Web server certificate perils

The replacement of web server certs is easy in theory. You should be able to use the old cert request with the CA to simply get a renewal of the existing cert.

Should be able to. I found out to my peril this week that it doesn’t necessarily work that way.

Using a corporate Certificate Authority, the new certs were ready to go, so on Wednesday night I arranged to get Admin access to the Win2K servers to put them in. Alas, I was running late and missed the window in which I’d been given access! A consequence of the facilities guys being a little too efficient, I suppose.

No matter: attempt two was made the following night. Following these steps to import the cert, all worked fine. Then I used the IIS config applet to replace the old cert. Done.

Except it didn’t work. Browsing to the server on HTTPS failed with the usual kind of useless browser error: it claimed a DNS error/server not found, which made no sense. Nothing in the IIS log told me anything.

Talked to the CA guy the next day. Very puzzled. Any amount of inspecting the old and new certs showed nothing.

On a whim, I decided to start from scratch: re-generate the cert requests and get the certs re-done.

Somehow, it worked. I still don’t know why, but it did. Memo for next time: just do the extra requests; don’t try to take a shortcut by re-using the old ones.

Amusing aside: While talking to the contact in Facilities Management, my other phone beeped. It was the coin sound from Galaga. “Hey… isn’t that from Galaga?” Yep, well spotted!