Thursday 9 September 2010

Generate Certificate Signing Request in Microsoft IIS 6.0 without removing the current certificate

Problem

Change CSR information without losing the current certificate
Generate CSR without overwriting the current certificate
Create renewal CSR with changes

Resolution

This article describes how you can create a new Certificate Signing Request (CSR) or generate a Renewal Request without having to remove the existing certificate from your web site.

To generate a Certificate Signing Request in Microsoft IIS 6.0 without removing the current certificate, do the following:

A. Generate a temporary web site.

NOTE: When you create the temporary web site, you do not need to assign an IP address and port number. You only need to give it read and write permissions, create a temporary folder on your hard drive, and save the site there.


B. Generate the pending request and CSR on the Temporary web site.

C. After receiving the certificate, install the certificate to the Temporary web site.

D. On the actual web site, replace the certificate with the newly installed certificate.

Instructions for the workaround:

1. In IIS, right-click the Default Web Site and click New --> Web Site.

2. Create a new site. You can give it a temporary name.

3. Right-click this new site and go to Properties --> Directory Security --> Server certificate.

4. Select "Create a new certificate" and follow the wizard to create a new CSR.

5. Back up the private key file. Very important: if no backup is made and the private key is lost, the certificate issued will not work.

Although a new CSR was generated, you are still required to go through the normal renewal process with that new CSR.

6. When you receive the certificate back, right-click this temporary site, go to Properties --> Directory Security --> Server certificate, and follow the wizard to process the pending request.

7. Once the certificate has been installed, go to the correct web site, right-click it, and go to Properties --> Directory Security --> Server certificate.

8. Select the option "Replace the current certificate".

9. You will then be able to select the certificate that you have just installed.

10. Once it is installed, we strongly advise you to make a backup of your certificate with its corresponding private key.

11. You can now delete the temporary site that you created previously. 
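A check that can be run between steps 6 and 7, as an added example that is not part of the original article or the Microsoft KB: it lists every certificate in the local computer's Personal store and flags whether it has a private key attached, is within its validity period, and has a subject CN matching the site name. It assumes PowerShell is installed on the server; `www.example.com` and the 30-day threshold are placeholder values, and only the subject CN is compared (subject alternative names are not inspected).

```powershell
# Added example (not from the article or the Microsoft KB).
param(
    [string]$HostName = 'www.example.com',  # placeholder: name the live site is served under
    [int]$MinDaysLeft = 30                  # assumed threshold for "expiring soon"
)

# Compare a subject CN with the host name; a leading "*." covers exactly one label.
function Test-CnMatch([string]$Cn, [string]$Name) {
    if ($Cn.StartsWith('*.')) {
        $dot = $Name.IndexOf('.')
        return ($dot -gt 0) -and ($Name.Substring($dot + 1) -ieq $Cn.Substring(2))
    }
    return $Cn -ieq $Name
}

$now      = Get-Date
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

# IIS selects server certificates from the local computer's Personal store.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cn     = $_.GetNameInfo($nameType, $false)
    $inDate = ($_.NotBefore -le $now) -and ($_.NotAfter -gt $now.AddDays($MinDaysLeft))
    $nameOk = Test-CnMatch $cn $HostName

    # Ready = usable as the replacement: key present, in date, name matches.
    $_ | Select-Object Thumbprint, NotAfter, HasPrivateKey,
        @{ Name = 'CN';     Expression = { $cn } },
        @{ Name = 'NameOk'; Expression = { $nameOk } },
        @{ Name = 'Ready';  Expression = { $_.HasPrivateKey -and $inDate -and $nameOk } }
} | Sort-Object NotAfter -Descending | Format-Table -AutoSize
```

A newly issued certificate that shows `HasPrivateKey` as `False` is not bound to the key created in step 4 and cannot serve the site.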

 
 

The official Microsoft article explaining this process is Microsoft Knowledge Base Article "How To Renew or Create New Certificate Signing Request While Another Certificate Is Currently Installed": http://support.microsoft.com/kb/295281
