20

We are in the process of moving a website from a machine with Windows Server 2008 R2/IIS 7.5 to a machine with Windows Server 2012/IIS 8.0 as we want to take advantage of the new SNI feature.

This website has an SSL through Go-Daddy, so we went through their site to re-key the SSL for this new server and download the corresponding files and followed their instructions found here for IIS 7.0 since they don't have any available for IIS 8.0.

The problem that we are experiencing is that when we try to "Complete the Certificate Request" in IIS, it gives us an error message of "Failed to Remove Certificate" - we are not sure what certificate it is trying to remove.

In comparing them to Microsoft's instructions found here, we noticed during the import process when following Go-Daddy's instructions, it wants you to import the certificate into the "Intermediate Certification Authorities" directory which then places it in the Personal certificate store - but Microsoft's instructions say to import the certificate into the new Web Hosting certificate store. Not sure if this may be part of the issue...

- UPDATE

We thought maybe it was something to do with the certificate GoDaddy was issuing so we bought a brand new certificate for a different website from Thawte - however we are still getting the same error of "Failed to Remove Certificate".

jao
Jeremy

7 Answers

25

I ran into the same issue with a GoDaddy SSL certificate on Windows 2012 / IIS 8. What worked in my case, after getting the "Failed to Remove Certificate" error, was this:

  • I tried adding it again, this time getting an "Access Denied" error.
  • I also tried adding it to the "Personal" store instead of "Web Hosting", but the same "Access Denied" error appeared.
  • So I went back to the Certificates snap-in using MMC and found the certificate was already there - under Certificates (Local Computer) / Personal.
  • Instead of doing the export/import thing that Scott suggested, I simply tried dragging the certificate down to the Certificates (Local Computer) / Web Hosting node - and, surprisingly, it worked.
  • After doing the above, I went back to IIS Manager and was able to use the certificate in the site bindings right away.
Rado
  • Thank you. I would have probably been scratching my head for hours if you didn't post this. – diadem Jan 22 '14 at 23:51
  • 1
    I got this error when I tried to have IIS add it into "Web Hosting" - if I let it add it into "Personal" it was fine. After that I dragged it into the Web Hosting category and all was well. I have no idea why. – jocull Jun 25 '14 at 13:26
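The check-and-move step described in the answer above, as an added PowerShell example (not part of the original answers or comments). It assumes an elevated session and a thumbprint you supply as `$Thumbprint`; it reports which Local Computer store holds the certificate and whether a private key is attached, then moves it from Personal to Web Hosting.

```powershell
# Added example, not from the original answers. Run in an elevated session.
param(
    # Assumed input: thumbprint of the certificate you just completed or imported
    [Parameter(Mandatory)][string]$Thumbprint
)
# Normalise a thumbprint pasted from the MMC details pane (spaces, hidden characters)
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

# Writing to the Local Computer stores requires administrator rights
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Not elevated: start PowerShell with "Run as administrator".'
}

# Report which store(s) hold the certificate and whether its private key is attached
$found = foreach ($store in 'My', 'WebHosting') {
    Get-ChildItem "Cert:\LocalMachine\$store" |
        Where-Object { $_.Thumbprint -eq $Thumbprint } |
        Select-Object @{n='Store';e={$store}}, Subject, NotAfter, HasPrivateKey
}
if (-not $found) { throw "Certificate $Thumbprint is in neither Personal nor Web Hosting." }
$found | Format-Table -AutoSize | Out-String | Write-Host

$inMy  = $found | Where-Object { $_.Store -eq 'My' }
$inWeb = $found | Where-Object { $_.Store -eq 'WebHosting' }

if ($inWeb) {
    Write-Host 'Already in Web Hosting; nothing to move.'
} elseif (-not $inMy.HasPrivateKey) {
    # Without its private key the certificate cannot be used for an HTTPS binding
    Write-Warning 'No private key is associated with this certificate; IIS cannot bind it.'
} else {
    # Same effect as dragging the certificate between the two nodes in MMC
    Move-Item -Path "Cert:\LocalMachine\My\$Thumbprint" `
              -Destination 'Cert:\LocalMachine\WebHosting'
    Get-ChildItem "Cert:\LocalMachine\WebHosting\$Thumbprint" |
        Format-List Subject, Thumbprint, HasPrivateKey
}
```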
5

I ran into a similar issue. I had to download the certificate as a .P7B file, install the certificate into the local cert store, then export the certificate as a .PFX with a password.

Right-click the cert and click Install. You can choose Automatic or 'The Following Store'; I believe Automatic installs it into Local Computer/Personal. So in MMC, load the Certificate snap-in for Local Computer, and then look in the Personal folder or wherever you chose to install it; you should see your cert. Right-click, All Tasks, Export.

Once I had the .PFX certificate I was able to import that certificate into IIS8 and use it in the SSL Bindings for the Site.

Scott<-

scooter133
3

I had the same issue. I fixed it with openssl:

openssl pkcs12 -export -in my.crt -inkey my.key -certfile my.bundle -out my.pfx

Then I imported it to IIS 8.5.

2

Run IIS Manager as administrator! Always - when doing SSL changes!

Also when GoDaddy automatically updates a certificate they use the same key you originally had - so you don't need to rekey for the same machine. It is the lack of running as admin that gives these stupid messages. I always forget. Every two years.

To renew when GoDaddy renews your cert without you providing a new CSR:

  • Run IIS manager as admin
  • Go to Server Certificates
  • Right click and select Renew
  • Choose the third option: Complete certificate renewal request
  • Select the .crt file
Simon
1

I was trying to add my renewed license and had the same issue. I found out that my previous SSL certificate was active and used by one of my domains. I removed the previous one and added the new one, and the problem was solved.

Amir
1

I had the same set of errors and issues, looked around mmc snapin for certificates... cert seems to be there (without me doing anything to fix the errors)

Tried it in IIS.... seems to work.... Current conclusion: The errors are spurious.

0

Throwing this out there if it helps someone.

I manually deleted the certificate from MMC -> Certificates -> Personal -> Certificates, and then added the certificate manually in IIS through the Complete Certificate Request, but here's the deviation - I added it to Personal instead of "Web Hosting".

contactmatt