Problem with this website's security certificate.

Lucas Peñaloza 421 Reputation points
2026-03-07T22:48:23.8133333+00:00

Dear;

We are receiving the following message.

User's image

This is a website that is hosted on an IIS server!!!

User's image

The bindings:

User's image

User's image

User's image

And indeed, we see the certificate!!!

User's image

Now, if we obtain a new certificate, where should we place the new certificate?

User's image

Only in Personal - Certificates????

Must the certificate have some special characteristic????

Thank you so much,

Windows for business | Windows Server | Directory services | Certificates and public key infrastructure (PKI)

Answer accepted by question author
  1. Tracy Le 3,555 Reputation points Independent Advisor
    2026-03-11T00:42:22.6966667+00:00

    Hi Lucas Peñaloza,

    I'm glad to see you successfully received and imported the new certificate! That is a big step forward. The red "X" you are seeing now in the Certification Path tab is actually a very common next hurdle.

    You are completely correct that your new server certificates are not expired (valid until 2026/2028). However, Windows checks the entire "chain of trust" from top to bottom. Even if your new certificate is perfectly valid, the system won't trust it because the "parent" certificate that issued it—in this case, the intermediate authority named IssuingCAGrupoTelecom—has expired on your local machine. If any link in the chain is broken, the whole chain fails validation.

    To fix this, you do not need to change your new server certificates. Instead, you need to reach out to the team that provided them to you (likely your internal IT/PKI team or the Grupo Telecom vendor) and ask them for the updated Intermediate CA certificate for IssuingCAGrupoTelecom.

    Once you receive that updated intermediate certificate file, open your MMC console again. But this time, instead of putting it in the Personal folder, you must import it into the Local Computer > Intermediate Certification Authorities > Certificates store.

    Once that updated parent certificate is safely in the Intermediate store, that red X should immediately disappear, and your IIS site will finally be fully trusted by browsers.

    Let me know if you are able to get your hands on that intermediate certificate!

    Tracy.

    1 person found this answer helpful.

Answer accepted by question author
  1. Tracy Le 3,555 Reputation points Independent Advisor
    2026-03-09T05:38:16.91+00:00

    Hi Lucas Peñaloza,

    I'm just checking in to see if you were able to get your new certificate imported and successfully bound to your IIS site.

    Did the steps I shared help clear up those browser warnings? Please let me know if you're still running into any trouble or have any other questions. I'm always happy to help.

    Tracy.

    1 person found this answer helpful.

Answer accepted by question author
  1. Q&A Assist
    2026-03-07T22:48:41.4866667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The warning indicates a problem with the HTTPS server certificate in IIS, not with the IIS site itself. When replacing it, both placement and certificate properties matter.

    1. Where to place the new certificate

    For an IIS HTTPS binding the server certificate must:

    • Be in the Local Computer certificate store, not the Current User store.
    • Be in the Personal → Certificates store of Local Computer.
    • Contain the private key.

    If the certificate is imported without a private key, IIS cannot use it. Scenario 1 in the reference shows how to verify this and how to repair the mapping if needed:

    • Open the certificate from the MMC snap‑in and confirm that it says “You have a private key that corresponds to this certificate.”
    • If the private key is missing, import a .PFX that includes the private key, or use certutil -repairstore as shown.

    2. Binding the new certificate in IIS

    After importing the new certificate into Local Computer → Personal → Certificates:

    1. Open IIS Manager.
    2. Select the site (for example, WonderWebToken).
    3. Choose Bindings… → https → Edit….
    4. In SSL certificate, select the new certificate from the drop‑down list and save.

    If HTTPS still fails, follow the additional checks from the SSL troubleshooting article:

    • Confirm the certificate chain is trusted. If you see CERT_E_UNTRUSTEDROOT (0x800b0109) when validating the chain, import the issuing CA’s root certificate into Trusted Root Certification Authorities on the server.
    • Ensure the certificate’s Enhanced Key Usage includes Server Authentication and that “Enable all purposes for this certificate” is selected.
    • Verify that HTTP.sys has a correct SSL binding for the IP:port using netsh http show ssl. If the certificate hash or Application ID is blank or all zeros, delete the bad binding with netsh http delete sslcert ipport=0.0.0.0:443 and then re‑create the HTTPS binding in IIS.

    These steps ensure the new certificate is correctly placed, trusted, and bound for use by the IIS site.


    1 person found this answer helpful.
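
The checks named in the answers above (private key present, Server Authentication EKU, every link of the chain unexpired and trusted) as a PowerShell script. This is an added example, not code from any of the answers or from Microsoft; the function name Test-IisServerCertificate is hypothetical, and revocation checking is skipped so the script runs offline.

```powershell
# Added example. Run in an elevated PowerShell session on the IIS server.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # OID of the Server Authentication EKU

function Test-IisServerCertificate {   # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # An absent EKU extension means the certificate is valid for all purposes.
    $eku = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuOids = @($eku | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    $serverAuth = (-not $eku) -or ($ekuOids -contains $ServerAuthOid)

    # Build the chain in machine context, the same stores IIS relies on.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new($true)
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # assumption: offline check only
    $chainOk = $chain.Build($Certificate)

    # One line per link so an expired intermediate or untrusted root stands out.
    $now = Get-Date
    $links = foreach ($element in $chain.ChainElements) {
        $status = @($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        if (-not $status) { $status = 'OK' }
        $expired = if ($element.Certificate.NotAfter -lt $now) { ' EXPIRED' } else { '' }
        '{0} | NotAfter {1:yyyy-MM-dd}{2} | {3}' -f $element.Certificate.Subject,
            $element.Certificate.NotAfter, $expired, $status
    }

    [pscustomobject]@{
        Subject       = $Certificate.Subject
        Thumbprint    = $Certificate.Thumbprint
        HasPrivateKey = $Certificate.HasPrivateKey   # must be True for an IIS binding
        ServerAuthEku = $serverAuth
        ChainValid    = $chainOk
        ChainLinks    = $links
    }
}

# Local Computer > Personal > Certificates is the store IIS bindings read from.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-IisServerCertificate -Certificate $_ } |
    Format-List
```

A link marked EXPIRED or NotTimeValid in ChainLinks identifies the CA certificate that has to be replaced in the Intermediate Certification Authorities store, and UntrustedRoot points at a missing root in Trusted Root Certification Authorities.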

5 additional answers

  1. Lucas Peñaloza 421 Reputation points
    2026-03-11T17:44:30.8333333+00:00

    Hi Tracy,

    We have excellent news!!!

    Thanks to your specifications, we have resolved the problems we had encountered.

