Installing SSL on a Windows Server 2012 with IIS 8.0

We are in the process of moving a website from a machine with Windows Server 2008 R2/IIS 7.5 to a machine with Windows Server 2012/IIS 8.0 as we want to take advantage of the new SNI feature.

This website has an SSL through GoDaddy, so we went through their site to re-key the SSL for this new server, downloaded the corresponding files, and followed their instructions found here for IIS 7.0, since they don't have any available for IIS 8.0.

The problem that we are experiencing is that when we try to "Complete the Certificate Request" in IIS, it gives us an error message of "Failed to Remove Certificate" - we are not sure what certificate it is trying to remove.

In comparing them to Microsoft's instructions found here, we noticed during the import process when following GoDaddy's instructions, it wants you to import the certificate into the "Intermediate Certification Authorities" directory which then places it in the Personal certificate store - but Microsoft's instructions say to import the certificate into the new Web Hosting certificate store. Not sure if this may be part of the issue...

- UPDATE

We thought maybe it was something to do with the certificate GoDaddy was issuing so we bought a brand new certificate for a different website from Thawte - however we are still getting the same error of "Failed to Remove Certificate".


Solution 1:

I ran into the same issue with a GoDaddy SSL certificate on Windows 2012 / IIS 8. What worked in my case, after getting the "Failed to Remove Certificate" error, was this:

  • I have tried adding it again, this time getting an "Access Denied" error.
  • I have also tried adding it to the "Personal" store instead of "Web Hosting", but the same "Access Denied" error appeared.
  • So I went back to the Certificates snap-in using MMC and found the certificate was already there - under Certificates (Local Computer) / Personal
  • Instead of doing the export/import thing that Scott suggested, I simply tried dragging the certificate down to Certificates (Local Computer) / Web Hosting node - and, surprisingly, it worked
  • After doing the above, I went back to IIS Manager and was able to use the certificate in the site bindings right away
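
A scripted equivalent of the drag-and-drop move described in Solution 1, as an added example that is not part of the original answers. The host name is a placeholder, and the script assumes an elevated PowerShell session on the IIS server; it uses the .NET X509Store API so the copy in Web Hosting is checked for its private key before the original is removed from Personal.

```powershell
# Added example: move an installed certificate from Personal (My) to
# Web Hosting under Local Computer, keeping its private key link.
$hostName = 'www.example.com'   # placeholder: CN of the site's certificate

# Store changes under LocalMachine need an elevated session.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

# Pick the newest matching certificate in Local Computer \ Personal.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$hostName*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate for $hostName in LocalMachine\My." }

# IIS can only bind a certificate whose private key is on this machine.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key on this server."
}

$location   = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
$webHosting = New-Object System.Security.Cryptography.X509Certificates.X509Store('WebHosting', $location)
$personal   = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', $location)
try {
    # OpenExistingOnly: fail rather than create the store on an OS that lacks it.
    $webHosting.Open('ReadWrite, OpenExistingOnly')
    $webHosting.Add($cert)

    # Confirm the copy arrived with its key before removing the original.
    $moved = $webHosting.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if (-not $moved -or -not $moved.HasPrivateKey) {
        throw 'Copy in Web Hosting is missing or has no private key; Personal left unchanged.'
    }
    $personal.Open('ReadWrite, OpenExistingOnly')
    $personal.Remove($cert)
}
finally {
    $webHosting.Close()
    $personal.Close()
}

# Show the result as IIS Manager will see it.
Get-ChildItem Cert:\LocalMachine\WebHosting |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Format-List Subject, Thumbprint, NotAfter, HasPrivateKey
```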

Solution 2:

I ran into a similar issue. I had to download the certificate as a .P7B file, install the certificate into the local cert store, then export the certificate as a .PFX with a password.

Right-click the cert and click Install. You can choose Automatic or 'The Following Store'; I believe Automatic installs it into Local Computer/Personal. So in MMC, load the Certificates snap-in for Local Computer, then look in the Personal folder or wherever you chose to install it; you should see your cert. Right-click, All Tasks, Export.

Once I had the .PFX certificate I was able to import that certificate into IIS8 and use it in the SSL Bindings for the Site.

Scott

Solution 3:

I had the same issue. I fixed it with openssl:

openssl pkcs12 -export -in my.crt -inkey my.key -certfile my.bundle -out my.pfx

Then I imported it into IIS 8.5.

Solution 4:

Run IIS Manager as administrator! Always - when doing SSL changes!

Also when GoDaddy automatically updates a certificate they use the same key you originally had - so you don't need to rekey for the same machine. It is the lack of running as admin that gives these stupid messages. I always forget. Every two years.

To renew when GoDaddy renews your cert without you providing a new CSR:

  • Run IIS manager as admin
  • Go to Server Certificates
  • Right click and select Renew
  • Choose the third option: Complete certificate renewal request
  • Select the .crt file