Incorrect Domain on Cert. Can't Delete


#1

I have a Let’s Encrypt Certificate located in "Trusted Root Certification Authorities/DST Root CA X3/MyDomainName.net". The MyDomainName.net should have been MyDomainName.com. Now I have a mismatched SSL. How can I delete or change that certificate to .com from .net? I am running IIS 8. I host this site.


#2

Hi @rfleming11

looks like you have one certificate with two domain names - the com and the net version.

But the certificate is valid, so there is no problem.

You can create one certificate with a lot of domain names. But only one domain name is shown as “CommonName”.

But this isn’t an “incorrect domain”. If your certificate were invalid, you would see something red.


#3

Thank you for your reply. Actually the certificate says MyDomainName.net like in the image above. The domain name is flemingengineering.net and I want to change it to flemingengineering.com. If you run an SSL test on flemingengineering.com https://www.ssllabs.com/ssltest/?leadsource=3787244, you will see that the certificate has a mismatch and is trying to use the .net. I need to prevent that mismatch. A browser won’t allow the mismatch.


#4

The first domain doesn’t exist, the second exists. Then create a new certificate with the correct name and use that.


#5

I have been creating new certificates with Certify The Web and Lets-Encrypt-Win-Simple on my IIS 8 server. The certificates are binding in IIS but I don’t know how to create the Certificate in the DST Root CA like the image above. It appears, when running the SSL test, that the test is only seeing what is in the DST Root CA. I have not restarted the IIS server since installing the new Certs.


#6

You have a lot of certificates created in the last days.

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=p:ZmxlbWluZ2VuZ2luZWVyaW5nLmNvbTpmYWxzZTp0cnVlOjpFQUU9&cert_search=include_expired:false;include_subdomains:true;domain:flemingengineering.com&lu=cert_search_cert

You must change the setting of your bindings. Open the bindings, then you can select a new certificate.

But the certificate must be saved in your Webhosting Certificate store (Machine Account).

This is done automatically if you update your binding.

If you update your binding IIS understands that.

So:

  • Check your certificate store / Webhosting, if the new certificates are there
  • Then update your https bindings.

#7

I have created a lot of certificates trying to find a solution. I have selected the newly created certificate in the bindings and checked the SNI block. I do show the certificates in “personal Folder” when viewing the certmgr.msc. I am still receiving the image error when trying to log into the site flemingengineering.com. Is there a way I can just revoke the flemingengineering.net certificate and delete it?


#8

This is the wrong folder. Open an Admin-Console (cmd.exe), then start mmc.

Then open File - Add SnapIn, select “Certificates”. Then (and this is important) you are asked:

  • own user
  • service
  • machine / computer (don’t know how English Windows writes that).

But you must select the third option.

Then you have the Webhosting - folder. And to import a certificate, you must mark it as exportable. And you must select the Webhosting folder explicitly. It can’t work if you have the certificate in your personal folder.

That wouldn’t help.


#9

The issue has been resolved. I exported the Local Computer/Webhosting/Certificates (flemingengineering.com) to the Local Computer/Trusted Certificate Authorities/Certificates. That was not the issue and does not need to be done. The fix for me was a computer restart. My recommendation for somebody who is having the same issue is to install the certificates with whatever method you chose and restart your server.
I am very impressed with your help JuergenAuer! Thank you so much for keeping me on the right track and assuring me that I was doing this correctly. Big Help!


#10

Happy to read that it has worked.

I add new Letsencrypt certificates (Windows 2012) without any restart of the webserver. Maybe you had an inconsistency which was fixed by restarting.

If a certificate is saved in different folders (personal / computer, there personal or webhosting), that’s not good.


#11

IIS certs need only go in “Web Hosting”.
But they should probably be installed by/through IIS (or well written PowerShell commands).
Other methods don’t always return the desired results.
And sometimes you do need to restart IIS.
[which a reboot would do]


#12

Thanks RG305. I will make that correction and move to webhost folder.
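
The checks suggested in this thread (which certificate each https binding uses, which Local Computer store holds it, and whether its names cover the binding's host name), as an added PowerShell example that is not part of any post above. It assumes the WebAdministration module that ships with IIS and an elevated session on the server; the function name `Test-CertName` and the output column names are made up for illustration.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the IIS server.
Import-Module WebAdministration

# Hypothetical helper: does one certificate DNS name cover the host name?
function Test-CertName([string]$HostName, [string]$CertName) {
    if ($CertName.StartsWith('*.')) {
        # A wildcard covers exactly one non-empty left-most label.
        $suffix = $CertName.Substring(1)    # "*.example.com" -> ".example.com"
        if (-not $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
        $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
        return ($label -ne '') -and ($label -notmatch '\.')
    }
    return $HostName -ieq $CertName
}

# Local Computer stores to search: Web Hosting, Personal, Trusted Root.
$stores = 'WebHosting', 'My', 'Root'

foreach ($b in Get-WebBinding -Protocol https) {
    # bindingInformation is "IP:port:host"; host is empty when no host name is set.
    $hostName = ($b.bindingInformation -split ':')[-1]
    $thumb    = $b.certificateHash

    # Every store that holds a copy of the certificate this binding points at.
    $copies = @(foreach ($s in $stores) {
        Get-ChildItem "Cert:\LocalMachine\$s" |
            Where-Object { $_.Thumbprint -eq $thumb } |
            ForEach-Object { [pscustomobject]@{ Store = $s; Cert = $_ } }
    })

    if ($copies.Count -eq 0) {
        Write-Warning "$($b.bindingInformation): bound thumbprint '$thumb' not found in $($stores -join ', ')"
        continue
    }

    $cert  = $copies[0].Cert
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    [pscustomobject]@{
        Binding     = $b.bindingInformation
        BoundStore  = $b.certificateStoreName   # store recorded in the binding itself
        FoundIn     = ($copies | ForEach-Object { $_.Store }) -join ', '
        Subject     = $cert.Subject
        DnsNames    = $names -join ', '
        NotAfter    = $cert.NotAfter
        NameMatches = [bool]($hostName -and ($names | Where-Object { Test-CertName $hostName $_ }))
    }
}
```

A row where `NameMatches` is false, or where `FoundIn` lists more than one store, points at the situations described in posts #6, #8 and #10: a binding still using the old certificate, or copies of one certificate spread across several stores.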