1

I am using Central Certificates in IIS 10 - using a local folder (C:\iis\Encryption) that is synchronized to all of the web servers in our cluster.

The Central IIS uses a domain service account - one which seemingly has full permissions to the folder (and files) in question:

Everything was working until we needed to renew the certificate - which I did by deleting the old .PFX files in the share and uploading new ones.

Now, when I use the service account in the configuration, I am getting an error that says "Bad Data".

When I instead use my personal Domain Account, it seems to work fine. Also, when I put back the old (soon to expire) certificate into the folder, that works fine with the service account.

Why isn't my service account working anymore?

William
  • I'm not sure why this question was closed - it seems to have plenty of detail/clarity to me. – William Dec 28 '20 at 14:07

3 Answers

2

Not sure if you solved this, but I had the exact same problem and finally managed to solve it. I had to make sure that the pfx was created and exported from IIS itself. If I created a PFX from any other place it didn't work. Why tho, I have no idea.

Go to: IIS-Server Certificates-Create Certificate Request. Copy the signing request to your CA and then import it into IIS. When that's done you can export the .pfx and put it in your CCS location. You can then remove the certificate in IIS-Server Certificates.

I have still no idea why this worked. But hope this helps you!

tattrall
1

For anyone that runs into this in the future, it appears that you will always see "Bad data" listed whenever you import a certificate into CCS and you enter share credentials that do not match the account you are currently logged into. Not sure if this is a security "feature" or what, but I changed my service account around so I could log in to it and then connected to the same box and had zero issues with the imported cert properly showing up in CCS. Switch back to my account and it shows "Bad data" again. I believe this would be the case if you used any credentials except for your own when importing. I haven't yet confirmed whether or not it causes any issues leaving it with my service account credentials though.

1

Not sure if this applies here, but we had an issue where we were using Let's Encrypt and we had to place their root certificates into the Trusted Root Certification Authorities before we could view the certificates inside IIS, similar to the issues found here:

https://github.com/ridercz/AutoACME/issues/14