When renewing certificates in IIS, one thing to remember is to ensure that every port binding also has a certificate assigned to it. You may import a new, valid certificate into IIS and remove the old one, but if the old certificate was assigned to a port binding that one of your sites still uses, that binding may still try to use the old certificate, causing security issues for your sites.

To check that the above is set up properly, there is a helpful command you can run. In PowerShell, run the following:

netsh http show sslcert

This will show you all SSL certificates currently assigned to any ports, helping you to check that the correct certificates are bound to the correct ports.

This also works for individual IP addresses and ports. If you want to narrow your troubleshooting, you can filter by a specific IP address and port like so:

netsh http show sslcert ipport=0.0.0.0:443
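The post's check can be automated so that a stale binding is reported rather than spotted by eye. The script below is an added example, not code from the original post: it parses the output of `netsh http show sslcert`, looks up each bound certificate hash in the `Cert:\LocalMachine\My` store and reports bindings whose certificate is missing (removed after renewal), already expired, or about to expire. The function names `Get-SslCertBinding` and `Test-SslCertBinding` and the 30-day warning threshold are my own choices; the script assumes English-language `netsh` output and an elevated PowerShell session.

```powershell
# Added example (not from the original post): cross-check every HTTP.sys SSL
# binding reported by "netsh http show sslcert" against the certificates that
# actually exist in Cert:\LocalMachine\My. Assumes English netsh output and an
# elevated PowerShell session.

function Get-SslCertBinding {
    # Parse the text output of netsh into one object per binding.
    # Both "IP:port" (classic) and "Hostname:port" (SNI) bindings are handled.
    $bindings = @()
    $current  = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s+(IP:port|Hostname:port)\s+:\s+(\S+)') {
            if ($current) { $bindings += $current }
            $current = [pscustomobject]@{
                Binding   = $Matches[2]
                Hash      = $null
                StoreName = $null
                AppId     = $null
            }
        }
        elseif ($current -and $line -match '^\s+Certificate Hash\s+:\s+(\S+)') {
            # netsh prints the hash in lower case; thumbprints in the store are upper case.
            $current.Hash = $Matches[1].ToUpperInvariant()
        }
        elseif ($current -and $line -match '^\s+Certificate Store Name\s+:\s+(.+?)\s*$') {
            $current.StoreName = $Matches[1]
        }
        elseif ($current -and $line -match '^\s+Application ID\s+:\s+(\S+)') {
            $current.AppId = $Matches[1]
        }
    }
    if ($current) { $bindings += $current }
    return $bindings
}

function Test-SslCertBinding {
    # Report one row per binding with a status of MISSING, EXPIRED, EXPIRING_SOON or OK.
    param([int]$WarnDays = 30)

    # Index the machine's personal store by thumbprint for O(1) lookups.
    $store = @{}
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $store[$cert.Thumbprint.ToUpperInvariant()] = $cert
    }

    foreach ($b in Get-SslCertBinding) {
        $cert = if ($b.Hash) { $store[$b.Hash] } else { $null }
        $status =
            if (-not $cert)                                           { 'MISSING' }
            elseif ($cert.NotAfter -lt (Get-Date))                    { 'EXPIRED' }
            elseif ($cert.NotAfter -lt (Get-Date).AddDays($WarnDays)) { 'EXPIRING_SOON' }
            else                                                      { 'OK' }
        $subject  = if ($cert) { $cert.Subject }  else { $null }
        $notAfter = if ($cert) { $cert.NotAfter } else { $null }

        [pscustomobject]@{
            Binding  = $b.Binding
            Hash     = $b.Hash
            Status   = $status
            Subject  = $subject
            NotAfter = $notAfter
        }
    }
}

# Anything other than OK is a binding that will fail or warn for clients.
Test-SslCertBinding | Format-Table -AutoSize
```

A binding reported as MISSING is exactly the situation the post describes: the hash HTTP.sys still serves no longer matches any certificate in the store. To compare the HTTP.sys view with what IIS itself believes is configured, the WebAdministration module's `Get-WebBinding -Protocol https | Select-Object bindingInformation, certificateHash, certificateStoreName` shows the per-site binding and hash, which should line up with the rows above.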