When migrating websites from Windows Server 2008 R2/IIS 7.5 to Windows Server 2012/IIS 8.0, many administrators encounter the frustrating "Failed to Remove Certificate" error during SSL installation. This occurs whether using GoDaddy or Thawte certificates, suggesting a systemic issue with IIS 8.0's certificate handling.
The root cause stems from IIS 8.0's new certificate store architecture. While older guides (like GoDaddy's IIS 7 instructions) direct you to use the Intermediate Certification Authorities store, IIS 8.0 introduces the Web Hosting store specifically for SNI-enabled certificates.
Here's the proper procedure that actually works:
- Open MMC (mmc.exe) and add the Certificates snap-in for Computer account
- Navigate to Web Hosting store (not Personal)
- Right-click → All Tasks → Import
- Select your .pfx file and complete the wizard
# PowerShell alternative for certificate import
Import-PfxCertificate -FilePath "C:\path\to\certificate.pfx" -CertStoreLocation Cert:\LocalMachine\WebHosting -Password (ConvertTo-SecureString -String "yourpassword" -AsPlainText -Force)
After successful import, check binding in IIS Manager:
# Command to verify installed certificates
Get-ChildItem -Path Cert:\LocalMachine\WebHosting | Format-Table FriendlyName, Thumbprint
For SNI-enabled sites, ensure hostname matches in binding:
<binding protocol="https" bindingInformation="*:443:yourdomain.com" />
- Reset IIS:
iisreset /noforce
- Check certificate permissions:
icacls "C:\path\to\certificate.pfx" /grant "NETWORK SERVICE":RX
- Verify private key exists:
certutil -store WebHosting
When migrating SSL certificates to IIS 8.0 with Server Name Indication (SNI) support, the certificate store selection becomes critical. Unlike older IIS versions where certificates were typically installed in the Personal store, IIS 8.0 introduces the dedicated Web Hosting store for improved SNI management.
Here's the proper procedure I've verified through multiple deployments:
# PowerShell command to import certificate to correct store
Import-PfxCertificate -FilePath "C:\path\to\your_cert.pfx" -CertStoreLocation "Cert:\LocalMachine\WebHosting" -Password (ConvertTo-SecureString -String "your_password" -AsPlainText -Force)
The "Failed to Remove Certificate" error typically occurs when:
- The certificate exists in multiple stores (check with certlm.msc)
- Insufficient permissions on the certificate private key
- Certificate chain validation issues
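The three causes listed above can be checked directly on the server. The script below is an added example, not part of the original article; it assumes the operator supplies the certificate thumbprint and that the private key is a CSP-backed RSA key kept in the default MachineKeys directory.

```powershell
# Added diagnostic example; not part of the original article.
param(
    # Thumbprint of the certificate to inspect (supplied by the operator).
    [Parameter(Mandatory = $true)][string]$Thumbprint
)
# Thumbprints pasted from the MMC dialog often carry spaces or hidden characters.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# Cause 1: the same certificate present in more than one LocalMachine store.
$copies = foreach ($store in Get-ChildItem -Path Cert:\LocalMachine) {
    Get-ChildItem -Path "Cert:\LocalMachine\$($store.Name)" -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $Thumbprint } |
        Select-Object @{ n = 'Store'; e = { $store.Name } }, Subject, NotAfter, HasPrivateKey
}
$copies | Format-Table -AutoSize
if (@($copies).Count -gt 1) { Write-Warning 'Certificate exists in multiple stores.' }

$cert = Get-ChildItem -Path Cert:\LocalMachine\WebHosting |
    Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
if (-not $cert) { Write-Warning 'Not found in the Web Hosting store.'; return }

# Cause 2: private key missing, or its ACL too narrow for the IIS identity.
# Assumption: CSP-backed RSA key; CNG keys live elsewhere and only raise a warning here.
if (-not $cert.HasPrivateKey) {
    Write-Warning 'No private key is associated with this certificate.'
} else {
    try {
        $name = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
        $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$name"
        if (Test-Path -LiteralPath $keyFile -PathType Leaf) {
            (Get-Acl -LiteralPath $keyFile).Access |
                Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
        } else {
            Write-Warning 'No CSP key file under MachineKeys (CNG key, or imported without MachineKeySet).'
        }
    } catch {
        Write-Warning "Private key could not be inspected: $($_.Exception.Message)"
    }
}

# Cause 3: chain validation problems, such as a missing intermediate certificate.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if ($chain.Build($cert)) {
    'Chain builds to a trusted root.'
} else {
    $chain.ChainStatus | ForEach-Object { '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }
}
```

Run it from an elevated PowerShell session, since reading the machine key ACLs requires administrative rights.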
After successful installation, confirm the certificate is in the Web Hosting store with this PowerShell snippet:
Get-ChildItem -Path cert:\LocalMachine\WebHosting | Where-Object { $_.Subject -like "*yourdomain.com*" } | Format-List *
For large-scale deployments, consider this automation script:
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
# MachineKeySet keeps the private key in the machine key store, which a LocalMachine store entry needs
$cert.Import("C:\certs\your_cert.pfx", "password", "MachineKeySet,PersistKeySet")
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store "WebHosting", "LocalMachine"
$store.Open("ReadWrite")
$store.Add($cert)
$store.Close()
When issues persist:
- Clear existing certificates:
netsh http delete sslcert ipport=0.0.0.0:443
- Reset IIS:
iisreset /noforce
- Check system logs:
Get-WinEvent -LogName System | Where Message -like "*SSL*"