Bartram's Bits

Ed Bartram

Jun 28 / 9:54am

Renewing SSL Certificate on IIS 7 Woes

One of our Windows 2008 IIS 7.0 webservers had an SSL certificate on it that we renewed.  I thought I had it taken care of: I had generated the request, we submitted it to the authority, paid for it, received the new certificate and completed the request.  All good.  Right?  Wrong.  

The old certificate expired and the server was still using it, so users were getting "certificate expired" messages warning them to continue at their own risk.  Not good.  I checked IIS Manager, selected the server, selected Server Certificates and saw both certificates listed with the old one on top.  Ok, fine, I clicked remove for the old one, stopped and started IIS, and had my user test it.  The user confirmed we're good.  ...Except we're not.  

Later, I received an email from another user reporting the same problem.  I looked into it again and found that the server was still serving out the old certificate!  Thinking it might have been cached in my browser, I cleared everything out, but it was STILL serving the old certificate.  In retrospect I think I now know what caused the problem, but my next move probably exacerbated the situation: I removed the new SSL certificate.  No SSL certificates installed on the server, but, again, it was still serving out the old cert.

But wait, it got worse.  I tried to re-request a certificate from the web server and install the certificate from the authority.  Error message: CertEnroll::CX509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b (ASN: 267).  Crud.  But thanks to Google and "chaun" on the Microsoft blogs at http://blogs.msdn.com/b/webtopics/archive/2009/01/03/asn1-bad-tag-value-met-error-when-processing-a-certificate-request-in-iis-7.aspx, I was able to locate his very helpful solution #2 and re-install the certificate.  Hooray!

In some other search results I noticed that the SSL certificate needed to be rebound to port 443.  This is probably all I really needed to do before instead of removing certs, but I wasn't aware of that at the time.  And IIS 7 handles SSL certificates differently than previous versions I was familiar with.  I guess I thought IIS would have handled this, but no, it doesn't.  So.  In IIS Manager, I navigated to the site, clicked bindings, located https, clicked edit, selected the SSL certificate, and OK'ed/Closed my way out of the wizards.
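A way to check which certificate each HTTPS endpoint is actually bound to, as an added example that is not part of the original post. It assumes an elevated PowerShell 2.0 or later prompt on the server, English `netsh` output, and certificates in the `LocalMachine\My` store; matching a renewed certificate by identical subject is a heuristic of this example.

```powershell
# Added example: report which certificate each HTTPS endpoint is bound to.
# Assumes an elevated prompt, PowerShell 2.0 or later, and English netsh output.

# netsh prints one block per binding; only two lines of each block are needed.
$bindings = @()
$current  = $null
foreach ($line in (netsh http show sslcert)) {
    if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
        $current = New-Object PSObject -Property @{ Endpoint = $Matches[1]; Thumbprint = '' }
        $bindings += $current
    }
    elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
        $current.Thumbprint = $Matches[1].ToUpper()
    }
}

# Assumption: the site's certificates live in the machine's Personal store.
$store = @(Get-ChildItem Cert:\LocalMachine\My)
$now   = Get-Date

$report = foreach ($b in $bindings) {
    $cert   = $store | Where-Object { $_.Thumbprint -eq $b.Thumbprint } | Select-Object -First 1
    $status = 'OK'
    $newer  = $null
    if (-not $cert) {
        $status = 'bound certificate is not in LocalMachine\My'
    }
    else {
        if ($cert.NotAfter -lt $now) { $status = 'EXPIRED' }
        # Heuristic of this example: a renewal usually keeps the same subject.
        $newer = $store | Where-Object {
            $_.Subject -eq $cert.Subject -and $_.NotAfter -gt $cert.NotAfter -and $_.HasPrivateKey
        } | Sort-Object NotAfter -Descending | Select-Object -First 1
        if ($newer) { $status += '; newer certificate in store is not bound' }
    }
    New-Object PSObject -Property @{
        Endpoint  = $b.Endpoint
        Bound     = $b.Thumbprint
        NotAfter  = $(if ($cert) { $cert.NotAfter } else { $null })
        Status    = $status
        Candidate = $(if ($newer) { $newer.Thumbprint } else { $null })
    }
}
$report | Format-List Endpoint, Bound, NotAfter, Status, Candidate
```

An endpoint reported as `EXPIRED`, or one with a `Candidate` thumbprint, is the situation fixed above by re-selecting the certificate in the site's https binding.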

And that is how I spent a good part of my morning today.  I look forward to reviewing this next year!