Correcting CSR mistakes

Hello all,

Windows 2008 Server, IIS 7
I have an SSL certificate coming up for renewal.  I generated a renewal request in IIS 7, but VeriSign will not accept the CSR, saying it is an invalid format.  Can I use Create Certificate Request with the same parameters as last year?  If I generate a new CSR, how does IIS know which request I am attempting to complete when I install the certificate (since it will have 2 pending requests)?  Can I just delete the "bad" request using the Certificates MMC snap-in?
LVL 3
dactechsAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

ThorinOCommented:
Ya you can delete the bad request and request a new one. http://www.geocerts.com/csr/iis_renew_7
dactechsAuthor Commented:
Thanks for the reply ThorinO. I didn't state my problem very clearly.  The IIS 7 Renew apparently does not work if your CA is VeriSign. The generated CSR will be refused. Regardless, I now have 2 pending requests on my server, both of which I would like the server to completely forget about. I would like to know the steps to perform this task. Then, I do not know if simply creating a new CSR with the matching CN, OU, etc.will work for an expiring Certificate. I am hoping that it will, but I don't want to go there until I can start with a clean slate.
ShmoidSenior EngineerCommented:
To delete the pending requests launch the certificates snap-in (computer store) goto the "Certificate Enrollment Requests\Certificates" folder. Delete the two items you created and delete the .csr files from where ever you saved them.

Also, you should be able to renew with IIS7 and VeriSign. I've done it dozens of times. Could it be that one of the fields in your requrest does not exactly match what your accout specifies? You mentioned invalid format. Are you choosing Microsoft for Server Platform on the VeriSign page where you paste the CSR?

As you mention, you could just create a new CSR rather than use renew. It will work as long as every field matches exactly. No need to worry about the old cert. Just install the new one. Bind it in IIS (and any other web apps that might use the cert if applicable) and then delete the old one. You can even leave the old one in place.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.