<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>ThinkPlusPlus</title>
	<atom:link href="http://www.thinkplusplus.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.thinkplusplus.com</link>
	<description>Thinking Unleashed</description>
	<lastBuildDate>Wed, 28 Mar 2012 23:57:24 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Windows SBS 2008 / IIS 7 &amp; SSL Certificate Renewal Issue</title>
		<link>http://www.thinkplusplus.com/2012/02/windows-sbs-2008-iis-7-ssl-certificate-renewal-issue/</link>
		<comments>http://www.thinkplusplus.com/2012/02/windows-sbs-2008-iis-7-ssl-certificate-renewal-issue/#comments</comments>
		<pubDate>Wed, 22 Feb 2012 10:00:00 +0000</pubDate>
		<dc:creator>nicknow</dc:creator>
				<category><![CDATA[Tech Support]]></category>
		<category><![CDATA[Windows]]></category>
		<category><![CDATA[IIS 7]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[SSL]]></category>
		<category><![CDATA[Web Server]]></category>

		<guid isPermaLink="false">http://www.thinkplusplus.com/2011/01/windows-sbs-2008-iis-7-ssl-certificate-renewal-issue/</guid>
		<description><![CDATA[We were recently supporting a Windows Small Business Server 2008 installation that required an SSL Certificate Renewal.  This is normally a very straightforward process of generating the renewal request in IIS 7, sending it to GoDaddy (or your preferred SSL provider), and importing the new certificate.  We completed those steps without issue and checked [...]]]></description>
			<content:encoded><![CDATA[<p>We were recently supporting a Windows Small Business Server 2008 installation that required an SSL Certificate Renewal.  This is normally a very straightforward process of generating the renewal request in IIS 7, sending it to GoDaddy (or your preferred SSL provider), and importing the new certificate.  We completed those steps without issue and checked that the new SSL certificate was working on the remote.domain.com web address of SBS2008.  Everything worked successfully.</p>
<p>This particular setup utilizes a number of port addresses (not our preferred setup but it is how the client wanted it) to support additional applications with their SSL certificate.  This in essence allowed the SSL certificate for remote.domain.com to serve multiple sites in IIS 7 by using ports such as remote.domain.com:5444, remote.domain.com:6545, etc.<span id="more-201"></span></p>
<p>After renewing the certificate these sites were showing as having an expired certificate in the browser – not an ideal scenario (we tried clearing cache/history with no luck).  We checked in IIS 7 and saw that both the new certificate and the expired certificate were showing (IIS 7 –&gt; <em>Server Name</em> –&gt; Server Certificates).  After making an additional backup of the expired certificate we used the <strong>Remove</strong> action to delete the expired certificate and restarted the server.  Unfortunately the issue of the expired certificate continued to haunt the browsers.</p>
<p><a href="http://www.thinkplusplus.com/wp-content/uploads/2011/01/image4.png"><img style="background-image: none; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; padding-top: 0px; border: 0px;" title="image" src="http://www.thinkplusplus.com/wp-content/uploads/2011/01/image_thumb4.png" alt="image" width="212" height="233" border="0" /></a></p>
<p>So it was time to do some research.  The blog post at <a title="http://edbartram.posterous.com/renewing-ssl-certificate-on-iis-7-woes" href="http://edbartram.posterous.com/renewing-ssl-certificate-on-iis-7-woes">http://edbartram.posterous.com/renewing-ssl-certificate-on-iis-7-woes</a> was similar to our problem, but the solution reported, complete removal of the certificate, was likely overkill (as the author, <a title="http://twitter.com/edbartram" href="http://twitter.com/edbartram">http://twitter.com/edbartram</a>, admits) and, since our problem was slightly different, might not really be the solution we needed.  What the author did mention was the idea of rebinding the certificate to port 443.  Ah, we knew that 443 was properly bound (from our test of remote.domain.com), but we wondered whether the bindings had gotten messed up in the process of renewing the certificate.  In IIS we selected the appropriate site and clicked on <strong>Bindings</strong>.</p>
<p><a href="http://www.thinkplusplus.com/wp-content/uploads/2011/01/image5.png"><img style="background-image: none; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; padding-top: 0px; border: 0px;" title="image" src="http://www.thinkplusplus.com/wp-content/uploads/2011/01/image_thumb5.png" alt="image" width="186" height="186" border="0" /></a></p>
<p>We selected the appropriate site binding (in this case an HTTPS binding with a particular port number) and clicked edit.</p>
<p><a href="http://www.thinkplusplus.com/wp-content/uploads/2011/01/image6.png"><img style="background-image: none; padding-left: 0px; padding-right: 0px; display: inline; padding-top: 0px; border: 0px;" title="image" src="http://www.thinkplusplus.com/wp-content/uploads/2011/01/image_thumb6.png" alt="image" width="338" height="139" border="0" /></a></p>
<p>Sure enough, the Site Binding showed “Not Selected” for the SSL Certificate.</p>
<p><a href="http://www.thinkplusplus.com/wp-content/uploads/2011/01/image7.png"><img style="background-image: none; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; padding-top: 0px; border: 0px;" title="image" src="http://www.thinkplusplus.com/wp-content/uploads/2011/01/image_thumb7.png" alt="image" width="244" height="133" border="0" /></a></p>
<p>A quick selection of the appropriate certificate (and a view of the certificate to ensure we were binding the new certificate) and we were good to go.  Checked out the browsers and everything was working properly – no IIS restart required.  Went through doing the same on each site and everything is working correctly.</p>
<p><a href="http://www.thinkplusplus.com/wp-content/uploads/2011/01/image8.png"><img style="background-image: none; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; padding-top: 0px; border: 0px;" title="image" src="http://www.thinkplusplus.com/wp-content/uploads/2011/01/image_thumb8.png" alt="image" width="244" height="131" border="0" /></a></p>
<p>Our guess is that since we used the SBS Console to process the renewal it did not process the renewal in exactly the same manner as if you perform the renewal in IIS.  Thus while the SBS Console got the binding for 443 correct it did so in a way that killed the other bindings.  We still don’t know why IIS was serving the old certificate if it was not bound to the site and we had removed the certificate in IIS.  Those will have to remain mysteries until someone decides to enlighten us or we run across this issue again.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.thinkplusplus.com/2012/02/windows-sbs-2008-iis-7-ssl-certificate-renewal-issue/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

