After meticulously following all standard procedures - installing the new SSL certificate in IIS7, removing the old certificate, updating bindings, and verifying through multiple channels - you'd expect the new certificate to be served. Yet browsers keep receiving the old one. Here's how to systematically eliminate this stubborn issue.
:: First, verify which certificate http.sys has bound to the port
netsh http show sslcert ipport=0.0.0.0:443
:: Check the machine Personal store for duplicate certificates (same issuer, different serial)
certutil -store MY | findstr /i "Issuer Serial"
Even experienced administrators often miss these subtle configuration points:
- Multiple sites sharing the same IP:port binding
- SNI (Server Name Indication) misconfiguration
- Certificate store permission issues
- Certificate chain validation problems
When basic checks don't reveal the issue, try these deeper inspections:
:: Check for a host-name (SNI) binding that takes precedence over the IP:port binding
:: (hostnameport bindings exist on Windows Server 2012 and later only)
netsh http show sslcert hostnameport=yourdomain.com:443
:: Verify private key file permissions; the application pool identity needs read access
icacls "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\*"
When all else fails, this comprehensive removal process often resolves the issue:
:: Remove the http.sys SSL binding for the port
netsh http delete sslcert ipport=0.0.0.0:443
:: Clear the certutil URL cache (cached CRL and AIA downloads)
certutil -urlcache * delete
:: Reboot the server
shutdown /r /t 0
Implement these best practices for smoother certificate transitions:
- Always use unique IP:port combinations for critical sites
- Document all certificate thumbprints in your CMDB
- Create a pre-deployment checklist for certificate changes
- Consider using certificate management automation tools
After implementing solutions, verify with these tools:
:: External check with OpenSSL, from any machine that can reach the site: shows the validity dates of the certificate actually served for that SNI name
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com | openssl x509 -noout -dates
# Local certificate binding verification (PowerShell, WebAdministration module)
Import-Module WebAdministration
Get-ChildItem IIS:\SslBindings | Select-Object IPAddress,Port,Thumbprint
After meticulously following all standard SSL certificate replacement procedures in IIS 7 - removing the old cert, installing the new one, updating bindings, and verifying through multiple channels - the server stubbornly continues to serve the old certificate. This ghost certificate scenario is more common than you might think, especially in Windows Server 2008 environments.
You've already done the basics right:
netsh http show sslcert
certutil -store MY
But the problem persists. Let's dive deeper into the Windows certificate ecosystem.
The real culprit often hides in these locations:
- Local Machine's Personal store (Certlm.msc)
- Current User's Personal store (Certmgr.msc)
- Intermediate Certificate Authorities store
- Third-party security software caches
Try this PowerShell script to completely eliminate certificate residues:
# Find any certificate in the machine Personal store with the old thumbprint
# (OLD_THUMBPRINT is a placeholder: paste the old certificate's thumbprint without spaces)
$oldCert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq "OLD_THUMBPRINT" }
# Remove it from the store
if ($oldCert) {
    Remove-Item -Path $oldCert.PSPath -Force
    Write-Host "Old certificate purged from LocalMachine\My"
}
# Repeat for the CurrentUser store in case the certificate was imported there as well
$oldUserCert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq "OLD_THUMBPRINT" }
if ($oldUserCert) {
    Remove-Item -Path $oldUserCert.PSPath -Force
    Write-Host "Old certificate purged from CurrentUser\My"
}
Sometimes the binding itself gets corrupted. Try this sequence:
:: Remove the existing http.sys binding
netsh http delete sslcert ipport=0.0.0.0:443
:: Add a fresh binding with the new certificate (NEW_THUMBPRINT is a placeholder; certhash is the
:: thumbprint without spaces, and appid is any GUID identifying the owning application;
:: bindings created by IIS itself use {4dc3e181-e14b-4a21-b022-59fc669b0914})
netsh http add sslcert ipport=0.0.0.0:443 certhash=NEW_THUMBPRINT appid={00000000-0000-0000-0000-000000000000}
Don't forget these caching layers:
- Restart the "HTTP Service" (not just IIS)
- Clear the Schannel cache:
klist purge
- Disable and re-enable the network adapter
- Flush DNS:
ipconfig /flushdns
To confirm your changes took effect:
# Check the certificate actually served for the SNI name
openssl s_client -connect yourserver:443 -servername yourdomain.com | openssl x509 -noout -text
# Verify no old cert in the chain: -showcerts prints every certificate the server sends
openssl s_client -connect yourserver:443 -servername yourdomain.com -showcerts
# Confirm the port is reachable (Test-NetConnection reports TCP reachability only; it does not expose the remote certificate)
Test-NetConnection -ComputerName yourserver -Port 443 |
    Format-List -Property ComputerName,RemotePort,TcpTestSucceeded
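The verification steps above, and the binding check earlier in this article, look at three separate layers: the certificate store, the http.sys binding, and the TLS handshake. The following PowerShell script is an added example, not part of the original article, that compares all three against one expected thumbprint. It assumes English netsh output and treats NEW_THUMBPRINT, yourdomain.com and yourserver as placeholders.

```powershell
# Added example: compare the expected certificate with the http.sys binding and
# with what the server really presents in the TLS handshake. Placeholders below are not real values.
param(
    [string]$ExpectedThumbprint = 'NEW_THUMBPRINT',   # placeholder thumbprint
    [string]$HostName           = 'yourdomain.com',   # SNI name to request
    [string]$Server             = 'yourserver',       # host to connect to
    [int]$Port                  = 443
)
$ExpectedThumbprint = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

# 1. Is the expected certificate in LocalMachine\My, and does it carry a private key?
$stored = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $ExpectedThumbprint }
if (-not $stored) { Write-Warning 'Expected certificate is not in LocalMachine\My' }
elseif (-not $stored.HasPrivateKey) { Write-Warning 'Expected certificate has no private key' }

# 2. Which thumbprint does each http.sys binding point at? Parse 'netsh http show sslcert'.
$bindings = @()
$current  = $null
foreach ($line in (netsh http show sslcert)) {
    if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
        $current   = [pscustomobject]@{ Binding = $Matches[2]; Hash = '' }
        $bindings += $current
    } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
        $current.Hash = $Matches[1].ToUpper()
    }
}
foreach ($b in $bindings) {
    $state = if ($b.Hash -eq $ExpectedThumbprint) { 'OK' } else { 'STALE' }
    '{0,-28} {1} {2}' -f $b.Binding, $b.Hash, $state
}

# 3. Which certificate does the server actually present for this SNI name?
$tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
# The callback accepts any chain: the goal is to read what is served, not to trust it.
$cb  = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
try {
    $ssl.AuthenticateAsClient($HostName)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    'Served: {0}  {1}  expires {2}' -f $served.Thumbprint, $served.Subject, $served.NotAfter
    if ($served.Thumbprint -ne $ExpectedThumbprint) {
        Write-Warning 'The handshake still returns a certificate other than the expected one'
    }
} finally {
    $ssl.Dispose(); $tcp.Close()
}
```

Run it in an elevated PowerShell session on the IIS host: a STALE binding points at the layer that still holds the old certificate, while a matching binding but a mismatched Served line points at caching or a different host-name binding.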
As a last resort:
- Export all site configuration first:
%windir%\system32\inetsrv\appcmd list site /config /xml > backupsites.xml
- Complete IIS reset:
iisreset /stop
iisreset /start
- Reboot into Safe Mode with Networking and reapply certificates