Cache
Windows maintains a certificate cache that might need flushing:
```cmd
net stop cryptsvc
net start cryptsvc
```
3. Check Intermediate Certificates
Use OpenSSL to verify the chain:
```sh
# -showcerts prints every certificate the server sends, so a missing intermediate is visible
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -showcerts
```
4. Advanced IIS Configuration
For sites using SNI, verify the hostname binding:
```cmd
rem AppCmd syntax to list each site's bindings
%windir%\system32\inetsrv\appcmd list site /text:bindings
```
Essential tools for diagnosis:
- SSL Labs Test (https://www.ssllabs.com/ssltest/)
- Microsoft's CertMgr tool
- Wireshark for packet inspection
- Verify certificate is installed in Local Machine store
- Confirm IIS worker process has proper permissions
- Check for multiple certificates with same subject name
- Test from different client networks
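The two checks above (duplicate certificates with the same subject, and a binding still pointing at the old certificate) can be run together. This is an added diagnostic, not code from the original article: it assumes the WebAdministration module in an elevated session, and `yourdomain.com` is a placeholder hostname.

```powershell
# Added diagnostic (not from the original article). Assumes WebAdministration
# (IIS 7.5+) in an elevated PowerShell session; "yourdomain.com" is a placeholder.
Import-Module WebAdministration

function Get-IisCertState {
    param([string]$Subject = "yourdomain.com")   # placeholder hostname
    $now = Get-Date

    # 1. Certificates in LocalMachine\My matching the subject. More than one is
    #    the classic reason IIS keeps serving the old, expired certificate.
    $certs = @(Get-ChildItem Cert:\LocalMachine\My |
               Where-Object { $_.Subject -like "*$Subject*" })
    if ($certs.Count -gt 1) {
        Write-Warning "$($certs.Count) certificates match *$Subject* in LocalMachine\My"
    }
    foreach ($c in $certs) {
        $state = if ($c.NotAfter -lt $now) { 'EXPIRED' } else { 'valid' }
        '{0} {1,-7} expires {2:yyyy-MM-dd}' -f $c.Thumbprint, $state, $c.NotAfter
    }

    # 2. Each SSL binding and the certificate it actually points at.
    foreach ($b in Get-ChildItem IIS:\SslBindings) {
        $label = ("{0}:{1} {2}" -f $b.IPAddress, $b.Port, $b.Host).Trim()
        $path  = "Cert:\LocalMachine\$($b.Store)\$($b.Thumbprint)"
        $bound = Get-Item $path -ErrorAction SilentlyContinue
        if (-not $bound) {
            # Certificate was deleted from the store but the binding was left behind
            Write-Warning "$label -> thumbprint $($b.Thumbprint) not found in store $($b.Store)"
        } elseif ($bound.NotAfter -lt $now) {
            Write-Warning "$label -> still bound to EXPIRED cert $($b.Thumbprint)"
        } else {
            "$label -> $($b.Thumbprint) (valid until $($bound.NotAfter.ToString('yyyy-MM-dd')))"
        }
    }
}

Get-IisCertState -Subject 'yourdomain.com'
```

A warning on the binding line, rather than on the certificate list, tells you the fix is in the binding (section 1 above), not in the store.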