How can I install root or intermediate SSL certificates without restarting server?
Solution 1
I think you are seeing Firefox work because Firefox most likely already had copies of the root and intermediate installed in its own stores (which I have mixed feelings about). It seems like browsers are frequently importing intermediate certificates as well as roots into their own keystores now. That's one reason why I use cURL and the CA-provided certificate validation tool to verify the installation whenever I replace a cert.
I've had the problems with IIS you are describing if I installed the cert prior to installing the intermediate cert, but never had issues if the intermediate certs were imported prior to importing the server cert. Unfortunately, depending upon the CA, one does not always realize that the intermediate cert has been replaced until server cert verification is being performed.
Solution 2
I spent one day trying to configure the right certificate chain on a Windows 2008 R2 server, and I realized after several hours that in my case the IIS restart alone didn't work.
The right solution was to import the right certificates using the MMC snap-in into the Root certificate authority and the Intermediate certification authority, then restart the web server, and the certificate chain started to work.
This was on IIS 7.5, Windows 2008 R2.
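A scripted equivalent of the MMC import described in Solution 2, followed by a check that the server certificate's issuers are really present in the machine stores. This is an added example, not part of the original answers; the file paths and the thumbprint are placeholders, and it assumes an elevated PowerShell session with the server certificate already in `LocalMachine\My`.

```powershell
# Added example. Paths and thumbprint below are placeholders (assumptions).
$rootFile         = 'C:\certs\root-ca.cer'
$interFile        = 'C:\certs\intermediate-ca.cer'
$serverThumbprint = '<SERVER-CERT-THUMBPRINT>'

# Uses the .NET X509Store class so it also works on older PowerShell versions.
function Add-CertToStore([string]$Path, [string]$StoreName) {
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $StoreName, 'LocalMachine'
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }
}

# Root goes to "Trusted Root Certification Authorities" (Root),
# intermediate goes to "Intermediate Certification Authorities" (CA).
Add-CertToStore $rootFile  'Root'
Add-CertToStore $interFile 'CA'

$server = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $serverThumbprint }
if (-not $server) { throw 'Server certificate not found in LocalMachine\My' }

# Build the chain the way a Windows client would; revocation is not tested here.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$ok = $chain.Build($server)

# Windows can complete a chain from cached or downloaded issuers, so a successful
# build alone does not prove the issuers are installed. Check the stores directly.
$installed = @{}
foreach ($name in 'CA', 'Root') {
    Get-ChildItem "Cert:\LocalMachine\$name" |
        ForEach-Object { $installed[$_.Thumbprint] = $name }
}

$chain.ChainElements | Select-Object -Skip 1 | ForEach-Object {
    $tp = $_.Certificate.Thumbprint
    $location = if ($installed.ContainsKey($tp)) { "LocalMachine\$($installed[$tp])" }
                else { 'NOT INSTALLED' }
    '{0,-18} {1}' -f $location, $_.Certificate.Subject
}

"Chain builds: $ok"
$chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }
# Restart the web server afterwards, as Solution 2 describes.
```

Any issuer reported as `NOT INSTALLED` is one the server cannot hand to clients that lack their own copy, which matches the browser differences described in the question.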
Solution 3
Root certificate installation on Windows should never require a restart. Something else is going on here.
Worst-case, a logoff/logon should have worked - the apps you're describing all look like they're client/user-space apps, and terminating the process and restarting it is likely enough.
Abel
Updated on September 18, 2022
Comments
-
Abel over 1 year
For installation of a certificate I needed to install the root and intermediate certificates as well. This was recognized (after IIS reset) by Firefox and IIS at once, but not by IE, Opera or Network4All. After a physical restart it was recognized by all.
My question is: how can I install the root and intermediate certificates without restarting the entire server? (And, of less importance, how come Firefox recognized this at once, but others didn't?)
-
Abel over 12 years
Well, I would agree with you, if not for the simple fact that it only started working after I issued a full restart. The IIS service itself was restarted before that, but that didn't help.
-
Abel over 12 years
Perhaps you're right and it would've worked had I installed the root and intermediate certificates first. Not a 100% answer to the question but closest to an explanation for Firefox's behavior and why a restart might've been necessary.
-
Ov's Pianist over 12 years
*always/typically/insert special case here