Microsoft KB Archive/185496

= Changing IP/Port on SSL Web May Require Key Manager Change =

Article ID: 185496

Article Last Modified on 6/23/2005

-

APPLIES TO


 * Microsoft Internet Information Server 4.0

-



This article was previously published under Q185496



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SUMMARY
When a server certificate is applied to an Internet Information Server version 4.0 (IIS) Web server, the server certificate must be bound to the IP address and port number. If there are multiple certificates loaded but not bound, the server may not use the certificate correctly.



MORE INFORMATION
Secure Socket Layer (SSL) connections may fail if the settings in Key Manager are incorrect. By default, Key Manager sets up IIS to use the certificate on all unassigned IP addresses and all unassigned ports. Unassigned means IP addresses or Port combinations are not currently bound to a certificate.

If you bind a certificate to a specific IP address or Port and then change the IP or Port combination of the Web server, you must also change the setting in Key Manager.

Example: If you have a Web server, www.myserver.com, on IP address 10.56.65.200 and port 443 (for SSL traffic), the server certificate must also be bound to 10.56.65.200:443.

However, if you change the server address to 10.56.65.201:443, you must also change the setting to 10.56.65.201:443 in Key Manager. If you do not, IIS does not service requests for the new IP address and Port because it is still bound to 10.56.65.200:443.

Keywords: kbhowto KB185496

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.