When HTTPS works on localhost but fails on your production domain (example.net in this case), we're typically dealing with one of these scenarios:
// Quick test to verify SSL handshake
openssl s_client -connect example.net:443 -servername example.net
First, let's verify the certificate is properly bound to the correct IP and port:
netsh http show sslcert ipport=0.0.0.0:443
// Expected output should show:
// Certificate Hash : [your_cert_thumbprint]
// Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
// Certificate Store Name : MY
// Verify Client Certificate Revocation : Enabled
// Usage Check : Enabled
// Revocation Freshness Time : 0
// URL Retrieval Timeout : 0
// Ctl Identifier : (null)
// Ctl Store Name : (null)
// DS Mapper Usage : Disabled
// Negotiate Client Certificate : Disabled
Several configuration elements often get missed:
- SNI (Server Name Indication) requirements
- Certificate chain completeness
- Binding precedence rules
- Intermediate CA certificates
// PowerShell command to verify certificate chain. Note that Verify() returns only $true/$false;
// a $false here means "build the chain with X509Chain to see which element is failing"
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq "YOUR_THUMBPRINT" } |
    Select-Object -Property Thumbprint, Subject, NotBefore, NotAfter,
        @{Name="ChainStatus";Expression={ $_.Verify() }}
Don't overlook basic network checks:
// Verify DNS resolution
nslookup example.net
// Check TCP connectivity
Test-NetConnection example.net -Port 443
When basic checks don't reveal the issue:
- Capture network traffic with Wireshark
- Enable IIS Failed Request Tracing
- Check Windows Event Viewer for SCHANNEL errors
// Windows Event Log query for SSL errors (filtered at the source; piping the whole
// System log through Where-Object is much slower and gives the same events)
Get-WinEvent -FilterHashtable @{ LogName = "System"; ProviderName = "Schannel" } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
Before considering certificate reinstallation:
| Check | Command/Tool |
|---|---|
| Certificate permissions | certlm.msc (Local Computer store; certmgr.msc opens only the Current User store) |
| Private key accessibility | MMC → Certificates snap-in (Computer account) → All Tasks → Manage Private Keys |
| Binding conflicts | netsh http show urlacl |
| Firewall rules | Get-NetFirewallRule |
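The checklist above, pulled together into one PowerShell script. This is an added example, not code from the original answer. It assumes an elevated PowerShell session on the IIS host itself, that the NetTCPIP/DnsClient cmdlets (Resolve-DnsName, Test-NetConnection, Get-NetIPAddress) are available, and that Schannel logs to the System log under the provider name "Schannel"; the hostname and ip:port at the top are placeholders.

```powershell
# Added example (not from the original answer): the checklist above as one script.
# Run in an elevated PowerShell on the IIS host. Placeholders: the hostname and ip:port.
$HostName = 'example.net'
$IpPort   = '0.0.0.0:443'   # for an SNI binding use: netsh http show sslcert hostnameport=example.net:443

# 1. What HTTP.sys actually has bound on that ip:port, parsed out of netsh's text output.
function Get-BoundCertificate {
    param([string]$IpPort)
    $text = (netsh http show sslcert ipport=$IpPort 2>&1) -join "`n"
    $hash = [regex]::Match($text, 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})').Groups[1].Value
    $app  = [regex]::Match($text, 'Application ID\s*:\s*(\{[^}]+\})').Groups[1].Value
    if (-not $hash) { return $null }                       # nothing bound on that ip:port
    # -eq is case-insensitive, so netsh's lowercase hash matches the Cert: drive's uppercase thumbprint
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $hash } | Select-Object -First 1
    [pscustomobject]@{
        IpPort          = $IpPort
        Thumbprint      = $hash
        ApplicationId   = $app                             # {4dc3e181-e14b-4a21-b022-59fc669b0914} = IIS
        InPersonalStore = [bool]$cert
        HasPrivateKey   = [bool]($cert -and $cert.HasPrivateKey)
        Certificate     = $cert
    }
}

# 2. Build the chain the way CryptoAPI does and note where each element lives. Schannel sends
#    the intermediates it finds in LocalMachine\CA; a chain that builds only because the
#    intermediate was fetched via AIA leaves external clients to do that fetch themselves.
function Test-CertificateChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $built = $chain.Build($Cert)
    $elements = foreach ($el in $chain.ChainElements) {
        $tp = $el.Certificate.Thumbprint
        [pscustomobject]@{
            Subject     = $el.Certificate.Subject
            IsRoot      = ($el.Certificate.Subject -eq $el.Certificate.Issuer)
            InCAStore   = (Test-Path "Cert:\LocalMachine\CA\$tp")     # intermediates belong here
            InRootStore = (Test-Path "Cert:\LocalMachine\Root\$tp")
            Status      = (($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ',')
        }
    }
    [pscustomobject]@{
        Built    = $built
        Status   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        Elements = $elements
    }
}

# 3. Does the public name resolve to an address on this machine, and is 443 reachable by name?
function Test-NameAndPort {
    param([string]$HostName, [int]$Port = 443)
    $resolved = @(Resolve-DnsName $HostName -Type A -ErrorAction SilentlyContinue |
                  Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress })
    $local    = @((Get-NetIPAddress -AddressFamily IPv4).IPAddress)
    $tcp      = Test-NetConnection -ComputerName $HostName -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Resolved        = ($resolved -join ',')
        ResolvesToLocal = [bool]($resolved | Where-Object { $local -contains $_ })   # $false: NAT or load balancer in front
        TcpOpen         = $tcp.TcpTestSucceeded
    }
}

# 4. Recent Schannel events. Commonly seen IDs: 36870 (cannot access the server credential's
#    private key), 36874 (no common cipher suite), 36887/36888 (fatal alert received/sent).
function Get-SchannelEvents {
    param([int]$Hours = 24, [int]$MaxEvents = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; StartTime = (Get-Date).AddHours(-$Hours) } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Run the checks
$bound = Get-BoundCertificate -IpPort $IpPort
if (-not $bound) { Write-Warning "No SSL certificate bound on $IpPort"; return }
$bound | Select-Object IpPort, Thumbprint, ApplicationId, InPersonalStore, HasPrivateKey | Format-List
if ($bound.Certificate) {
    $chain = Test-CertificateChain -Cert $bound.Certificate
    "Chain built: $($chain.Built)   status: $($chain.Status)"
    $chain.Elements | Format-Table -AutoSize
}
Test-NameAndPort -HostName $HostName | Format-List
Get-SchannelEvents | Format-Table -AutoSize -Wrap
```

Read the output top to bottom: a binding whose thumbprint is not in LocalMachine\My (or has no private key) explains a hard failure on its own; an intermediate with InCAStore false explains "verify error" from openssl s_client; ResolvesToLocal false means a NAT or load balancer sits in front and the next checks belong on that device.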
When attempting to access https://example.net, the site fails to load completely. However, https://localhost works on the server itself (though with a certificate mismatch warning). The certificate appears properly installed in the Local Computer > Personal > Certificates store with the private key available. Port 443 is confirmed open in firewall settings.
First, verify the certificate chain using OpenSSL:
openssl s_client -connect example.net:443 -servername example.net -showcerts
Expected output should show the complete certificate chain without "verify error" messages. If intermediate certificates are missing, you'll need to install them in the "Intermediate Certification Authorities" store.
Even with correct bindings, these issues often prevent HTTPS from working:
- The certificate's Subject Alternative Name (SAN) must include example.net
- Application Pool identity needs read access to the certificate's private key
- SNI (Server Name Indication) must be enabled for multi-domain hosting
Run this script to check certificate binding in IIS:
Import-Module WebAdministration
# All SSL bindings on 443. IP bindings appear as "0.0.0.0!443"; SNI bindings as "!443!hostname"
Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 443 } | Format-List *
# Thumbprint behind the IP-based binding (for an SNI binding use "IIS:\SslBindings\!443!example.net")
(Get-ItemProperty -Path "IIS:\SslBindings\0.0.0.0!443").Thumbprint
Cross-validate this thumbprint with what you see in the certificate store.
For external access failures but working localhost access:
- Run telnet example.net 443 to verify TCP connectivity
- Check if the server's external IP matches the DNS record for example.net
- Verify no SSL offloading is configured on load balancers
If the issue persists, examine the HTTP.sys configuration directly (SslBindingInfo is a key with one subkey per ip:port rather than a value, so query it recursively):
reg query HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo /s
Incorrect entries here can prevent proper SSL binding despite IIS showing correct configuration.
After fixing any identified issues:
netsh http show sslcert ipport=0.0.0.0:443
netstat -ano | findstr ":443"
This confirms the binding is active at both application and network levels.
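The SAN, private-key permission and SNI points in this answer, as one added PowerShell script (not code from the original answer). It assumes the site runs under an application pool named DefaultAppPool, that the certificate's private key is an RSA key stored in the machine key directories under %ProgramData%\Microsoft\Crypto (not in an HSM), and that the thumbprint at the top is the one netsh or IIS:\SslBindings reports. The handshake test connects to 127.0.0.1 but sends example.net in the SNI extension, which reproduces what an external client asks for without depending on DNS or the firewall; point -ConnectTo at the public IP from another machine to test the whole path.

```powershell
# Added example (not from the original answer): check the certificate itself and the TLS
# answer the server gives for the public name. Run elevated on the web server.
$HostName   = 'example.net'
$AppPool    = 'DefaultAppPool'       # assumption: the site's application pool
$Thumbprint = 'YOUR_THUMBPRINT'      # placeholder: from netsh http show sslcert / IIS:\SslBindings

# 1. The hostname must match a DNS entry in the SAN; modern clients ignore the CN.
function Test-SubjectAltName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$HostName)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if (-not $ext) { return [pscustomobject]@{ Names = @(); Matches = $false } }
    # Format($false) yields e.g. "DNS Name=example.net, DNS Name=www.example.net"
    $names = @(($ext.Format($false) -split ',\s*') | Where-Object { $_ -match '^DNS Name=' } |
               ForEach-Object { ($_ -split '=', 2)[1].Trim().ToLower() })
    $h = $HostName.ToLower()
    $match = $names | Where-Object {
        if ($_.StartsWith('*.')) {
            # a wildcard covers exactly one label: *.example.net matches www.example.net, not example.net
            $h.EndsWith($_.Substring(1)) -and ($h.Split('.').Count -eq $_.Split('.').Count)
        } else { $_ -eq $h }
    }
    [pscustomobject]@{ Names = $names; Matches = [bool]$match }
}

# 2. Locate the private key file and list who can read it. Schannel opens the key as the
#    worker process identity, so the app pool (or IIS_IUSRS) needs Read; a missing Read
#    shows up as Schannel event 36870 rather than as an obvious IIS error.
function Get-PrivateKeyAccess {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $null }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if (-not $rsa) { return $null }                                  # assumption: RSA key; ECDSA not handled here
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $name = $rsa.Key.UniqueName                                  # CNG key container
        $dirs = "$env:ProgramData\Microsoft\Crypto\Keys", "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys"
    } else {
        $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName     # legacy CSP key container
        $dirs = ,"$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys"
    }
    $path = $dirs | ForEach-Object { Join-Path $_ $name } | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $path) { return $null }
    $acl = Get-Acl -Path $path
    [pscustomobject]@{
        KeyFile = $path
        Readers = @($acl.Access |
                    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.FileSystemRights -match 'Read|FullControl' } |
                    ForEach-Object { $_.IdentityReference.Value })
    }
}

# 3. Handshake against the local listener but with the public name in SNI. Browsing
#    https://localhost sends SNI=localhost, so a wrong per-hostname binding only shows up here.
function Test-TlsHandshake {
    param([string]$HostName, [string]$ConnectTo = '127.0.0.1', [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ConnectTo, $Port)
        # Validation callback returns $true: we want the presented cert even if its chain fails.
        $cb  = ({ $true } -as [System.Net.Security.RemoteCertificateValidationCallback])
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)      # $HostName goes into the SNI extension
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{ Ok = $true; Protocol = $ssl.SslProtocol; Thumbprint = $remote.Thumbprint; Subject = $remote.Subject; Error = $null }
    } catch {
        [pscustomobject]@{ Ok = $false; Protocol = $null; Thumbprint = $null; Subject = $null; Error = $_.Exception.GetBaseException().Message }
    } finally { $client.Close() }
}

# Run the checks
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
if (-not $cert) { Write-Warning "Thumbprint $Thumbprint not found in LocalMachine\My"; return }

$san = Test-SubjectAltName -Cert $cert -HostName $HostName
"SAN entries: $($san.Names -join ', ')   covers ${HostName}: $($san.Matches)"

$key = Get-PrivateKeyAccess -Cert $cert
if ($key) {
    "Key file: $($key.KeyFile)"
    "Readable by: $($key.Readers -join ', ')"
    $poolId = "IIS AppPool\$AppPool"
    "App pool identity '$poolId' can read the key: " + [bool]($key.Readers -contains $poolId -or $key.Readers -contains 'BUILTIN\IIS_IUSRS')
} else { Write-Warning 'No private key file found on disk (not RSA, or the key lives in an HSM/KSP)' }

$hs = Test-TlsHandshake -HostName $HostName
if ($hs.Ok) {
    "Server presented $($hs.Thumbprint) ($($hs.Subject)) over $($hs.Protocol)"
    "Presented certificate is the bound one: $($hs.Thumbprint -eq $Thumbprint)"
} else { Write-Warning "Handshake for SNI $HostName failed: $($hs.Error)" }
```

If the handshake succeeds locally with the right thumbprint but external clients still fail, the problem is in front of the server (DNS, NAT, load balancer or SSL offload); if the presented thumbprint differs from the bound one, another binding (typically an SNI binding for the same hostname, or a different IP binding) is winning.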