How do I generate a new CSR without losing the current SSL cert in IIS?

In the last year, my organization has changed the way we get certificates from Verisign.  I can no longer renew my existing certificates, instead I must replace them.  (Our organization's name changed slightly.)

I have a web site in which the SSL cannot go off line for an extended period of time.  (It often takes my PKI admin a day or two to process a cert request.)  

How can I generate a new CSR for this web site and process it without taking the current SSL certificate offline?

This is a Windows 2003 server running IIS 6.
mdrapp Asked:
 
Paranormastic (Cryptographic Engineer) Commented:
Create a dummy site and create the request from there with the production name.  Install it there and then export including private key to .pfx file.  When you are ready to install to prod then import that .pfx file into prod site.  Note that you will need to reboot afterwards.
0
 
Shreedhar Ette Commented:
Hi,

Refer to this article:
http://www.geocerts.com/csr/iis_6

Hope this helps,
Shree
0
 
mdrapp (Author) Commented:
That article is great if I don't have a certificate already in place.  What I need to do is create a new CSR for a new certificate while keeping the currently installed certificate working and then replace it later.
0
 
Shreedhar Ette Commented:
That's correct.
0
 
Springy555 Commented:
You can generate a CSR while keeping an existing certificate in place.

If you go to the 'Directory Security' tab for your website, click the Server Certificate button.  Select to renew the current certificate, and then choose to prepare the request now, but send it later.

You will then be prompted for a location to save the CSR txt file to.

This won't affect the current certificate, and the CSR will contain the exact same details as your previous certificate (eg domain name, organisation name etc).  You can then send this CSR to any other cert authority who will give you a new cert.
0
 
mdrapp (Author) Commented:
That's the problem, I need the "renewal" request to contain different information.  Everything is the same except my organization name has changed.
0
 
Springy555 Commented:
In IIS5, you can change details such as common name by clicking the back button once it prompts you for a location to save the CSR.

With IIS6 this doesn't happen.  Create a temporary website (doesn't matter about website name, ip address or host headers) and generate a CSR request from here using the correct details.

When you are sent the cert, you can then install it on the server and replace the previous cert associated with the website with this new one.  There won't be any downtime, and you won't need to reboot the server.
0
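
An added example, not part of the original thread: the same goal (a new CSR with a changed organization name, created without touching the certificate bound to the live site) done from the command line with `certreq` instead of the temporary web site described above. The host name, organization name, and `C:\certwork` paths are constructed placeholders.

```batch
@echo off
rem Added example: create a PKCS#10 request with certreq instead of the
rem IIS wizard. The key pair is held as a pending request in the machine
rem store, so the certificate bound to the production site is not changed.
rem Constructed sample values: www.example.com, "New Org Name", C:\certwork.
setlocal
set WORK=C:\certwork
if not exist "%WORK%" mkdir "%WORK%"

rem Write the request file. The Subject carries the NEW organization name.
rem Exportable = TRUE allows a later .pfx export of the private key; set it
rem to FALSE if the key never needs to leave this server.
> "%WORK%\request.inf" (
  echo [Version]
  echo Signature="$Windows NT$"
  echo.
  echo [NewRequest]
  echo Subject = "CN=www.example.com, O=New Org Name, L=City, S=State, C=US"
  echo KeySpec = 1
  echo KeyLength = 2048
  echo Exportable = TRUE
  echo MachineKeySet = TRUE
  echo ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
  echo ProviderType = 12
  echo RequestType = PKCS10
)

rem Generate the key pair and the CSR file.
certreq -new "%WORK%\request.inf" "%WORK%\request.csr"
if errorlevel 1 goto fail

rem Review the subject and key length before sending the CSR to the CA.
certutil -dump "%WORK%\request.csr"

echo CSR written to %WORK%\request.csr
echo When the CA returns the certificate, run on this same server:
echo   certreq -accept %WORK%\newcert.cer
echo Then assign the new certificate to the site from Directory Security.
goto end

:fail
echo certreq failed; no request was created.
exit /b 1

:end
endlocal
```

`certreq -accept` must run on the server that created the request, because the private key exists only there until it is exported.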
 
mdrappAuthor Commented:
That was the answer:  using a temporary web site to do the new CSR and export the new cert!
0
Question has a verified solution.