Solved

Replacing SSL certificate on Windows 2003 IIS 6

Posted on 2014-09-13
10
567 Views
Last Modified: 2014-09-18
I recently added a new SAN to my certificate and now want to place the new certificate on my server. I need to get the CSR from my server to complete the re-key and install but am having issues with getting the CSR. My issue is this when I go to the Server Certificate wizard there isn't a choice to install a new certificate but 5 choices : Renew, Remove, Replace, Export or copy and move so I assume it is Replace but when I go to replace a certificate it shows me 8 different certificates and all of them do not have the expiration date of my currently active certificate. What do i do?
0
Comment
Question by:tparus
  • 4
  • 3
  • 3
10 Comments
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 250 total points
ID: 40321098
Have you imported the SSL into the certificate store yet?

If not, you will need to and make sure it has the private key on it before you can enable it via IIS.
0
 

Author Comment

by:tparus
ID: 40321104
What do you mean by store? I have imported a SSL certificate into the server when we first installed SSL a few years back.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40321116
Have you imported the certificate into the certificate store on the server?

If not, it won't show up and you can't install it via IIS using the replace option.
0
 

Author Comment

by:tparus
ID: 40321131
I have not imported the new certificate into the store of the server. You understand that there is already a certificate on the server correct? I added a SAN to the certificate at GoDaddy and now I need to add the new certificate that includes the new SAN to the server in 72 hours. My issue is generating the CSR on the server so I can update the key. Am I missing something?
0
 
LVL 28

Accepted Solution

by:
becraig earned 250 total points
ID: 40321133
So here are some steps:

1. Where did you request the SAN certificate from (computer) [if it is the same computer then you should be able to simply use "replace" once the certificate authority has given you the new cert and you have processed the request on the server.

2. If it was requested and processed on another computer, then simply export the pfx from that computer and then import on your web server, then use the replace option.

Export pfx:
Winkey + r - mmc.exe - add remove snapin - certificates - local computer - expand personal - right click the certificate on the right - export - include private key - complete the wizard

Import pfx:
Winkey + r - mmc.exe - add remove snapin - certificates - local computer - expand personal - right click - import - point to pfx file created above and complete the wizard.
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 

Author Comment

by:tparus
ID: 40321134
Would renewing the current certificate be the same as replacing?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40321150
If you have added a SAN to the existing certificate, why do you need to generate a CSR post certificate issue?  Surely you have the certificate downloaded with the new SAN in?

If you have the certificate with the SAN in it, it needs to be imported into the Certificate store, repair the private key if it is missing and then you can choose the certificate from within IIS Manager and select to replace the current certificate with the new one with the new SAN in.
0
 
LVL 28

Expert Comment

by:becraig
ID: 40321171
Yup Alan is correct, if you are simply adding the SAN to the  current cert at go-daddy then simply do a repair of the store.

certutil -repairstore serialnumber
0
 

Author Comment

by:tparus
ID: 40321196
I figured it out. I probably went the round about way but I created a temporary site, created the CSR, used that CSR for the re-key then installed the certificate in the temp site which put the certificate in the store. I then removed the certificate from the temp site and used the renew feature on the original site and selected the new certificate in the store. Found article http://support.microsoft.com/kb/295281. Hope that was the correct way.
0
 
LVL 28

Expert Comment

by:becraig
ID: 40321201
yup that works just as well.

the main idea is just to have the certificate installed in the local computer store then replace the current certificate with the new one from the store.

So the correct action would be "REPLACE" once the new certificate was installed I indicated above:


1. Where did you request the SAN certificate from (computer) [if it is the same computer then you should be able to simply use "replace" once the certificate authority has given you the new cert and you have processed the request on the server.
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Join & Write a Comment

Learn about cloud computing and its benefits for small business owners.
Explore the encryption capabilities built into Google Apps and how these features can help you meet privacy policy and regulatory compliance, but are not a full solution. Understand and compare the most popular email encryption services for Google A…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now