• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2678
  • Last Modified:

Correcting CSR mistakes

Hello all,

Windows 2008 Server, IIS 7
I have an SSL certificate coming up for renewal.  I generated a renewal request in IIS 7, but VeriSign will not accept the CSR, saying it is an invalid format.  Can I use Create Certificate Request with the same parameters as last year?  If I generate a new CSR, how does IIS know which request I am attempting to complete when I install the certificate (since it will have 2 pending requests)?  Can I just delete the "bad" request using the Certificates MMC snap-in?
0
dactechs
Asked:
dactechs
2 Solutions
 
ThorinOCommented:
Ya you can delete the bad request and request a new one. http://www.geocerts.com/csr/iis_renew_7
0
 
dactechsAuthor Commented:
Thanks for the reply ThorinO. I didn't state my problem very clearly.  The IIS 7 Renew apparently does not work if your CA is VeriSign. The generated CSR will be refused. Regardless, I now have 2 pending requests on my server, both of which I would like the server to completely forget about. I would like to know the steps to perform this task. Then, I do not know if simply creating a new CSR with the matching CN, OU, etc.will work for an expiring Certificate. I am hoping that it will, but I don't want to go there until I can start with a clean slate.
0
 
ShmoidCommented:
To delete the pending requests launch the certificates snap-in (computer store) goto the "Certificate Enrollment Requests\Certificates" folder. Delete the two items you created and delete the .csr files from where ever you saved them.

Also, you should be able to renew with IIS7 and VeriSign. I've done it dozens of times. Could it be that one of the fields in your requrest does not exactly match what your accout specifies? You mentioned invalid format. Are you choosing Microsoft for Server Platform on the VeriSign page where you paste the CSR?

As you mention, you could just create a new CSR rather than use renew. It will work as long as every field matches exactly. No need to worry about the old cert. Just install the new one. Bind it in IIS (and any other web apps that might use the cert if applicable) and then delete the old one. You can even leave the old one in place.
0

Featured Post

SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now