How do I renew a Web Server certificate in Windows Server 2008?

Question

The SSL certificate for my web site just expired a few days ago, and I would like to renew it.

I originally issued it two years ago using my Windows 2008 Certificate Authority, and it's worked without a hitch in all that time, so I would like to renew the certificate as simply as possible to make sure that all the applications relying on that certificate continue to work.

I can open an MMC instance and add the Certificates snap-in for the Local Computer. I can find the relevant certificate under Personal, but I can't renew it.

When I select Renew certificate with new key I get the following message:

Web Server Status: Unavailable
The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
You do not have permission to request this type of certificate.

However, I can't understand this, as I'm logged on as a Domain Admin and I'm running the MMC instance in elevated mode.

I've checked the Web Server certificate template, and Domain Admins have the Enroll permission on this template.

FWIW, I also tried rebooting the server.

How can I renew the certificate?

score 6 · Accepted Answer · answered Apr 04 '10 at 22:47

It is not possible to renew an expired certificate. You will have to issue a new certificate.

Reference: http://technet.microsoft.com/en-us/library/dd378790(WS.10).aspx

You cannot renew a certificate that has already expired. If you try to renew a certificate that has expired, the certification authority (CA) will reject the request, and you will see an error message similar to "Error Verifying Request Signature or Signing Certificate. A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file." This message will also be displayed in the Failed Requests node of the issuing CA. If your certificate has already expired, you must request a new certificate instead of renewing the existing certificate.

Okay, thanks. How do I issue a new certificate from the local CA? I've completely forgotten how I did it last time around... — Mark Seemann, Apr 05 '10 at 14:37
and it looks like you can't renew self-signed anyway, but will always have to re-issue a new one. Fun! — Kara Marfia, Apr 05 '10 at 14:46

score 2 · Answer 2 · answered Mar 11 '14 at 16:56

2

You can renew from IIS manager under administration tools. Start IIS manager and then expand your node. Right click web sites and then choose properties. Click Directory security and then choose secure certification

answered Mar 11 '14 at 16:56

Chris

21
1

score 0 · Answer 3 · answered Apr 04 '10 at 21:12

0

I could be way off, but what I think you want is the certificate authority snap-in, rather than the local cert snap-in. I'd hope you could pull up and extend the cert from there. It makes more sense when you imagine a typical scenario where the issuing CA would be a different server than the one using the certificate.

answered Apr 04 '10 at 21:12

Kara Marfia

7,892
5
32
56

I can find the certificate from the Certificate Authority snap-in, but the only remotely relevant action I can take from there is revoking the certificate. – Mark Seemann Apr 04 '10 at 21:27

How do I renew a Web Server certificate in Windows Server 2008?

3 Answers3