
Renewing SSL certificates

I would like to apologize in advance, I am new at this. We have Verisign SSL certificates and are changing to RSA. Because we are changing providers I did not think doing a normal renew in IIS was the correct method. I obviously don't know for sure.
OK, the problem is on a production site that already has a cert. I don't want to disturb a production site to start the cert request process. But when I go into IIS, since I have a valid cert, I do not see the option I want to see (I think it says create cert).
So anyway, what I did last time to prevent disruption is exported the certs (mmc certificates) to a file, but I don't remember details of the file extension. Deleted the cert in IIS. Then I saw the option I wanted to see to start the cert request process. Got the text file / private key text, whatever it is. Then I cancelled out the install pending request so I could import the live production cert again, so the site was actually only without SSL for 5 minutes.
OK, the problem. Clearing out the install pending request so I could re-import my current cert while I was waiting for my renewed cert apparently wipes out my private key. Meaning when I finally get the renewed cert, renew/replace in IIS and then view the cert, everything looks OK except I do not see the private key at the very bottom and SSL is not working. Meaning http is fine but https prompts.
Can someone point out some of the things I am doing incorrectly or share your experiences on how to do this the correct way?
Thanks in advance.
1 Solution
Did you export your certificate private key to the file before deleting the certificate? You should have selected some extra options when exporting to do that. If you didn't, the private key is probably lost and it will not work until you get the new certificate.

The renewal and installation of new certificates can be done in IIS manager -> Web site properties -> Directory security -> Server certificate. You should be able to click that even when you have a certificate installed.
The easy way is to create a new web site.

Use it to generate the new certificate request and bind the certificate to the private key when you get it.

Then all you have to do is assign the new certificate to the old site.

You can also recover from deleting the pending request using CertUtil:

    How to install a server certificate after a pending request has been deleted in IIS 5.0

The article says IIS 5.0 but works just as well on IIS 6.0.

Dave Dietz
Question has a verified solution.
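
The CertUtil recovery mentioned in the answer above, as an added example that is not part of the original thread: it checks whether the renewed certificate in the machine store is bound to a private key and, if not, asks `certutil -repairstore` to re-associate it. The thumbprint value is a placeholder and the function name `Get-MachineCert` is hypothetical.

```powershell
# Added example (not from the thread). Run from an elevated prompt on the web server.
param(
    # Placeholder: thumbprint of the renewed certificate, copied from its Details tab.
    [string]$Thumbprint = '<THUMBPRINT-OF-RENEWED-CERT>'
)

# Hypothetical helper: look up a certificate in LocalMachine\My by thumbprint.
function Get-MachineCert([string]$Thumbprint) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        # Thumbprints pasted from the GUI often contain spaces or hidden characters.
        $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
        return $store.Certificates | Where-Object { $_.Thumbprint -eq $clean }
    } finally {
        $store.Close()
    }
}

$cert = Get-MachineCert $Thumbprint
if (-not $cert) {
    Write-Error 'No certificate with that thumbprint in LocalMachine\My.'
    exit 1
}

'Subject:       {0}' -f $cert.Subject
'Serial number: {0}' -f $cert.SerialNumber
'Expires:       {0}' -f $cert.NotAfter
'HasPrivateKey: {0}' -f $cert.HasPrivateKey

if (-not $cert.HasPrivateKey) {
    # -repairstore can only succeed if the key pair generated with the
    # certificate request still exists on this machine.
    & certutil.exe -repairstore my $cert.SerialNumber
    if ($LASTEXITCODE -ne 0) {
        Write-Error "certutil -repairstore failed with exit code $LASTEXITCODE."
        exit $LASTEXITCODE
    }
    # Re-read the store to confirm the association before assigning the cert in IIS.
    $cert = Get-MachineCert $Thumbprint
    'HasPrivateKey after repair: {0}' -f $cert.HasPrivateKey
}
```

If `HasPrivateKey` is still `False` after the repair, the key pair from the original request is no longer on the server and a new request has to be generated.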
