SSL certificate sometimes stops working

7

Sometimes, mostly at nighttime, our SSL certificates just stop working. The error accompanying this fault is:

A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10001.

To solve this at the moment, we just change the SSL binding of the faulting website to a different site, save it and switch it back. That way, the certificate is picked up again and works (magic).

The question is: How can we prevent this from happening? Every time this happens (now twice in the last 6 months), the sites are down.

security
iis
ssl
certificate
asked on Stack Overflow Aug 20, 2015 by Gecko

3 Answers

6

An article I found resolved the issue: https://techcommunity.microsoft.com/t5/iis-support-blog/error-hresult-0x80070520-when-adding-ssl-binding-in-iis/ba-p/377281

FYI, we have checked all three options.

If this error should come up again, I will post it here.

answered on Stack Overflow Aug 24, 2015 by Gecko • edited Feb 7, 2020 by Gecko
2

I too have had this problem. My server service was working fine for hours if in use but if left for 45 minutes without a call, it would get this error. So there was some sort of timeout or other expiry occurring. I wrote a utility to monitor my service, and of course that kept it alive. So I adjusted times, and found the period that let it fail. I re-examined all the web references I'd used, and found that re-reading the article at paulstovell.com it mentioned the PersistKeySet property. Changing my code which prepares the certificate to include this, so it is now like:

  X509Certificate2 cert = new X509Certificate2(file, password, X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable);

has fixed the problem, and the certificate no longer expires or times out with the 0x8009030d error. And of course this makes sense, as the error is about there being no key, and persisting it is what is required.

http://paulstovell.com/blog/x509certificate2

answered on Stack Overflow Sep 7, 2017 by mj2008 • edited Mar 21, 2019 by (unknown user)
0

by editing the permission on C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys I have resolve the same issue thanks

answered on Stack Overflow Jan 27, 2021 by Bhaskar Patel • edited Jan 27, 2021 by Martin Brisiak

User contributions licensed under CC BY-SA 3.0