Reputation: 1344
SSL certificate sometimes stops working
Sometimes, mostly at nighttime, our SSL certificates just stop working. The error accompanying this fault is:
A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10001.
To solve this at the moment, we just change the SSL binding of the faulting website to a different site, save it and switch it back. That way, the certificate is picked up again and works (magic).
The question is: How can we prevent this from happening? Every time this happens (now twice in the last 6 months), the sites are down.
Upvotes: 9
Views: 50805
Answers (4)
Reputation: 669
The problem was due to a missing permission given on the private keys of the certificate itself in the certificates store:
in certmgr > right click on the certificate > All tasks > Manage Private Keys
Allow the user consuming the certificate (like a service user or whatever).
Upvotes: 1
Reputation: 5
by editing the permission on C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys I have resolve the same issue thanks
Upvotes: -2
Reputation: 1344
An article I found resolved the issue: https://techcommunity.microsoft.com/t5/iis-support-blog/error-hresult-0x80070520-when-adding-ssl-binding-in-iis/ba-p/377281
FYI, we have checked all three options.
If this error should come up again, I will post it here.
Upvotes: 6
Reputation: 6747
I too have had this problem. My server service was working fine for hours if in use but if left for 45 minutes without a call, it would get this error. So there was some sort of timeout or other expiry occurring. I wrote a utility to monitor my service, and of course that kept it alive. So I adjusted times, and found the period that let it fail. I re-examined all the web references I'd used, and found that re-reading the article at paulstovell.com it mentioned the PersistKeySet property. Changing my code which prepares the certificate to include this, so it is now like:
X509Certificate2 cert = new X509Certificate2(file, password, X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable);
has fixed the problem, and the certificate no longer expires or times out with the 0x8009030d error. And of course this makes sense, as the error is about there being no key, and persisting it is what is required.
http://paulstovell.com/blog/x509certificate2
Upvotes: 3
Related Questions
- Trusted certificate problem after restart of Windows
- IIS SSL Is Not Functioning Properly
- SSL Certificate Disappearing from IIS
- IIS loses HTTPS Endpoitn certificate after computer restart
- SSL Certificate will not save
- Getting certificate error for SSL certificate with validity left
- IIS https binding disappears sometime
- ssl not working correctly
- C# and IIS - SSL dropping connections, fine over HTTP
- Secure Certificate Problem