6

The SSL certificate for my web site just expired a few days ago, and I would like to renew it.

I originally issued it two years ago using my Windows 2008 Certificate Authority, and it's worked without a hitch in all that time, so I would like to renew the certificate as simply as possible to make sure that all the applications relying on that certificate continue to work.

I can open an MMC instance and add the Certificates snap-in for the Local Computer. I can find the relevant certificate under Personal, but I can't renew it.

When I select Renew certificate with new key I get the following message:

Web Server Status: Unavailable
The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
You do not have permission to request this type of certificate.

However, I can't understand this, as I'm logged on as a Domain Admin and I'm running the MMC instance in elevated mode.

I've checked the Web Server certificate template, and Domain Admins have the Enroll permission on this template.

FWIW, I also tried rebooting the server.

How can I renew the certificate?

Mark Seemann

3 Answers

6

It is not possible to renew an expired certificate. You will have to issue a new certificate.

Reference: http://technet.microsoft.com/en-us/library/dd378790(WS.10).aspx

You cannot renew a certificate that has already expired. If you try to renew a certificate that has expired, the certification authority (CA) will reject the request, and you will see an error message similar to "Error Verifying Request Signature or Signing Certificate. A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file." This message will also be displayed in the Failed Requests node of the issuing CA. If your certificate has already expired, you must request a new certificate instead of renewing the existing certificate.

Skyhawk
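Because an expired certificate cannot be renewed, renewal has to be started while the certificate is still inside its validity period. The following PowerShell is an added example, not part of the original answer: it lists the certificates in the Local Computer Personal store and flags which can still be renewed and which need a new request. The function name `Get-CertRenewalStatus` and the 30-day warning window are assumptions.

```powershell
# Added example: classify machine certificates by whether renewal is still possible.
# Assumption: a 30-day warning window; set -WarnDays to match your own policy.
function Get-CertRenewalStatus {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',  # Local Computer > Personal
        [int]$WarnDays = 30
    )

    $now = Get-Date

    Get-ChildItem -Path $StorePath | ForEach-Object {
        # NotBefore/NotAfter are the validity period the CA checks on renewal.
        if ($_.NotAfter -lt $now) {
            $action = 'Expired: request a new certificate'
        } elseif ($_.NotBefore -gt $now) {
            $action = 'Not yet valid: check the system clock'
        } elseif ($_.NotAfter -lt $now.AddDays($WarnDays)) {
            $action = 'Expiring: renew now'
        } else {
            $action = 'OK'
        }

        New-Object PSObject -Property @{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            DaysLeft   = [int][math]::Floor(($_.NotAfter - $now).TotalDays)
            Action     = $action
        }
    }
}

# Run from an elevated prompt so the Local Computer store is readable.
Get-CertRenewalStatus |
    Sort-Object NotAfter |
    Format-Table Subject, NotAfter, DaysLeft, Action -AutoSize
```

Running this on a schedule and alerting on anything other than `OK` leaves time to renew before the validity period ends.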
2

You can renew from IIS manager under administration tools. Start IIS manager and then expand your node. Right-click web sites and then choose properties. Click Directory security and then choose secure certification.

Chris
0

I could be way off, but what I think you want is the certificate authority snap-in, rather than the local cert snap-in. I'd hope you could pull up and extend the cert from there. It makes more sense when you imagine a typical scenario where the issuing CA would be a different server than the one using the certificate.

Kara Marfia
  • I can find the certificate from the Certificate Authority snap-in, but the only remotely relevant action I can take from there is revoking the certificate. – Mark Seemann Apr 04 '10 at 21:27