Certificate is valid; however, sites using it receive ERR_SSL_PROTOCOL_ERROR

Running Certify SSL/TLS Certificate Manager 5.6.4.0 on Windows Server 2016 Standard.

My SSL appears 100% valid; however, when trying to navigate to the site itself, I receive an error message of: ERR_SSL_PROTOCOL_ERROR.

SSL Check: SSL Checker

Site: https://mail.northrivercpr.com

Might just be your browser if nothing else shows a problem. I don’t see anything wrong.

Hi, I did have a look at your site but I can’t see any particular issues. Is this happening on a particular browser or particular operating system? Clearly it does work but there could be certain combinations that don’t (like old operating systems).

Protocol errors suggest that the client (your browser) can’t talk to the server. I note that your certificate RSA keysize is 4096, and you have many subject alternative names on the same certificate, that’s the only [slightly] unusual thing I can see. Basically, your certificate is fine but your client software/OS may not be.
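To narrow down a protocol error like the one above from the client side, here is an added diagnostic (not code from this thread or from Certify The Web): it attempts one handshake per TLS version window, reports what was negotiated, and counts the DNS SANs on the served certificate and whether they cover the hostname. It assumes a reachable host and Python 3.7+; getpeercert() does not expose the RSA key size, so that is read separately with `openssl x509 -noout -text`.

```python
import socket
import ssl
from typing import Any, Dict, List

# One probe per protocol window: a server that fails "TLS 1.2 only" but
# passes "default" points at version/cipher negotiation, not the cert.
PROBES = [
    ("TLS 1.2 only", ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_2),
    ("TLS 1.3 only", ssl.TLSVersion.TLSv1_3, ssl.TLSVersion.TLSv1_3),
    ("default", ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3),
]

def negotiate(host: str, port: int = 443, lo=ssl.TLSVersion.TLSv1_2,
              hi=ssl.TLSVersion.TLSv1_3, timeout: float = 5.0) -> Dict[str, Any]:
    """Open one TLS connection restricted to versions [lo, hi] and report the
    negotiated version/cipher; a handshake or transport failure is returned."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = lo
    ctx.maximum_version = hi
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "version": tls.version(),
                        "cipher": tls.cipher()[0], "cert": tls.getpeercert()}
    except (ssl.SSLError, OSError) as exc:  # protocol error, refused, timeout
        return {"ok": False, "error": str(exc)}

def san_summary(cert: Dict[str, Any], hostname: str) -> Dict[str, Any]:
    """Count DNS SANs on a getpeercert() dict and check that hostname is
    covered by an exact entry or a one-label wildcard (the browser rule)."""
    sans: List[str] = [v.lower() for k, v in cert.get("subjectAltName", ())
                       if k == "DNS"]
    host = hostname.lower()
    parent = host.split(".", 1)[1] if "." in host else ""
    covered = host in sans or ("*." + parent) in sans
    return {"san_count": len(sans), "covers_host": covered}

def probe(host: str, port: int = 443) -> List[Dict[str, Any]]:
    """Run every probe window against host and attach the SAN summary."""
    results = []
    for label, lo, hi in PROBES:
        r = negotiate(host, port, lo, hi)
        r["probe"] = label
        if r["ok"]:
            r.update(san_summary(r.pop("cert"), host))
        results.append(r)
    return results

if __name__ == "__main__":
    import sys
    for r in probe(sys.argv[1] if len(sys.argv) > 1 else "example.com"):
        print(r)
```

A window that fails with an SSLError while another succeeds narrows the fault to version or cipher negotiation; a `covers_host` of False means the SAN list, not the handshake, is the problem.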

@jljtgr you are correct, I was able to resolve this an hour or so after posting but didn’t have a chance to update here.

@webprofusion changing the RSA key size to 4096 is ultimately what resolved my issue. Previously it was set to the default and that was causing newer browsers to not accept the certificate as valid for some reason. With respect to the large number of SANs, that is because it is being used for SmarterMail, which is a single IIS site with multiple bindings for each mailbox.

Thank you all for your replies, ultimately updating the RSA Key Size to 4096 was my final resolution.

Interesting! We default to 2048 (and have done for years), this is the first time I’ve heard of 4096 being required to get something to work so will look out for it in the future.

Hi totalbsroc, I'm facing the same issue. Could you tell me how to change the RSA key size please?

Hi, edit your managed certificate setting in Certify The Web, go to the Certificate tab, and under Advanced > Signing & Security, choose your preferred CSR key type. You will then need to click "Request Certificate" again to get the new certificate.

Same issue here, with the same solution of setting RSA keysize to 4096. I think CertifyTheWeb should consider making this the default for Windows Server/IIS since it’s apparently causing a lot of pain for users right out of the box. I’m really glad I found this post, because I was running out of ideas before I just gave up on this program.

Thanks, we’ve definitely not heard of frequent problems with the RSA key size (your comment on this thread is the second time it’s been reported and we have hundreds of thousands of active users). It’s more frequently a problem when the default is an ECDSA key and changing to RSA fixes it.

Can you point to something that says RSA 4096 is required for some browser or software?

For anyone looking to use a different key type/size by default you can change this under Settings, or you can set per-managed certificate preferences under Certificate > Advanced > Signing & Security.