Certificate is valid however, sites using it receiving ERR_SSL_PROTOCOL_ERROR

Running Certify SSL/TLS Certificate Manager 5.6.4.0 on Windows Server 2016 Standard.

My SSL appears 100% valid however, when trying to navigate to the site itself, I receive an error message of: ERR_SSL_PROTOCOL_ERROR.

SSL Check: SSL Checker

Site: https://mail.northrivercpr.com

Might just be your browser if nothing else shows a problem. I don’t see anything wrong.

Hi, I did have a look at your site but I can’t see any particular issues. Is this happening on a particular browser or particular operating system? Clearly it does work but there could be certain combinations that don’t (like old operating systems).

Protocol errors suggest that the client (your browser) can’t talk to the server. I note that your certificate RSA keysize is 4096, and you have many subject alternative names on the same certificate, that’s the only [slightly] unusual thing I can see. Basically, your certificate is fine but your client software/OS may not be.

@jljtgr you are correct, I was able to resolve this an hour or so after posting but didn’t have a chance to update here.

@webprofusion changing the RSA key size to 4096 is ultimately what resolved my issue. Previously it was set to the default and that was causing newer browsers to not accept the certificate as valid for some reason. With respect to the large number of SAN’s that is because it is being used for SmarterMail which is a single IIS site with multiple bindings for each mailbox.

Thank you all for your replies, ultimately updating the RSA Key Size to 4096 was my final resolution.

Interesting! We default to 2048 (and have done for years), this is the first time I’ve heard of 4096 being required to get something to work so will look out for it in the future.

hi totalbsroc, i’m facing the same issue , could tell me how to change the RSA key size please ?

Hi, edit your managed certificate setting in Certify The Web , go to the Certificate tab, and under Advanced > Signing & Security, choose your preferred CSR key type. You will then need to click “Request Certificate” again to get the new certificate.