
I have to update my SSL certificate for IIS6 on Windows 2003 Server. The vendor (Thawte) tells me that my Certificate Signing Request is non-resignable, which I take to mean that I need to generate a request for a brand new certificate. In the IIS Manager, however, as long as I have the current certificate installed, my only options are:

  • Renew the current certificate
  • Remove the current certificate
  • Replace the current certificate
  • Export the current certificate to a .pfx file
  • Copy or Move the current certificate to a remote server site

I thought that "Replace" would be the obvious option, but it doesn't give me the choice to create a new request to replace the current certificate; I can only choose between the already-installed certificates on the server. If I "Remove" the current certificate in order to request a new one, would that result in my clients being told immediately that my server was not secured? Or am I misunderstanding Thawte's documentation, and I really can Renew? I've renewed certificates in the past, and I can't imagine that there is no way at all to pull this off without disruption of "SSL secured" status. Thanks in advance.

kcrumley

2 Answers


I've tried to do the renewal-based-on-existing-cert thing before, and it's always resulted in a bit of a mess (it's been with Verisign in my case, but I can't imagine Thawte's process works much better, although I'm fully prepared to blame my own SSL ignorance at the time). Anyway, the way round this that we worked out is to:

  • Create a temporary site in IIS. Call it "SSL renewal" or something - it's never going to see the Internet, so it doesn't really matter.
  • Generate a CSR for the new site, using EXACTLY the same parameters as you did for your real site's cert; site name, org. info, key length, everything.
  • Go through Thawte's renewal process, supplying the shiny new CSR that you generated.
  • When you get the signed response back, process and install it on the temp. site. The certificate is now in the local computer account's cert store, so it can be seen by IIS - see where we're going with this?
  • Now that the new cert's installed, go into the real site's SSL properties and select "replace the current certificate". In the list of certificates to use, you should see your new one. Select it, and you're done. Feel free to delete the old one afterwards, and don't forget to back up your certificate and private key!
RainyRat

This KB on the Comodo website describes how to do it:

Basically you'll be re-creating your site in IIS and generating a request from that one. Then you delete it and replace the cert on your current site.

masegaloeh
MathewC
  • Thanks. Sorry, had to choose the more verbose answer, though they're both saying basically the same thing. – kcrumley Jun 23 '09 at 17:43
  • That sucks. I answered first. I could have cut and pasted the text online, but gave credit where it was due. – MathewC Jun 23 '09 at 17:48
  • Right, and if I'd chosen yours, I'd be valuing a slightly quicker response over a personal endorsement of the technique, with more effort put into it. Neither way is perfect. I gave you an upvote. – kcrumley Jun 23 '09 at 20:49
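Both answers rest on the same two points: the CSR generated on the throwaway site must carry exactly the same subject and key parameters as the production certificate, and the production site is never left without a certificate because the new one is installed first and then swapped in with "Replace". The script below is an added example, not code from either answer or from IIS; it uses the openssl command line on any workstation to check a freshly generated CSR against the currently served certificate before the CSR goes to the CA. The "current" certificate here is a constructed self-signed stand-in; on a real server you would use the certificate exported from IIS Manager (converted from .pfx with `openssl pkcs12 -in site.pfx -nokeys -out current.pem`) and the CSR file the IIS wizard saved. The subject values and file names are constructed sample data.

```shell
#!/bin/sh
# Added example, not code from either answer: check that a CSR generated on a
# throwaway site matches the certificate the production site currently serves
# (subject and RSA key size) before sending it to the CA. Needs only the
# openssl CLI. The "current" certificate is a constructed self-signed stand-in.
set -u

# Constructed sample subject; use the production site's real values.
SUBJ='/C=US/ST=Ohio/L=Dayton/O=Example Corp/OU=Web/CN=www.example.com'
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Subject of a certificate / CSR, printed with the same -nameopt so the two
# strings are directly comparable.
cert_subject() { openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'; }
csr_subject()  { openssl req  -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'; }

# RSA modulus size in bits (e.g. 2048), taken from the text dump.
cert_bits() { openssl x509 -noout -text -in "$1" | grep -oE '\([0-9]+ bit\)' | head -n 1 | tr -dc '0-9'; }
csr_bits()  { openssl req  -noout -text -in "$1" | grep -oE '\([0-9]+ bit\)' | head -n 1 | tr -dc '0-9'; }

# csr_matches_cert CSR CERT -> exit status 0 if subject and key size agree.
csr_matches_cert() {
    csr=$1
    cert=$2
    if [ "$(csr_subject "$csr")" != "$(cert_subject "$cert")" ]; then
        echo "subject mismatch: CSR=[$(csr_subject "$csr")] cert=[$(cert_subject "$cert")]" >&2
        return 1
    fi
    if [ "$(csr_bits "$csr")" != "$(cert_bits "$cert")" ]; then
        echo "key size mismatch: CSR=$(csr_bits "$csr") cert=$(cert_bits "$cert")" >&2
        return 1
    fi
    return 0
}

# 1. Stand-in for the certificate currently bound to the production site.
#    (On the real server: export it to .pfx from IIS Manager, then
#    "openssl pkcs12 -in site.pfx -nokeys -out current.pem".)
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$SUBJ" \
    -keyout "$WORK/current.key" -out "$WORK/current.pem" 2>/dev/null

# 2. CSR generated on the temporary site with identical parameters.
openssl req -new -newkey rsa:2048 -nodes -subj "$SUBJ" \
    -keyout "$WORK/new.key" -out "$WORK/new.csr" 2>/dev/null

# 3. Two CSRs that must be rejected: a typo in the CN, and a different key size.
openssl req -new -newkey rsa:2048 -nodes -subj "${SUBJ%/CN=*}/CN=www.example.org" \
    -keyout "$WORK/wrong_cn.key" -out "$WORK/wrong_cn.csr" 2>/dev/null
openssl req -new -newkey rsa:3072 -nodes -subj "$SUBJ" \
    -keyout "$WORK/wrong_bits.key" -out "$WORK/wrong_bits.csr" 2>/dev/null

for csr in new wrong_cn wrong_bits; do
    if csr_matches_cert "$WORK/$csr.csr" "$WORK/current.pem"; then
        echo "$csr.csr: OK, safe to submit"
    else
        echo "$csr.csr: does NOT match the current certificate"
    fi
done
```

The check matters because a CSR with a different CN would get you a certificate for the wrong host name, and a smaller key than the one currently deployed would quietly weaken the site; catching either before the CA signs it avoids a second renewal. The swap itself still happens in IIS Manager as the answers describe, so at no point does the production site answer without a certificate.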