Solved

Replacing SSL certificate on Windows 2003 IIS 6

Posted on 2014-09-13
Last Modified: 2014-09-18
I recently added a new SAN to my certificate and now want to place the new certificate on my server. I need to get the CSR from my server to complete the re-key and install but am having issues with getting the CSR. My issue is this: when I go to the Server Certificate wizard there isn't a choice to install a new certificate but 5 choices: Renew, Remove, Replace, Export or copy and move, so I assume it is Replace, but when I go to replace a certificate it shows me 8 different certificates and all of them do not have the expiration date of my currently active certificate. What do I do?
Question by:tparus
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 250 total points
ID: 40321098
Have you imported the SSL into the certificate store yet?

If not, you will need to and make sure it has the private key on it before you can enable it via IIS.
0
 

Author Comment

by:tparus
ID: 40321104
What do you mean by store? I have imported a SSL certificate into the server when we first installed SSL a few years back.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40321116
Have you imported the certificate into the certificate store on the server?

If not, it won't show up and you can't install it via IIS using the replace option.
0
 

Author Comment

by:tparus
ID: 40321131
I have not imported the new certificate into the store of the server. You understand that there is already a certificate on the server correct? I added a SAN to the certificate at GoDaddy and now I need to add the new certificate that includes the new SAN to the server in 72 hours. My issue is generating the CSR on the server so I can update the key. Am I missing something?
0
 
LVL 29

Accepted Solution

by:
becraig earned 250 total points
ID: 40321133
So here are some steps:

1. Where did you request the SAN certificate from (computer)? [If it is the same computer then you should be able to simply use "replace" once the certificate authority has given you the new cert and you have processed the request on the server.]

2. If it was requested and processed on another computer, then simply export the pfx from that computer and then import on your web server, then use the replace option.

Export pfx:
Winkey + r - mmc.exe - add remove snapin - certificates - local computer - expand personal - right click the certificate on the right - export - include private key - complete the wizard

Import pfx:
Winkey + r - mmc.exe - add remove snapin - certificates - local computer - expand personal - right click - import - point to pfx file created above and complete the wizard.
0
 

Author Comment

by:tparus
ID: 40321134
Would renewing the current certificate be the same as replacing?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40321150
If you have added a SAN to the existing certificate, why do you need to generate a CSR post certificate issue? Surely you have the certificate downloaded with the new SAN in?

If you have the certificate with the SAN in it, it needs to be imported into the Certificate store, repair the private key if it is missing and then you can choose the certificate from within IIS Manager and select to replace the current certificate with the new one with the new SAN in.
0
 
LVL 29

Expert Comment

by:becraig
ID: 40321171
Yup, Alan is correct; if you are simply adding the SAN to the current cert at GoDaddy then simply do a repair of the store.

certutil -repairstore my "serialnumber"
0
 

Author Comment

by:tparus
ID: 40321196
I figured it out. I probably went the roundabout way, but I created a temporary site, created the CSR, used that CSR for the re-key, then installed the certificate in the temp site, which put the certificate in the store. I then removed the certificate from the temp site and used the renew feature on the original site and selected the new certificate in the store. Found article http://support.microsoft.com/kb/295281. Hope that was the correct way.
0
 
LVL 29

Expert Comment

by:becraig
ID: 40321201
yup that works just as well.

the main idea is just to have the certificate installed in the local computer store then replace the current certificate with the new one from the store.

So the correct action would be "REPLACE" once the new certificate was installed, as I indicated above:


1. Where did you request the SAN certificate from (computer)? [If it is the same computer then you should be able to simply use "replace" once the certificate authority has given you the new cert and you have processed the request on the server.]
0
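
A pre-check for the Replace step discussed in this thread, as an added example that is not part of any participant's post: it lists every certificate in the Local Computer Personal store with its expiry date, whether the private key is present, and whether it carries the new SAN, so the right entry can be identified among several. It assumes PowerShell 2.0 or later is installed on the server and is run as an administrator; `$ExpectedSan` is a constructed placeholder.

```powershell
# Added example. $ExpectedSan is a constructed placeholder:
# set it to the name that was added to the certificate in the re-key.
$ExpectedSan = 'new-name.example.com'

# Open the Local Computer "Personal" store, the one the IIS Replace dialog lists.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
try {
    $report = foreach ($cert in $store.Certificates) {
        # OID 2.5.29.17 is the subjectAltName extension.
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $san = if ($sanExt) { $sanExt.Format($false) } else { '' }
        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            SerialNumber  = $cert.SerialNumber
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            # Case-insensitive substring match on the formatted extension text.
            HasNewSan     = $san.ToLower().Contains($ExpectedSan.ToLower())
        }
    }
}
finally {
    $store.Close()
}

# Newest expiry last, so the freshly issued certificate is easy to spot.
$report | Sort-Object NotAfter |
    Format-Table Subject, SerialNumber, NotAfter, HasPrivateKey, HasNewSan -AutoSize

# A certificate with the new SAN but no private key cannot be bound to a site;
# this is the case the repair command mentioned in the thread addresses.
foreach ($c in ($report | Where-Object { $_.HasNewSan -and -not $_.HasPrivateKey })) {
    Write-Warning ("{0} has no private key; try: certutil -repairstore my `"{1}`"" -f $c.Subject, $c.SerialNumber)
}
if (-not ($report | Where-Object { $_.HasNewSan -and $_.HasPrivateKey })) {
    Write-Warning "No certificate in LocalMachine\My has both $ExpectedSan and a private key."
}
```

The private key only exists on the machine where the CSR was generated, so a certificate that still shows `HasPrivateKey` as False after a repair was requested elsewhere and has to arrive as a PFX export.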
