IIS7 keeps using old SSL cert

A user reported to me that his browser was reporting that one of the websites I maintain was sending out a revoked SSL certificate as its identity. I checked and found that, sure enough, the certificate authority (CA), which I also run, had put that cert on the CRL. It had been superseded when I’d issued a new cert for the server with different extensions.

However, when I checked the web server config, I couldn’t find the old, revoked cert listed anywhere. And it wasn’t listed in the host computer’s Certificates MSC either. Weird.

Restarting the web server didn’t help. Neither did rebooting the computer. Neither did getting yet another new certificate for the computer.

Finally, I woke up and “asked” Google.

Well, that was easy. Edited the “Bindings” on the “Default Site” and selected the new certificate. The old one didn’t appear in the list, though. Apparently, if you simply delete the old cert from the computer, IIS7 doesn’t clear it from its own config, even though you can’t see the cert anywhere in that config.
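
One way to spot this condition before a user does is to compare the certificate hashes bound in HTTP.sys with the thumbprints actually present in the machine store. The PowerShell below is an added example, not part of the original post; the function names and the sample data are made up for illustration, and it assumes English `netsh` output and certificates kept in the `LocalMachine\My` store.

```powershell
# Parse "netsh http show sslcert" output into endpoint/thumbprint pairs.
function Get-SslBindingHash {
    param([string[]]$NetshOutput)
    $endpoint = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*(?:IP|Hostname):port\s*:\s*(\S+)') {
            $endpoint = $Matches[1]
        } elseif ($line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
            New-Object PSObject -Property @{
                Endpoint   = $endpoint
                Thumbprint = $Matches[1].ToUpper()
            }
        }
    }
}

# Return bindings whose certificate hash is not in the supplied store listing.
function Find-StaleSslBinding {
    param([string[]]$NetshOutput, [string[]]$StoreThumbprints)
    $known = @($StoreThumbprints | ForEach-Object { $_.ToUpper() })
    Get-SslBindingHash -NetshOutput $NetshOutput |
        Where-Object { $known -notcontains $_.Thumbprint }
}

# Constructed sample: the binding still points at a hash that is no longer
# in the store (hash values are placeholders, not real certificates).
$sampleNetsh = @(
    'SSL Certificate bindings:',
    '-------------------------',
    '    IP:port                      : 0.0.0.0:443',
    '    Certificate Hash             : 1111111111111111111111111111111111111111',
    '    Certificate Store Name       : MY'
)
$sampleStore = @('2222222222222222222222222222222222222222')

Find-StaleSslBinding -NetshOutput $sampleNetsh -StoreThumbprints $sampleStore |
    Format-Table Endpoint, Thumbprint -AutoSize

# Against the live server (run elevated):
# $live  = netsh http show sslcert
# $store = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { $_.Thumbprint }
# Find-StaleSslBinding -NetshOutput $live -StoreThumbprints $store
```

Any row it prints is a binding that needs the new certificate selected in the site's “Bindings” dialog, as described above.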
