The incorrect localhost certificate is being served by IIS

Question

OK I have a SSL issue that I can't seem to get past on this 1 Win7 x64 machine. I have been using self-signed certs for years and even blogged about them before so I have experience. However something is happening that I can't figure out this time.

I have (2) localhost SSL certs created and insalled on my machine.

1. localhost (friendly name) issued and created in IIS (7.5). It contains the 'Issued To' and 'Issued By' values of my machine name: 'DevMachine123'. This is the certificate being served up for applications configured under the 'Default Web Site' in IIS.
2. localhost SSL certificate created using makecert.exe tool where CN=localhost (common name) was used. It contains the 'Issued To' and 'Issued By' values of 'localhost'. This is the SSL cert I want served up in IIS for my applications configured under the 'Default Web Site'.

The error I'm getting is:

'The security certificate presented by this website was issued for a different website's address.'

When I view the certificate being served up from the IE browser: it shows the localhost cert issued to 'DevMachine123' is being used and not the localhost issued to localhost (#2 above) which should resolve this issue. Hence the name mismatch because 'DevMachine123' does not match 'localhost'.

Another point to make; my certificates have been added to 'Trusted Root Certification Authorities' so they both are trusted certificates.

Last point to make, I checked the https port 443 Binding configuration for the 'Default Web Site' on my machine in IIS. I view the certificate and it shows the correct localhost certificate is bound (#2 above with CN=localhost).

I feel that I have covered my bases here (yes I have seen this and this so please do not re-post). What am I missing here?

Thanks!

Answer 1

I had a similar issue and had also gone through the checks you mentioned above for the site bindings. I ran the following netsh command

netsh http show sslcert

This showed me two SSL Certificate bindings. One on IP:Port 0.0.0.0:443 with the correct certificate and one on IP:Port [::]:443 with an expired certificate. I opened CertMgr.msc for the Local Computer (see here for instructions) and searched for the invalid certificate and discovered it had expired.

To resolve the issue I did the following

1. netsh http delete sslcert ipport=[::]:443
2. iisreset /restart