Troubleshooting Disappearing SSL Certificates in IIS7: Wildcard Installation and Binding Issues



When installing a GoDaddy wildcard SSL certificate (*.domain.com) on Windows Server 2008 R2 with IIS7, the certificate appears to install successfully but vanishes from the Server Certificates list after refresh. The certificate also doesn't appear as an available option when attempting to configure HTTPS bindings.

The standard installation procedure follows these steps:

1. Open IIS Manager
2. Select server node in left pane
3. Open "Server Certificates" feature
4. Click "Complete Certificate Request"
5. Browse to the .crt file
6. Assign a friendly name
7. Click "Finish"

The issue stems from certificate chain validation. The intermediate certificates aren't being properly installed alongside the domain certificate. Here's how to verify:

certmgr.msc

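Check both the "Intermediate Certification Authorities" and "Personal" stores. certmgr.msc opens the current user's stores; to inspect the Local Machine stores that IIS reads, open mmc.exe and add the Certificates snap-in for the Computer account.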

Here's the proper installation sequence:

# First install the intermediate certificates (-c selects certificates, -all adds every one in the bundle)
certmgr.exe -add -all -c gd_iis_intermediates.crt -s -r localMachine CA

# Then install the domain certificate
certmgr.exe -add -c domain.crt -s -r localMachine MY

If you have access to the working IIS6 server, export the certificate as PFX:

openssl pkcs12 -export -out certificate.pfx -inkey private.key -in domain.crt -certfile gd_bundle.crt

Then import into IIS7 using:

# certmgr.exe has no PFX import option; certutil imports into the Local Machine "My" (Personal) store by default
certutil -f -p password -importPFX certificate.pfx

After installation, verify the certificate appears in all relevant stores:

certutil -store -v My
certutil -store -v CA

Once properly installed, bind it to your site using PowerShell:

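Import-Module WebAdministration   # provides New-WebBinding and the IIS: drive
# SNI (-SslFlags 1) requires IIS 8 or later, so the IIS7 binding is created without it
New-WebBinding -Name "Default Web Site" -Protocol "https" -Port 443
# Select a single matching certificate that has its private key
$cert = Get-ChildItem -Path cert:\LocalMachine\My | Where-Object { $_.Subject -like "*domain.com*" -and $_.HasPrivateKey } | Select-Object -First 1
New-Item -Path IIS:\SslBindings\0.0.0.0!443 -Value $cert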

Common pitfalls:

  • Installing only the domain certificate without intermediates
  • Using wrong certificate store locations
  • Permission issues with private keys
  • Mismatched certificate and private key pairs

Validate your installation with:

Test-NetConnection -ComputerName localhost -Port 443
openssl s_client -connect domain.com:443 -servername domain.com -showcerts

When working with wildcard SSL certificates from GoDaddy on Windows Server 2008 R2 with IIS7, many administrators encounter a peculiar issue: the certificate appears to install successfully but disappears upon refresh or navigation. Here's what's really happening and how to fix it.

The issue typically stems from either incomplete certificate chain installation or improper certificate format. Based on the GoDaddy documentation and Microsoft support forums, here are the key findings:

1. The intermediate certificates (gd_iis_intermediates) must be installed first
2. The certificate request must be completed on the same server where it was generated
3. PFX format is often more reliable than CRT for IIS7 installations

Here's the proper workflow to successfully install a GoDaddy wildcard SSL certificate in IIS7:

1. Install Intermediate Certificates First

Before installing your domain certificate, import the intermediate certificates:

certmgr.msc → Right-click 'Intermediate Certification Authorities' → 
All Tasks → Import → Select gd_iis_intermediates.crt

2. Proper Certificate Installation

Use this PowerShell script to ensure proper certificate installation:

# Import the SSL certificate
$cert = Import-Certificate -FilePath "C:\path\to\your_domain.crt" `
    -CertStoreLocation Cert:\LocalMachine\My

# Verify installation
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*domain.com*" }

3. Convert to PFX Format (Alternative Method)

If the certificate keeps disappearing, convert it to PFX format:

openssl pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.crt

Then import using IIS Manager or this command:

Import-PfxCertificate -FilePath C:\certificate.pfx `
    -CertStoreLocation Cert:\LocalMachine\My `
    -Password (ConvertTo-SecureString -String "yourpassword" -Force -AsPlainText)

After successful installation, verify the binding with this command:

netsh http show sslcert

Or check programmatically with C#:

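// Requires a reference to Microsoft.Web.Administration.dll
using System;
using Microsoft.Web.Administration;

using (var serverManager = new ServerManager())
{
    var site = serverManager.Sites["YourWebsite"];
    foreach (var binding in site.Bindings)
    {
        // CertificateHash is a byte[]; format it as hex rather than printing the type name
        if (binding.Protocol == "https" && binding.CertificateHash != null)
        {
            Console.WriteLine($"Certificate Hash: {BitConverter.ToString(binding.CertificateHash).Replace("-", "")}");
        }
    }
}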

If problems persist, check these areas:

  • Ensure the certificate has the private key (check in certmgr.msc)
  • Verify the certificate chain is complete (certmgr.msc → Intermediate Certification Authorities)
  • Check the certificate store location (should be Local Machine/Personal)
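
The three checks above can be scripted. The following PowerShell is an added example, not part of the original article or of GoDaddy's or Microsoft's documentation; 'domain.com' is a placeholder subject fragment and Test-CertificateReadiness is a hypothetical function name.

```powershell
# Added example. 'domain.com' is a placeholder; Test-CertificateReadiness is a hypothetical name.
$subjectFragment = 'domain.com'

function Test-CertificateReadiness {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Machine context ($true) so the chain is built from the Local Machine stores.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # skip CRL/OCSP lookups
    $chainBuilds = $chain.Build($Cert)
    $chainErrors = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # Build() can fetch a missing intermediate over the network, so also
    # confirm that the issuer is physically present in the CA store.
    $issuerInStore = (@(Get-ChildItem Cert:\LocalMachine\CA |
        Where-Object { $_.Subject -eq $Cert.Issuer }).Count -gt 0)

    New-Object PSObject -Property @{
        Subject         = $Cert.Subject
        Thumbprint      = $Cert.Thumbprint
        NotAfter        = $Cert.NotAfter
        HasPrivateKey   = $Cert.HasPrivateKey    # must be True for an HTTPS binding
        IssuerInCAStore = $issuerInStore         # False: intermediates not installed
        ChainBuilds     = $chainBuilds
        ChainLength     = $chain.ChainElements.Count
        ChainErrors     = $chainErrors
    }
}

# The domain certificate must be in the Local Machine Personal (My) store.
$found = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$subjectFragment*" })

if ($found.Count -eq 0) {
    Write-Warning "No certificate matching '$subjectFragment' in Cert:\LocalMachine\My"
} else {
    $found | ForEach-Object { Test-CertificateReadiness $_ } |
        Format-List Subject, Thumbprint, NotAfter, HasPrivateKey,
                    IssuerInCAStore, ChainBuilds, ChainLength, ChainErrors
}
```

A result with HasPrivateKey False points to a request completed on a different server than the one that generated it; IssuerInCAStore False points to the missing intermediate bundle.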

For migration scenarios between IIS6 and IIS7, consider using:

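# The third argument identifies the certificate in the store (serial number or thumbprint), not a file name
certutil -p "password" -exportPFX My "<certificate serial number or thumbprint>" "certificate.pfx"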