Solved

Replacing SSL certificate on Windows 2003 IIS 6

Posted on 2014-09-13
10
582 Views
Last Modified: 2014-09-18
I recently added a new SAN to my certificate and now want to place the new certificate on my server. I need to get the CSR from my server to complete the re-key and install but am having issues with getting the CSR. My issue is this when I go to the Server Certificate wizard there isn't a choice to install a new certificate but 5 choices : Renew, Remove, Replace, Export or copy and move so I assume it is Replace but when I go to replace a certificate it shows me 8 different certificates and all of them do not have the expiration date of my currently active certificate. What do i do?
0
Comment
Question by:tparus
  • 4
  • 3
  • 3
10 Comments
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 250 total points
ID: 40321098
Have you imported the SSL into the certificate store yet?

If not, you will need to and make sure it has the private key on it before you can enable it via IIS.
0
 

Author Comment

by:tparus
ID: 40321104
What do you mean by store? I have imported a SSL certificate into the server when we first installed SSL a few years back.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40321116
Have you imported the certificate into the certificate store on the server?

If not, it won't show up and you can't install it via IIS using the replace option.
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 

Author Comment

by:tparus
ID: 40321131
I have not imported the new certificate into the store of the server. You understand that there is already a certificate on the server correct? I added a SAN to the certificate at GoDaddy and now I need to add the new certificate that includes the new SAN to the server in 72 hours. My issue is generating the CSR on the server so I can update the key. Am I missing something?
0
 
LVL 29

Accepted Solution

by:
becraig earned 250 total points
ID: 40321133
So here are some steps:

1. Where did you request the SAN certificate from (computer) [if it is the same computer then you should be able to simply use "replace" once the certificate authority has given you the new cert and you have processed the request on the server.

2. If it was requested and processed on another computer, then simply export the pfx from that computer and then import on your web server, then use the replace option.

Export pfx:
Winkey + r - mmc.exe - add remove snapin - certificates - local computer - expand personal - right click the certificate on the right - export - include private key - complete the wizard

Import pfx:
Winkey + r - mmc.exe - add remove snapin - certificates - local computer - expand personal - right click - import - point to pfx file created above and complete the wizard.
0
 

Author Comment

by:tparus
ID: 40321134
Would renewing the current certificate be the same as replacing?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40321150
If you have added a SAN to the existing certificate, why do you need to generate a CSR post certificate issue?  Surely you have the certificate downloaded with the new SAN in?

If you have the certificate with the SAN in it, it needs to be imported into the Certificate store, repair the private key if it is missing and then you can choose the certificate from within IIS Manager and select to replace the current certificate with the new one with the new SAN in.
0
 
LVL 29

Expert Comment

by:becraig
ID: 40321171
Yup Alan is correct, if you are simply adding the SAN to the  current cert at go-daddy then simply do a repair of the store.

certutil -repairstore serialnumber
0
 

Author Comment

by:tparus
ID: 40321196
I figured it out. I probably went the round about way but I created a temporary site, created the CSR, used that CSR for the re-key then installed the certificate in the temp site which put the certificate in the store. I then removed the certificate from the temp site and used the renew feature on the original site and selected the new certificate in the store. Found article http://support.microsoft.com/kb/295281. Hope that was the correct way.
0
 
LVL 29

Expert Comment

by:becraig
ID: 40321201
yup that works just as well.

the main idea is just to have the certificate installed in the local computer store then replace the current certificate with the new one from the store.

So the correct action would be "REPLACE" once the new certificate was installed I indicated above:


1. Where did you request the SAN certificate from (computer) [if it is the same computer then you should be able to simply use "replace" once the certificate authority has given you the new cert and you have processed the request on the server.
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
As tax season makes its return, so does the increase in cyber crime and tax refund phishing that comes with it
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question