This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 33%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBM%3C/text%3E%3C/svg%3E)
I built out the website in IIS. When I go to the webpage the page itself shows up, but I am getting the icon for saying the URL is 'Not secure' even though I am using a https based URL. The icon itself is next to the URL and where the site information icon usually is. I do not getting the page itself saying it isn't secured with the typical option to continue forward. I do have a cert attached to the site. The cert is set up as the same as the one in Prod. Only real difference is this server is 2022 as where Prod is 2016. I even copied in the applicationHost and web.config from Prod as part of setting up the new server.
A set of technologies in .NET for building web applications and web services. Miscellaneous topics that do not fit into specific categories.
The answer was something incredibly random. I did a OS update for my Citrix environment for a separate issue, and that's what resolved the unsecured showing.
I'm not finding a private key for either Prod or Test so I must not be looking at the right spot. I'm not seeing where the TLS version is defined. The only version I see looking at the site info via the one icon is version 3 and it's the same for Prod and Test.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 1%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJD%3C/text%3E%3C/svg%3E)
Hi @Brown, Matt ,
Thanks for your feedback.
For the private key, open IIS Manager -> server name -> Server Certificates, then open the certificate and confirm it shows “You have a private key that corresponds to this certificate.”
Regarding TLS, the “version 3” you’re seeing in the site info is likely HTTP/3, not the TLS version. TLS isn’t defined at the site level in IIS; it’s negotiated per connection. You’ll want to compare the negotiated TLS protocol and cipher for Prod vs Test in the browser’s connection/security details rather than IIS itself.
If both look identical, the next step would be to compare the server-wide TLS/cipher configuration between Prod and Test, as that’s where Server 2022 differences usually show up.
Hi @Brown, Matt ,
Thanks for reaching out.
If the site is loading over HTTPS but the browser still shows “Not secure” in the address bar, that usually means the TLS connection is working, but the browser doesn’t fully trust something about it. If you click the “Not secure” indicator (or the lock icon) in the browser’s address bar, the browser will usually tell you what it doesn’t trust, which can help narrow down the cause quickly.
A few common things I’d suggest checking:
Certificate trust chain
Even if the same certificate works fine in Prod, the new Server 2022 machine may be missing one of the intermediate or root certificates. Browsers require the full chain to be present and trusted.
Certificate name mismatch
Double-check that the certificate’s CN or SAN exactly matches the URL you’re browsing to.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(224.00000000000003, 32%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESR%3C/text%3E%3C/svg%3E)
https://site vs https://site.domain.comMixed content
If the page itself is HTTPS but it’s loading scripts, images, or CSS over HTTP, browsers will downgrade the security indicator.
TLS / cipher differences on Server 2022
Server 2022 has stricter TLS and cipher defaults compared to 2016.
IIS bindings / SNI
It’s also worth rechecking the HTTPS binding in IIS:
Since you’re not seeing a full-page certificate warning, that’s actually a good sign. The connection is being established securely, but something (most often a missing intermediate cert or mixed content) is preventing the browser from marking it as fully trusted.
Hope this helps! If my answer was helpful - kindly follow the instructions here so others with the same problem can benefit as well.
I click on the icon and it says 'Your connection to this site isn't secure.' The cert is shown as being valid. It is not It is the same one in prod. I am using the same cert in Test before the server was upgraded from 2016 to 2022.
Cert chain for both Prod and Test are the same. CN looks to be correct. I get no messages about mixed content.
Hi @Brown, Matt ,
Thanks for confirming. Since the cert is valid, the chain matches Prod, the CN/SAN is correct, and there’s no mixed content, this likely isn’t a certificate issue.
Given the only real change is Server 2016 -> 2022, the most likely causes are TLS/cipher negotiation differences or an IIS binding/SNI issue after the upgrade. At this point, I’d recommend re-verifying the HTTPS binding (hostname and SNI), confirming the certificate is properly associated with its private key, and ensuring the connection is negotiating TLS 1.2 or newer.
If the issue persists, comparing the negotiated TLS details between Prod and Test side-by-side usually exposes the difference very quickly.
Hope this helps narrow it down.
What are the bes ways of doing those things?
Hi @Brown, Matt ,
You can approach it like this:
If my answer was helpful - kindly follow the instructions here so others with the same problem can benefit as well.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 61%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
SSL certificates include the domain name. This match the domain in the url. Unless the test server has the same url (say you are using localhost to override) as production the certificate will not work.
the test need it on certificate based on its domain name. Generally you will to buy this certificate. You can use a self signed, but the the self signed certificate needs to be added as trusted to every client.
The issue you are experiencing, where the site is deemed 'Not secure' despite having a certificate and using an HTTPS URL, can be caused by several factors. Here are some troubleshooting steps you can take:
netsh http show ssl to check the SSL configuration. Make sure the certificate hash is correctly registered and is not NULL or an invalid GUID.By following these steps, you should be able to identify and resolve the issue causing the site to be marked as 'Not secure'.
References: