How to create a CSR without removing your current certificate in IIS

December 20, 2011

How to create a CSR in IIS 5.x/6.x without removing the current certificate

Currently the Renew option within IIS 5.x/6.x does not work as intended most of the time, because IIS does not allow a site that is currently running SSL to generate a Certificate Signing Request (CSR) without removing the existing certificate.

For most sites this is not a viable option, since the SSL portion of your site would be down until the new certificate was put in place. In order to obtain a certificate for your existing web site you will have to do the following:

Problem:   My current SSL expired, the site is hosted on IIS 6, and I need to replace it with a new one
Solution:  To renew the SSL, we have to create a temporary site in IIS and generate a new CSR in order to get a new SSL certificate for the current site

Step 1. Create Temporary site in IIS 6

1. Create a Temporary site within IIS.

Creating new site in IIS 6

2. Go through the Welcome to the Web Site Creation Wizard page. This wizard helps you create a new Web Site on this computer.

Web Site creation wizard IIS 6

3. Web Site Description. Describe the web site to help administrators identify it.
I am calling it Temp Site for Generating CSR

Temp site to create CSR

4. IP address and Port Settings. Specify an IP address, port settings, and host header for the new Web site.
In this case I am not worried about this information since it’s a temporary site for generating the CSR

IP address and Port Settings in IIS6

5. Web Site Home Directory. The home directory is the root of your web content subdirectories.

Web site home directory IIS 6

6. Web site access permissions. Set the access permissions for this web site.
This depends on the type of site you’re hosting.

Web site access permissions

7. Complete the Web Site creation Wizard.

Step 2: Create Web Server Certificate

1. Right-click the temporary web site which you created and go to Properties

2. In Properties, click on Directory Security and click Server Certificate

Getting Server Certificate in IIS

3. The Welcome to the Web Server Certificate Wizard page appears. This wizard helps you create and administer server certificates used in secure web communications between your server and a client.

Status of your web server: Your web server doesn’t have a certificate installed and you don’t have any pending requests.
Certificate wizard will help you to create a new certificate for this web server or attach to an existing certificate.

Web Server Certificate Wizard IIS 6

4. Server Certificate. These are the methods of assigning a certificate to a web site:

– Create a new certificate
– Assign an existing certificate
– Import a certificate from a key manager backup file
– Import a certificate from a .pfx file
– Copy or move a certificate from a remote server site to this site.

Select “Create a new certificate” and click Next

Create a new certificate in IIS

5. Delayed or immediate request. You can prepare a request to be sent later, or you can send one immediately.
Do you want to prepare a certificate request to be sent later, or do you want to send it immediately to an online certification authority?

In this case, I am going to prepare the request now, but send it later

Delayed or Immediate SSL request

6. Name and Security Settings. Your new certificate must have a name and a specific bit length.
Type a name for the new certificate. The name should be easy for you to refer to and remember

SSL Certificate Name and settings

7. Organization Information

8. Organization Information
Your certificate must include information about your organization that distinguishes it from other organizations.
Select or type your organization’s name and your organizational unit. This is typically the legal name of your organization and the name of your division or department.

Organization Information to generate SSL

9. Your Site Common Name
This is very important. You need to enter the correct name of the site for which you want to generate the CSR.

Type the common name for your site. If the server is on the internet, use a valid DNS name. If the server is on the intranet, you may prefer to use the computer’s NetBIOS name.

If the common name changes, you will need to obtain a new certificate

Site common name to get CSR

10. Geographical Information: The certification authority requires the following geographical information.

Geographical Information for SSL

11. Certificate Request File Name. Your certificate request is saved as a text file with the file name you specify.

Certificate Request File Name

12. Verify your request file summary and click Next to generate the CSR file for your web site

Step 3: Provide CSR to your SSL Provider

1. Log in to your SSL Provider Web Site

2. Provide your CSR file which you generated

3. After adding the CSR, I clicked next and this is the message I got: “This CSR uses an unsupported key size”

This CSR uses an unsupported key size

4. If you look at Step 1 – 6, I generated a 1024 bit length and it’s not supported any more.
The minimum bit length should be 2048

5. In this case, I am going to delete the existing certificate which I created and
generate a new one with 2048 bit encryption. I added the new CSR file and it worked
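
The key-size rejection described above can be caught before the request file is pasted into the provider's site. The script below is an added example, not part of the original post: it assumes the OpenSSL command-line tool is available on a workstation, reads the request text file saved by the wizard, and checks the key size and common name. The function names are hypothetical and the sample CSRs it generates are constructed stand-ins for the IIS request file.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the openssl CLI is
# installed and that the CSR carries an RSA key.

# Print the public key size in bits recorded in a PEM CSR file.
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Print the Common Name from the CSR subject.
csr_common_name() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/^subject= *//p' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# Usage: csr_check FILE EXPECTED_CN [MIN_BITS]
# Returns 0 only when the key size and common name are both acceptable.
csr_check() {
    file=$1; want_cn=$2; min_bits=${3:-2048}
    bits=$(csr_key_bits "$file")
    cn=$(csr_common_name "$file")
    if [ -z "$bits" ]; then
        echo "FAIL: $file is not a readable CSR"; return 2
    fi
    if [ "$bits" -lt "$min_bits" ]; then
        echo "FAIL: key is $bits bits, minimum is $min_bits"; return 1
    fi
    if [ "$cn" != "$want_cn" ]; then
        echo "FAIL: common name is '$cn', expected '$want_cn'"; return 1
    fi
    echo "OK: $bits-bit key, CN=$cn"
}

# Constructed sample input: a throwaway CSR of the given key size and name.
make_sample_csr() {  # make_sample_csr OUTFILE BITS CN
    openssl req -new -newkey "rsa:$2" -nodes -keyout "$1.key" \
        -subj "/O=Example Org/CN=$3" -out "$1" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample_csr "$tmp/old.txt" 1024 www.example.com
make_sample_csr "$tmp/new.txt" 2048 www.example.com
csr_check "$tmp/old.txt" www.example.com || true   # the 1024-bit request is rejected
csr_check "$tmp/new.txt" www.example.com           # the 2048-bit request passes
rm -rf "$tmp"
```

The same check catches a mistyped common name, which would otherwise only surface after the certificate is issued.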

Once my SSL is ready, I will post a blog about how you can add it back to your site with the expired SSL certificate.
