When renewing my SSL certificate on IIS, how do I increase my CSR key size in IIS 5 or IIS 6 without removing my existing certificate?
When you renew a certificate in IIS 5 or IIS 6, the CSR that is created will retain all of the exact details that were set when the certificate was first set up. This includes the key size of the certificate.
Most users do not wish to remove the existing certificate using IIS and recreate the CSR details using the Certificate Wizard because that action will take your website down on port 443 during this process. On many production websites, this cannot happen.
The work around is to create a 'temporary' website in IIS. This website can be a blank default created using the Wizard in IIS. Once this has been done, you will then need to create a new CSR for that 'temporary' website, allowing you to change the key size.
When you receive your certificate file, install it onto the 'temporary' website as normal.
You can now assign the certificate from the 'temporary' website to the production website with no downtime. Once you have done this, you can simply delete the 'temporary' website. All future renewal CSRs from the production website with the new details should translate over. This means that this process should only have to be done once.
More information on this process can be found at Increasing CSR Key Size in IIS