We help IT Professionals succeed at work.

Correcting CSR mistakes

Hello all,

Windows 2008 Server, IIS 7
I have an SSL certificate coming up for renewal.  I generated a renewal request in IIS 7, but VeriSign will not accept the CSR, saying it is an invalid format.  Can I use Create Certificate Request with the same parameters as last year?  If I generate a new CSR, how does IIS know which request I am attempting to complete when I install the certificate (since it will have 2 pending requests)?  Can I just delete the "bad" request using the Certificates MMC snap-in?
Comment
Watch Question

Commented:
Ya you can delete the bad request and request a new one. http://www.geocerts.com/csr/iis_renew_7

Author

Commented:
Thanks for the reply ThorinO. I didn't state my problem very clearly.  The IIS 7 Renew apparently does not work if your CA is VeriSign. The generated CSR will be refused. Regardless, I now have 2 pending requests on my server, both of which I would like the server to completely forget about. I would like to know the steps to perform this task. Then, I do not know if simply creating a new CSR with the matching CN, OU, etc.will work for an expiring Certificate. I am hoping that it will, but I don't want to go there until I can start with a clean slate.
Senior Engineer
Commented:
To delete the pending requests launch the certificates snap-in (computer store) goto the "Certificate Enrollment Requests\Certificates" folder. Delete the two items you created and delete the .csr files from where ever you saved them.

Also, you should be able to renew with IIS7 and VeriSign. I've done it dozens of times. Could it be that one of the fields in your requrest does not exactly match what your accout specifies? You mentioned invalid format. Are you choosing Microsoft for Server Platform on the VeriSign page where you paste the CSR?

As you mention, you could just create a new CSR rather than use renew. It will work as long as every field matches exactly. No need to worry about the old cert. Just install the new one. Bind it in IIS (and any other web apps that might use the cert if applicable) and then delete the old one. You can even leave the old one in place.