SSL certificate is not getting binded with iis https binding on update. RRS feed

  • Question

  • User-616915944 posted

    I have installed keyvault extention on vmss having windows server 2019 custom image.
    On updating the certificate in keyvault , extension pulls the updated certificate.
    But my binding with old certificate in iis , is not getting updated. Weired behavior is if any client tries to access the site using https://localhost , it is being served with the updated certificate.

    Wednesday, January 20, 2021 10:50 AM

All replies

  • User690216013 posted

    It is Windows HTTP API that controls which certificate belongs to a binding, https://docs.jexusmanager.com/tutorials/https-binding.html#background So you should dig further to see what can explain the observed behaviors.

    Wednesday, January 20, 2021 5:33 PM
  • User1771714573 posted

    Hi raunak.omar,

    Is the certificate you updated in keyvault added to the server? Does the certificate have a private key?

    Due to the timeframe and some other issues, there may be differences in the list of certificates displayed in IIS,which affects the certificates bound to the site in IIS.

    To solve this problem, you can manually import the certificate into IIS

    Export certificate from certificates.msc concole to a certificate.pfx file. Please make sure to export it with a private key and password protect it. Once this is done you can import the certificate in iis by using import option instead of complete certification request. This keeps the certificate in server certificates console and you can bind the website to the certificate.

    Best regards,


    Thursday, January 21, 2021 5:35 AM
  • User-616915944 posted

    Hello Brucz,

    Yes the certificate I updated in keyvault is getting added to server. Yes certificate has the private key.

    In iis binding the certificate is not getting updated but when client makes a request to server , it is getting the updated certificate.

    I was trying to create an automated pipeline so that if I update my certificate in keyvault , machines should get automatically and no need for redeployment of machines. So manual steps will not be possible in my case.

    Do you have any other suggestion or log location where I can look for more debugging.

    Thursday, January 21, 2021 7:18 AM
  • User-616915944 posted

    I tried checking with netsh command to know what certificate is binded with 443 but it is the old one . 

    Very confusing then how clients are able to pick updated certificate.

    Thursday, January 21, 2021 7:20 AM
  • User1771714573 posted

    Hi raunak.omar,

    I researched key vault and found that it is an extention on Azure, not about IIS.

    I tried checking with netsh command to know what certificate is binded with 443 but it is the old one

    This shows that the key vault is not fully working and there seems to be a problem with the function.

    I suggest you go to the Azure forum for help.

    Best regards,


    Friday, January 22, 2021 6:35 AM