SSL certificate sometimes stops working

Question

Sometimes, mostly at nighttime, our SSL certificates just stop working. The error accompanying this fault is:

A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10001.

To solve this at the moment, we just change the SSL binding of the faulting website to a different site, save it and switch it back. That way, the certificate is picked up again and works (magic).

The question is: How can we prevent this from happening? Every time this happens (now twice in the last 6 months), the sites are down.

Answer 1

An article I found resolved the issue: https://techcommunity.microsoft.com/t5/iis-support-blog/error-hresult-0x80070520-when-adding-ssl-binding-in-iis/ba-p/377281

FYI, we have checked all three options.

If this error should come up again, I will post it here.

Answer 2

I too have had this problem. My server service was working fine for hours if in use but if left for 45 minutes without a call, it would get this error. So there was some sort of timeout or other expiry occurring. I wrote a utility to monitor my service, and of course that kept it alive. So I adjusted times, and found the period that let it fail. I re-examined all the web references I'd used, and found that re-reading the article at paulstovell.com it mentioned the PersistKeySet property. Changing my code which prepares the certificate to include this, so it is now like:

  X509Certificate2 cert = new X509Certificate2(file, password, X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable); 

has fixed the problem, and the certificate no longer expires or times out with the 0x8009030d error. And of course this makes sense, as the error is about there being no key, and persisting it is what is required.

http://paulstovell.com/blog/x509certificate2