
One of my SSL certificates (simple domain verification only) is about to expire on windows 2003 IIS 7.0 server.

I got better offer from another vendor, and the guys who originally issued my certificate do not want to negotiate lower prices.

Anyway - going through the certificate wizard in IIS, I have the option to "renew" or to "uninstall" and then install a new certificate.

So - can I use the "renew" option to create a certificate request and pass this to the new vendor, or do I need to start with a "new" request? Will it matter for the new vendor that the previous certificate was issued by another signer?

The problem is that I do not want to stop the server (the secured part at least) because of removing the old certificate, creating a new CSR, and waiting for the new certificate to install.

Or, is there an option to prepare a new CSR without removing the old certificate?

Sunny

3 Answers


Renewing a certificate allows you to keep the same public and private key while updating the expiration date for the certificate. The advantage to this is if you had to store the thumbprint on a router or something. I believe that the same issuing CA is required for renewing a request so it may just be easier to generate a new request by hand.

To generate a new request without blowing IIS up

You can create the certificate request manually and submit that. Once you get the new certificate you can then just switch the cert that IIS7 is looking for. How to create a web server SSL certificate manually.

The simple gist of the process is you will create an inf file with the required information, run certreq -new file.inf file.req. Once you have the request file you can submit that to the CA you want to issue your certificate, then accept the public key they send you with the command certreq -accept file-from-ca.req

Example request.inf

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=fully.qualified.domain.name, OU=Organizational Unit, O=Company, L=City, S=State, C=Country"
KeySpec = 1
KeyLength = 2048
HashAlgorithm = SHA256
Exportable = FALSE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
RequestType = PKCS10
KeyUsage = 0xa0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
FriendlyName = ""

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

[RequestAttributes]
CertificateTemplate = WebServer

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "DNS=&"
_continue_ = "DNS="

The above example inf is one I use internally for my own CA but can be adapted to work for most environments. You can set Exportable to TRUE if you want to be able to archive your key. The FriendlyName is completely optional and the Extensions section is for using alternate DNS names (Subject Alternative Names).

An example of a SAN entry would be:

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "DNS=example.com&"
_continue_ = "DNS=www.example.com&"
_continue_ = "DNS=secure.example.com"

That would allow you to use the same certificate with the three above sites without it complaining that there is a name mismatch (on modern browsers - I don't think IE6 understands it). It is important that you include the fully qualified domain name (the CN of the subject line) in the SAN if you set that up. You can completely remove the extensions area as well if you have no need for multiple domain names (also, some CAs may not support it).

The process

Once you have the above information saved (I know it is a lot), follow these steps:

  1. Open a command prompt and cd to the directory where you saved the above inf.
  2. Run certreq -new above.inf request.req
  3. Submit the request.req file to your CA. They will process it and approve/decline it.
  4. When they approve it they should send you back your public key in a .cer file.
  5. Run certreq -accept file-from-ca.cer to finish setting up the key.

Good luck!

Edit

The full syntax for certreq and the inf file can be found at Appendix 3: Certreq.exe Syntax (Windows Server 2003 SP1). The FriendlyName and HashAlgorithm are Server 2008 (and R2) only. You can view a list of supported cryptographic providers by running the command certutil -csplist and looking at the output. A current Windows 2003 SP2 box does have the "Microsoft RSA SChannel Cryptographic Provider" listed as an available provider so make sure that your file has the quotes properly set and that entry is on one line only (no wrapping or multi-lines).

You can also change out ProviderName to ProviderType and use the number provided by the output of certreq -csplist.

In this case I get the following output:

Provider Name: Microsoft RSA SChannel Cryptographic Provider
Provider Type: 12

So I can either use

ProviderName = "Microsoft RSA SChannel Cryptographic Provider"

or

ProviderType = 12

Joshua
  • Thanks. How do I prepare it manually? – Sunny Sep 22 '09 at 14:17
  • Also - still the pending question - does it matter for the "renew" that the certificate will be issued by a new vendor? – Sunny Sep 22 '09 at 14:20
  • As far as I know a renew requires the same issuing CA to send you the refreshed certificate since a renew keeps the same public and private key. A different CA will have a different key set to sign with, and so your public/private key pair will be different. – Joshua Sep 22 '09 at 14:22
  • Joshua, it reports this: Certificate Request Processor: The data is invalid. 0x8007000d (WIN32: 13) mycert.inf(HashAlgorithm = "SHA256"). Are you sure this should work? In the orig. article you linked to, there's no such setting. – Sunny Sep 22 '09 at 16:33
  • I removed the HashAlgorithm and FriendlyName settings (as it complained about them) and now I get: Certificate Request Processor: Provider type does not match registered value. 0x8009001b (-2146893797). Too bad. – Sunny Sep 22 '09 at 16:37
  • Is this Server 2003 IIS6 or Server 2008 IIS7? – Joshua Sep 22 '09 at 17:21
  • Please see the edit section for more information. – Joshua Sep 22 '09 at 17:38
  • BTW, this works great if you need to update any SHA-1 certs to SHA-2. Used it and worked flawlessly. – Valien Nov 07 '14 at 18:50
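The inf layout and SAN syntax from the answer above, as an added Python example (not code from the answer or from certreq itself): it generates a request.inf for `certreq -new` from a list of host names, adds the CN to the SAN list if it is missing, and parses the DNS names back out so a hand-edited file can be checked before it goes to the CA. The CN-only Subject line is an assumption; add O/OU/L/S/C as your CA requires.

```python
# Added example (not from the answer): generate a certreq request.inf with the SAN syntax shown above.

def san_extension(names):
    """[Extensions] lines for OID 2.5.29.17; every _continue_ entry but the
    last ends with '&', the join marker certreq expects between DNS values."""
    if not names:
        return []
    lines = ["[Extensions]", '2.5.29.17 = "{text}"']
    for i, name in enumerate(names):
        amp = "&" if i < len(names) - 1 else ""
        lines.append(f'_continue_ = "DNS={name}{amp}"')
    return lines

def build_request_inf(cn, sans=(), key_length=2048, exportable=False):
    """Assemble the inf text; the CN is added to the SAN list if missing, since
    a browser that finds a SAN ignores the CN when matching the host name."""
    if key_length < 2048:
        raise ValueError("use at least a 2048-bit RSA key")
    names = list(sans)
    if names and cn not in names:
        names.insert(0, cn)
    lines = [
        "[Version]",
        'Signature="$Windows NT$"',
        "",
        "[NewRequest]",
        f'Subject = "CN={cn}"',  # assumption: O/OU/L/S/C omitted for brevity
        "KeySpec = 1",
        f"KeyLength = {key_length}",
        f"Exportable = {'TRUE' if exportable else 'FALSE'}",
        "MachineKeySet = TRUE",
        "RequestType = PKCS10",
        "KeyUsage = 0xa0",
        'ProviderName = "Microsoft RSA SChannel Cryptographic Provider"',
        "",
        "[EnhancedKeyUsageExtension]",
        "OID=1.3.6.1.5.5.7.3.1 ; Server Authentication",
        "",
    ] + san_extension(names)
    return "\n".join(lines) + "\n"

def san_names(inf_text):
    """Return the DNS names in an inf's SAN section (to check a hand-edited file)."""
    names = []
    for line in inf_text.splitlines():
        if line.startswith("_continue_"):
            value = line.split("=", 1)[1].strip().strip('"')
            names.append(value[4:].rstrip("&") if value.startswith("DNS=") else value.rstrip("&"))
    return names
```

Write the returned text to a file and run `certreq -new file.inf file.req` as described in the steps above; the old certificate stays bound to the site until you switch it.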

You only need to create a temporary website with IIS 6.0. IIS 7.0 allows you to create multiple pending requests at a time.

IIS 7.0 actually has a bug that causes the renew function to generate a CSR with a very large key (much larger than you want). Because of this, it is recommended that you create a new pending request instead of selecting the renew option. Once installed you simply switch the SSL binding on the website and you won't have any downtime. This also allows you to generate a new key every time you renew which increases security.

The certificate provider (CA) doesn't care whether you use the new option or the renew option and you could use either option whether you are staying with the same CA or ordering from a new one.

Robert

OK, to partially answer my own question - the part of creating/using a new certificate without removing the existing one (i.e. without stopping the server), I found a good description on Comodo website - basically I need to create a "temporary" website on the server, and use it to create a new CSR, send it for signing, and receive and import the certificate.

Then on my main (real) site I need to replace the current certificate, and then delete the temp one.

Sunny