Replacing SSL certificate on Windows 2003 IIS 6

I recently added a new SAN to my certificate and now want to place the new certificate on my server. I need to get the CSR from my server to complete the re-key and install but am having issues with getting the CSR. My issue is this when I go to the Server Certificate wizard there isn't a choice to install a new certificate but 5 choices : Renew, Remove, Replace, Export or copy and move so I assume it is Replace but when I go to replace a certificate it shows me 8 different certificates and all of them do not have the expiration date of my currently active certificate. What do i do?
TimSr. System AdminAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Alan HardistyCo-OwnerCommented:
Have you imported the SSL into the certificate store yet?

If not, you will need to and make sure it has the private key on it before you can enable it via IIS.
0
TimSr. System AdminAuthor Commented:
What do you mean by store? I have imported a SSL certificate into the server when we first installed SSL a few years back.
0
Alan HardistyCo-OwnerCommented:
Have you imported the certificate into the certificate store on the server?

If not, it won't show up and you can't install it via IIS using the replace option.
0
Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

TimSr. System AdminAuthor Commented:
I have not imported the new certificate into the store of the server. You understand that there is already a certificate on the server correct? I added a SAN to the certificate at GoDaddy and now I need to add the new certificate that includes the new SAN to the server in 72 hours. My issue is generating the CSR on the server so I can update the key. Am I missing something?
0
becraigCommented:
So here are some steps:

1. Where did you request the SAN certificate from (computer) [if it is the same computer then you should be able to simply use "replace" once the certificate authority has given you the new cert and you have processed the request on the server.

2. If it was requested and processed on another computer, then simply export the pfx from that computer and then import on your web server, then use the replace option.

Export pfx:
Winkey + r - mmc.exe - add remove snapin - certificates - local computer - expand personal - right click the certificate on the right - export - include private key - complete the wizard

Import pfx:
Winkey + r - mmc.exe - add remove snapin - certificates - local computer - expand personal - right click - import - point to pfx file created above and complete the wizard.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
TimSr. System AdminAuthor Commented:
Would renewing the current certificate be the same as replacing?
0
Alan HardistyCo-OwnerCommented:
If you have added a SAN to the existing certificate, why do you need to generate a CSR post certificate issue?  Surely you have the certificate downloaded with the new SAN in?

If you have the certificate with the SAN in it, it needs to be imported into the Certificate store, repair the private key if it is missing and then you can choose the certificate from within IIS Manager and select to replace the current certificate with the new one with the new SAN in.
0
becraigCommented:
Yup Alan is correct, if you are simply adding the SAN to the  current cert at go-daddy then simply do a repair of the store.

certutil -repairstore serialnumber
0
TimSr. System AdminAuthor Commented:
I figured it out. I probably went the round about way but I created a temporary site, created the CSR, used that CSR for the re-key then installed the certificate in the temp site which put the certificate in the store. I then removed the certificate from the temp site and used the renew feature on the original site and selected the new certificate in the store. Found article http://support.microsoft.com/kb/295281. Hope that was the correct way.
0
becraigCommented:
yup that works just as well.

the main idea is just to have the certificate installed in the local computer store then replace the current certificate with the new one from the store.

So the correct action would be "REPLACE" once the new certificate was installed I indicated above:


1. Where did you request the SAN certificate from (computer) [if it is the same computer then you should be able to simply use "replace" once the certificate authority has given you the new cert and you have processed the request on the server.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft IIS Web Server

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.