Bug in IIS 7.5 (W2K8R2): Unable to bind a wildcard SSL certificate to IIS website unless marked exportable

Note: This is a cross-post of a thread with the same subject line in the TechNet Windows Server/Security forum, on the advice of one of the respondents.

Environment:

  • Server: Windows Server 2008 R2
    • Clean install (i.e., not an upgrade) with the IIS role enabled
  • Certificate: Wildcard SSL certificate (in this case, from DigiCert)
    • Install the *.domain.com certificate per vendor instructions and mark it as exportable (this was done on a W2K3 host)
    • Export a star_domain_com.pfx file (to be used below in the W2K8R2 environment)

Steps to reproduce problem:

  1. Log in as administrator on the W2K8R2 server
  2. Double-click star_domain_com.pfx to launch the Certificate Import Wizard; complete the Wizard, leaving the “exportable” option unchecked.
  3. Ensure that the certificate is properly installed (including all intermediate certificates, either manually or by using the vendor's certificate utility)
  4. Create a new website, site1.domain.com, using IIS Manager (i.e., “Add Web Site…” and fill in site name, content directory, host name, etc. … in my case, I started by creating the site with an HTTP, port 80, binding)
  5. Add an SSL binding to the site using “Edit Site” (i.e., “Bindings…”, “Add…” with parameters HTTP, All Unassigned IP addresses, Port 443, and SSL certificate *.domain.com)
    • This generates the “Add Site Binding” error: “There was an error while performing this operation. Details: A specified login session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)”
  6. Unable to associate the certificate with this binding.

Work-around: First REMOVE the certificate using IIS Manager (i.e., select “Server Certificates” and take the “Remove” action), then follow the same steps above, EXCEPT in Step 2 mark the certificate as “exportable”, and then:

  1. Add the SSL binding (i.e., as above, but this time without getting the error)
  2. Use “appcmd” to add the host header mapping:
    appcmd set site /site.name:site1 /bindings.[protocol='https',bindingInformation='*:443:'].bindingInformation:*:443:site1.domain.com
  3. Verify the installation (e.g., using the vendor's website)

Primary concern with work-around: One of the problems with the work-around is that the certificate (with its private key) is now exportable by anyone who has access to this server … this is not a “security best practice” for wildcard certificates.

Please also see additional activity on the original TechNet post.
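As an added example (not part of the original post, and not a fix for the wizard error it reports), the following PowerShell script shows the command-line counterpart of the procedure above while keeping the wildcard key non-exportable: it imports the PFX into the LocalMachine\My store without the Exportable key-storage flag, lists every certificate in that store whose private key is marked exportable (the concern raised above), and then performs the two halves of an IIS 7.x SSL binding from the shell, the http.sys certificate mapping via netsh and the site binding with host header via appcmd. The PFX path, password prompt, site name and host header are placeholders; the app ID is the one IIS registers for its own http.sys SSL bindings. Run it in an elevated PowerShell session on the IIS host.

```powershell
# Added example, not code from the original post.
# Assumptions (placeholders): PFX path, site name and host header below.
Add-Type -AssemblyName System.Security

$pfxPath    = 'C:\certs\star_domain_com.pfx'                      # assumption
$siteName   = 'site1'                                            # assumption
$hostHeader = 'site1.domain.com'                                 # assumption
$iisAppId   = '{4dc3e181-e14b-4a21-b022-59fc669b0914}'           # app ID IIS uses for its http.sys SSL bindings

function Import-PfxNonExportable {
    param([string]$Path, [System.Security.SecureString]$Password)
    # MachineKeySet + PersistKeySet only: the Exportable flag is deliberately omitted,
    # so the private key is written to the machine key container without export permission.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet -bor `
             [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password, $flags)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add($cert)
    $store.Close()
    return $cert
}

function Get-ExportableMachineCerts {
    # Lists LocalMachine\My certificates whose CSP private key is flagged exportable.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadOnly')
    foreach ($c in $store.Certificates) {
        if (-not $c.HasPrivateKey) { continue }
        try {
            # RSACryptoServiceProvider exposes the container flags; CNG keys throw on .NET 3.5
            $exportable = $c.PrivateKey.CspKeyContainerInfo.Exportable
        } catch {
            $exportable = $null   # unknown (CNG key or inaccessible key); report it for review
        }
        if ($exportable -ne $false) {
            New-Object PSObject -Property @{
                Subject    = $c.Subject
                Thumbprint = $c.Thumbprint
                Exportable = $exportable
            }
        }
    }
    $store.Close()
}

$pfxPassword = Read-Host -AsSecureString 'PFX password'
$cert = Import-PfxNonExportable -Path $pfxPath -Password $pfxPassword
Write-Host "Imported $($cert.Subject) thumbprint $($cert.Thumbprint)"

Write-Host 'Certificates in LocalMachine\My with exportable (or undetermined) private keys:'
Get-ExportableMachineCerts | Format-Table Subject, Thumbprint, Exportable -AutoSize

# Half 1: tell http.sys which certificate serves 0.0.0.0:443 (what IIS Manager does behind the scenes).
& netsh http add sslcert ipport=0.0.0.0:443 "certhash=$($cert.Thumbprint)" "appid=$iisAppId"

# Half 2: add the https site binding with a host header in applicationHost.config.
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
& $appcmd set site "/site.name:$siteName" "/+bindings.[protocol='https',bindingInformation='*:443:$hostHeader']"

# Review what http.sys now holds for the port.
& netsh http show sslcert ipport=0.0.0.0:443
```

The netsh step is the one IIS Manager performs when you pick a certificate in “Add Site Binding”; doing it separately makes it visible whether the failure is in the http.sys mapping or in the IIS configuration. If Get-ExportableMachineCerts lists the wildcard certificate with Exportable = True after the work-around described above, the key was imported with the export permission and can be pulled off the host with certutil or the MMC snap-in by anyone holding local administrator rights.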