Tim
asked on
Replacing SSL certificate on Windows 2003 IIS 6
I recently added a new SAN to my certificate and now want to place the new certificate on my server. I need to get the CSR from my server to complete the re-key and install, but am having issues with getting the CSR. My issue is this: when I go to the Server Certificate wizard there isn't a choice to install a new certificate, but 5 choices: Renew, Remove, Replace, Export or copy and move. So I assume it is Replace, but when I go to replace a certificate it shows me 8 different certificates, and none of them have the expiration date of my currently active certificate. What do I do?
Have you imported the certificate into the certificate store on the server?
If not, it won't show up and you can't install it via IIS using the replace option.
ASKER
I have not imported the new certificate into the store of the server. You understand that there is already a certificate on the server, correct? I added a SAN to the certificate at GoDaddy and now I need to add the new certificate that includes the new SAN to the server in 72 hours. My issue is generating the CSR on the server so I can update the key. Am I missing something?
ASKER
Would renewing the current certificate be the same as replacing?
If you have added a SAN to the existing certificate, why do you need to generate a CSR post certificate issue? Surely you have the certificate downloaded with the new SAN in?
If you have the certificate with the SAN in it, it needs to be imported into the certificate store and the private key repaired if it is missing; then you can choose the certificate from within IIS Manager and select to replace the current certificate with the new one with the new SAN in.
Yup, Alan is correct. If you are simply adding the SAN to the current cert at GoDaddy, then simply do a repair of the store.
certutil -repairstore my "serialnumber"
ASKER
I figured it out. I probably went the roundabout way, but I created a temporary site, created the CSR, used that CSR for the re-key, then installed the certificate in the temp site, which put the certificate in the store. I then removed the certificate from the temp site and used the renew feature on the original site and selected the new certificate in the store. Found article http://support.microsoft.com/kb/295281. Hope that was the correct way.
Yup, that works just as well.
The main idea is just to have the certificate installed in the local computer store, then replace the current certificate with the new one from the store.
So the correct action would be "REPLACE" once the new certificate was installed, as I indicated above:
1. Where did you request the SAN certificate from (computer)? [If it is the same computer then you should be able to simply use "replace" once the certificate authority has given you the new cert and you have processed the request on the server.]
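The sequence the replies above describe (import the new certificate into the local computer store, repair the private key link, then use Replace in IIS), written out as an added example that is not part of the original thread. The script name, the certificate path and the serial number passed on the command line are placeholders.

```bat
@echo off
rem Added example, not from the thread. Run in cmd.exe on the IIS server as an administrator.
rem Usage (hypothetical script name):  install-san-cert.cmd C:\certs\newcert.cer SERIALNUMBER
rem %1 = certificate file downloaded from the CA, %2 = its serial number (placeholders).
if "%~2"=="" (
    echo Usage: %~nx0 ^<certificate file^> ^<serial number^>
    exit /b 2
)
set CERT=%~1
set SERIAL=%~2

rem 1. Show the serial number and SAN entries in the file, so you can confirm the
rem    new name is present and that SERIAL matches before touching the store.
certutil -dump "%CERT%" | findstr /i /c:"Serial Number" /c:"DNS Name"

rem 2. Import into the local computer Personal store ("my"), where IIS looks for
rem    server certificates.
certutil -addstore my "%CERT%"
if errorlevel 1 goto :failed

rem 3. Re-link the certificate to its private key. This only works when the key pair
rem    from the matching CSR already exists on this server; it does not create a key.
certutil -repairstore my "%SERIAL%"
if errorlevel 1 goto :failed

rem 4. Display the store entry. A usable certificate shows a Key Container line and
rem    a passed key test; without a private key, IIS cannot serve TLS with it.
certutil -store my "%SERIAL%"

echo Now run the IIS Server Certificate wizard, choose Replace, and pick the new certificate.
goto :eof

:failed
echo certutil reported an error. The certificate assigned to the site was not changed.
exit /b 1
```

Nothing here changes the site binding: the old certificate stays active until Replace is completed in IIS Manager, so a failed import does not cause an outage.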