So I have a server that was used by someone else to run the same website for a while. At some point, the previous developers installed an SSL certificate that expired in 7 days.
When I came in, I removed any forced SSL option from the IIS websites, because it is just a testing-site, so I don't think SSL is needed.
Anyway, the host sent an email regarding security vulnerabilities in their server, and they copy-pasted some sort of application scan results, one of the vulnerabilities they mentioned is "expired certificate", "force SSL", and "upgrade to SSL 3 from 2".
To me, I don't think I need SSL, so how can I disable it in IIS, so that these server admins don't continue to send me email to activate it.
Best Answer
You can disable SSL by removing the certificate from the web site.
On the web site, right click it and hit "Properties". On the "Directory Security" tab, click "Server Certificate..". Click next, then "Remove the current certificate" in the radio list, then click Finish.
That will remove the SSL certificate from the site. The last thing is to close 443 (or whatever SSL port you were using) on your firewall if you don't anticipate needing SSL requests.
Note that it is entirely possible for your hosting company to send another email that says "It appears your site isn't configured for SSL".