SYSTEM:
Windows Server 2019
IIS 10
SCENARIO:
Your SSL certificate is renewed by Godaddy, etc.
You download the certificate file and unzip it.
You go to IIS and click "Complete Certificate Request" and specify the PEM file.
You then go to BINDINGS of the website where the certificate is used and select the new certificate.
You receive the error:
A specified logon session does not exist. It may already have been terminated.
The web site is now DEAD until you switch the binding back to the original certificate.
If you click on the certificate and go to Details - Copy to file - Next, the option to export the private key is greyed out.
You cannot export the certificate and private key to a PFX file.
Also, if you check the Event Viewer, you should see:
A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10001.
POSSIBLE FIX:
Many articles mention permissions of various directories. We found no issues with permissions.
What fixed it for us is a solution here:
https://stackoverflow.com/questions/14953132/iis-7-error-a-specified-logon-…
"Nobody probably cares about this anymore, but I just faced this issue with my IIS 7 website binding. The way I fixed it was going to the Certificate Authority and finding the certificate issued to the server with the issue. I verified the user account that requested the certificate. I Then logged into the IIS server using RDP with that account. I was able to rebind the https protocol using that account only. No exports, reissuing, or extension changing hacks were needed."
I realized that I may have been logged in as a different user when I created the original CSR.
I logged into the server with that account and repeated the normal steps to complete the certificate request and then clicked on the certificate and chose Details - Copy to file - Next.
When I saw that the option for "Export private key" was NOT greyed out, I knew it would work, and it did. I was able to bind to the certificate without an issue.
I was also able to export the certificate and private key to a PFX file for use on another server.
CONCLUSION:
If the account that created the original CSR is available, log in with that account to complete the request.
If you can't log in as the account that created the CSR, then creating a new CSR and rekeying the certificate at Godaddy, etc. is probably what we would do.
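The greyed-out "Export private key" option is the visible sign of the underlying problem: the certificate in the machine store either has no private key associated with it, or the key container cannot be opened by the account that is doing the binding. The following PowerShell script is an added diagnostic example; it is not from the original post or from the Stack Overflow answer. Run it in an elevated PowerShell on the IIS server, logged in as the account you intend to complete the request and bind with. It looks the certificate up by thumbprint in Cert:\LocalMachine\My (the thumbprint is a placeholder you must replace), reports whether a private key is attached, and then tries to open the key and sign a test value, which exercises the same access path IIS uses when you change the binding. If the signing step fails, you are seeing the same condition that produces the "specified logon session does not exist" error and the 0x8009030d event log entry, and the fix described above (complete the request under the original account, or rekey with a new CSR) applies.

```powershell
# Added diagnostic example, not code from the original post.
# Checks whether a certificate in the machine store has a private key that the
# CURRENT account can actually use, which is what IIS needs at binding time.
# The thumbprint is a placeholder; replace it with the thumbprint shown for the
# newly completed certificate in the IIS "Server Certificates" list.
param(
    [string]$Thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT'
)

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpper() }

if (-not $cert) {
    Write-Warning "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My"
    return
}

"Subject       : $($cert.Subject)"
"Expires       : $($cert.NotAfter)"
"HasPrivateKey : $($cert.HasPrivateKey)"

if (-not $cert.HasPrivateKey) {
    # No key is attached at all: the CSR was completed under a different account
    # (or on a different machine), so this account's key store has nothing to pair with.
    Write-Warning "No private key is associated with this certificate; IIS cannot bind it."
    return
}

try {
    # Opening the key and signing with it is the real test. HasPrivateKey only says a
    # key is referenced; it does not prove this account can open the key container.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $data = [System.Text.Encoding]::UTF8.GetBytes('binding check')
    $sig = $rsa.SignData($data,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    "Private key usable as $env:USERDOMAIN\$env:USERNAME : yes ($($sig.Length)-byte test signature)"

    # Show where the key lives, which helps explain why another account could not see it.
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        "Key provider  : $($rsa.Key.Provider.Provider)"
        "Key container : $($rsa.Key.UniqueName)"
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        "Key provider  : $($rsa.CspKeyContainerInfo.ProviderName)"
        "Key container : $($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
    }
} catch {
    Write-Warning "Private key is referenced but cannot be opened as $env:USERDOMAIN\$env:USERNAME: $($_.Exception.Message)"
    Write-Warning "Complete the request again while logged in as the account that created the CSR, or rekey the certificate with a new CSR."
}
```

Usage: `.\Test-CertKeyAccess.ps1 -Thumbprint <thumbprint>`. Run it once as the account that hit the error and once as the account that created the CSR; the run that prints a successful test signature is the account that can complete the request and bind the certificate, and it is also the one from which the PFX export will not be greyed out.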
This article is dedicated to the person who answered the question on Stack Overflow.