
Getting "A specified logon session does not exist. It may already have been terminated." while binding SSL certificates from a second server

Hi All,

I've recently purchased a new wildcard SSL certificate to be installed on a pair of load-balanced web servers. Although the certificate is working fine on the first server, I am constantly getting the error:

A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)

Reading around, this would suggest that the key was not marked as exportable during the import. So I set about re-importing the certificate, but to no avail. I tried removing the certificate and re-importing it, but again had the same problem (as I understand it now, deleting a certificate does not remove the private key). I managed to export the certificate with private key and delete the private key from the second server (which would indicate that the key was indeed exportable) then re-imported that... again the same problem.

In a last-ditch attempt, I removed the entries in the registry for HKLM\SOFTWARE\Microsoft\SystemCertificates\My\Keys, rebooted the server and re-imported the certificate, and again, no change. What was interesting is running "certutil.exe export.pfx" still showed the "Private key is NOT exportable" despite the private key (in theory) no longer being around. I'm not sure if that is related to the IIS error, as this occurred before I re-imported the key.

I have attempted to import the key via IIS Manager, the Certificate MMC Snap-in (Local Machine) and via the command line (certutil -importpfx) and none of the options work.

I'm not sure if there is a hidden flag somewhere that is marking the private-key as non-exportable and thus causing IIS a headache and that setting is obscured. I would like to know if there's a way of completely removing references to a certificate and private key combination, including removing any references that mark a certificate as not-exportable (not to change it, just remove the reference) to see if that resolves the problem.

Alternatively, if someone knows how to resolve the main problem, that'd be preferred. Just to reiterate, this applies to importing the certificate on the second server WITH "enable exports" options selected.

Thanks


Dan
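
An added diagnostic, not part of the original post: for each certificate in the Local Machine "My" store it reports whether Windows can open the linked private key, which provider and key container file hold it, and its export setting, then lists key files in the machine key folders that no certificate in that store references. It assumes RSA keys held by the default software providers in their default directories, and it only reads; nothing is deleted or changed.

```powershell
# Added example. Run in an elevated PowerShell session on the affected server.
# Assumption: RSA keys in the default software providers and default key folders.
$keyDirs = @(
    "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",  # legacy CSP key containers
    "$env:ProgramData\Microsoft\Crypto\Keys"              # CNG software KSP keys
)

$linked = @{}   # key container file names referenced by a certificate in the store
$report = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $row = [ordered]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        HasKey     = $cert.HasPrivateKey   # only says a key link property exists
        Provider   = $null
        KeyFile    = $null
        Exportable = $null
    }
    if ($cert.HasPrivateKey) {
        try {
            # Opening the key proves the link resolves to a usable container
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                $row.Provider   = $rsa.Key.Provider.Provider
                $row.KeyFile    = $rsa.Key.UniqueName
                $row.Exportable = $rsa.Key.ExportPolicy.ToString()
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $info = $rsa.CspKeyContainerInfo
                $row.Provider   = $info.ProviderName
                $row.KeyFile    = $info.UniqueKeyContainerName
                $row.Exportable = $info.Exportable
            }
        } catch {
            # A certificate that claims a key but cannot open it has a broken key link
            $row.Provider = "key could not be opened: $($_.Exception.Message)"
        }
    }
    if ($row.KeyFile) { $linked[$row.KeyFile] = $true }
    [pscustomobject]$row
}
$report | Format-List

# Key files not referenced from LocalMachine\My. These can still belong to
# certificates in other stores or to other services, so treat this as a list to review.
Get-ChildItem $keyDirs -File -ErrorAction SilentlyContinue |
    Where-Object { -not $linked.ContainsKey($_.Name) } |
    Select-Object FullName, LastWriteTime
```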
