Error: SSL certificate selection fails to save in IT Management Suite Site Server Communication Profile

Article ID: 442728


Products

IT Management Suite

Issue/Introduction

When an administrator attempts to manually assign a Secure Sockets Layer (SSL) certificate to a Site Server Communication Profile within the Symantec Management Platform (SMP) Console, the UI allows the user to select the certificate and click "OK." However, after clicking "Save Changes" or navigating away, the certificate assignment disappears and does not persist. A persistent "Red Warning" remains visible in the console indicating that a required certificate is missing from the Site Server profile.

This behavior is most frequently encountered following a server migration, an infrastructure upgrade, or in environments where multiple certificates share identical or highly similar Subject Names within the configuration database.

Administrators may observe one or more of the following symptoms:

  • An SSL certificate can be selected from the Site Server Communication Profile certificate picker.
  • After clicking OK and saving the profile, the certificate selection is cleared.
  • The Site Server Communication Profile displays a warning indicating that no valid SSL certificate is configured.
  • Multiple certificates with similar subject names appear in the certificate picker.

Environment

IT Management Suite (ITMS) 8.7.x, 8.8.x

Cause

The configuration failure occurs due to a strict validation mechanism enforced by the Symantec Management Platform. When an administrator updates a Site Server Communication Profile, the SMP verifies the certificate's unique cryptographic thumbprint against the actual Hypertext Transfer Protocol Secure (HTTPS) bindings deployed on the remote Site Server. If the selected certificate's thumbprint does not match the active Internet Information Services (IIS) binding on Port 443 for that specific Site Server, the configuration database rejects the assignment to prevent communication failures, and the console UI drops the selection without throwing an explicit error.

The selected certificate does not match the SSL certificate currently bound to the Site Server's IIS HTTPS binding.
Symantec Management Platform validates the certificate using the certificate thumbprint. If the selected certificate thumbprint differs from the thumbprint configured in IIS, the certificate assignment is rejected and is not saved in the Communication Profile.

This can occur when:

  • Multiple certificates exist with identical or similar subject names.
  • A certificate was renewed and both old and new certificates remain installed.
  • An incorrect certificate is selected from the certificate picker.

Note: The certificate picker may display multiple certificates with similar names. Always validate the certificate thumbprint rather than relying on the certificate subject name.

Resolution

Diagnostic Validation

Verify IIS SSL Binding Using Command Line

Run the following command from an elevated Command Prompt:

netsh http show sslcert

Example output:

IP:port                 : 0.0.0.0:443
Certificate Hash        : <Certificate Thumbprint>

The Certificate Hash should match the thumbprint of the certificate selected in the Site Server Communication Profile.


Verify Installed Certificates Using PowerShell

Run the following PowerShell command:

Get-ChildItem Cert:\LocalMachine\My |
Select Subject, Thumbprint

Review the output and identify certificates with similar subject names. Ensure the certificate selected in the Communication Profile matches the thumbprint configured in IIS.
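
The two checks above can be combined into one comparison. The following is an added PowerShell example, not part of the original article or any vendor tooling: it reads the port 443 binding hash from netsh, looks that certificate up in LocalMachine\My, and lists other installed certificates that share its subject. The function name, parameter names and sample values are assumptions constructed for illustration, and the netsh labels are assumed to be the English ones shown above.

```powershell
# Added example. Get-BoundCertReport and its parameters are hypothetical names.
function Get-BoundCertReport {
    param(
        # Defaults read the live system; pass arrays to analyse captured output.
        [string[]]$NetshOutput  = (netsh http show sslcert),
        [object[]]$Certificates = (Get-ChildItem Cert:\LocalMachine\My),
        [string]$PickedThumbprint   # thumbprint you intend to select in the SMP picker
    )
    # Thumbprints copied from a certificate dialog can carry spaces or
    # invisible characters; keep hex digits only before comparing.
    $picked = ($PickedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $endpoint = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*\S+:port\s*:\s*(\S+)') {
            $endpoint = $Matches[1]          # e.g. 0.0.0.0:443
        }
        elseif ($endpoint -like '*:443' -and
                $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
            $bound = $Matches[1].ToUpperInvariant()
            $cert  = $Certificates | Where-Object { $_.Thumbprint -eq $bound } |
                     Select-Object -First 1
            # Same subject, different thumbprint: entries that look alike in the picker
            $twins = @($Certificates | Where-Object {
                $cert -and $_.Subject -eq $cert.Subject -and $_.Thumbprint -ne $bound
            } | ForEach-Object { $_.Thumbprint })
            [pscustomobject]@{
                Endpoint         = $endpoint
                BoundThumbprint  = $bound
                Subject          = $cert.Subject
                InStore          = [bool]$cert
                LookAlikes       = $twins
                PickedMatchesIIS = ($picked -ne '' -and $picked -eq $bound)
            }
        }
    }
}

# Constructed sample input: a renewed certificate left installed beside the old one.
$netsh = @(
    '    IP:port                      : 0.0.0.0:443',
    '    Certificate Hash             : 00112233445566778899aabbccddeeff00112233'
)
$store = @(
    [pscustomobject]@{ Subject = 'CN=siteserver.example.test'; Thumbprint = '00112233445566778899AABBCCDDEEFF00112233' },
    [pscustomobject]@{ Subject = 'CN=siteserver.example.test'; Thumbprint = 'FFEEDDCCBBAA99887766554433221100FFEEDDCC' }
)
Get-BoundCertReport -NetshOutput $netsh -Certificates $store `
    -PickedThumbprint 'ff ee dd cc bb aa 99 88 77 66 55 44 33 22 11 00 ff ee dd cc'
```

On a Site Server, run `Get-BoundCertReport -PickedThumbprint '<thumbprint from the picker>'` from an elevated PowerShell session so the defaults query the live binding and certificate store.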

 

Support Guidance

To resolve this, you must ensure that the certificate selected in the SMP Console matches the thumbprint of the certificate actively used by the Site Server's IIS.

Step 1: Identify the Certificate Bound in IIS

  1. Open Internet Information Services (IIS) Manager.
  2. Expand Sites.
  3. Select the Site Server website.
  4. Click Bindings... from the Actions pane.
  5. Select the https binding (Port 443).
  6. Click Edit.
  7. Record the certificate currently assigned to the HTTPS binding:
    1. Click View... to open the certificate.
    2. Go to the Details tab, scroll down to Thumbprint, and copy the hexadecimal string.

Step 2: Verify the Certificate Thumbprint

  1. Open Settings > All Settings > Notification Server > Site Server Settings > Communication Profiles.
  2. Edit the affected Site Server Communication Profile.
  3. Open the SSL certificate picker.
  4. Locate the certificate currently bound in IIS.
  5. Compare the certificate thumbprint shown in IIS with the thumbprint shown in the certificate picker.
    NOTE: When adding the certificate, do not rely on the "Subject Name" alone. Compare the Thumbprint column in the picker to the value copied in Step 1.
  6. Select the certificate whose thumbprint exactly matches the IIS binding certificate.

Step 3: Save the Communication Profile

  1. Click OK.
  2. Save the Communication Profile.
  3. Reopen the profile and confirm the certificate remains selected.

 

Validation

Use the following checklist to confirm the issue has been resolved:

| Validation Item | Expected Result |
|---|---|
| Communication Profile saves successfully | Certificate remains selected |
| Communication Profile reopened | Certificate assignment persists |
| Site Server warning removed | No SSL certificate warning displayed |
| HTTPS communication functions normally | Site Server communicates successfully |
| Certificate thumbprint matches IIS binding | Match confirmed |

Additional Information

The certificate picker displays certificates available to the platform. Validation occurs when the Communication Profile is saved.

If the selected certificate does not match the certificate currently configured in the IIS HTTPS binding, SMP prevents the configuration from being saved to avoid an invalid SSL communication configuration.

When multiple certificates have similar subject names, always use the certificate thumbprint as the authoritative identifier.