To generate a new CSR without removing the current certificate, a temporary website can be created. This workaround will apply for Microsoft IIS servers that currently have certificates installed but a new CSR with a new key-bit length or different information in the Distinguished Name needs to be created. Creating a temporary website allows you to keep the current certificate active on the site while another certificate request is pending. After installing the certificate on the temporary web site, it can be applied to the production web site.
NOTE: To generate a CSR, you will need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file and generate a new one, your SSL Certificate will no longer match. You will have to replace the certificate then.
NOTE: All certificates that will expire after October 2013 must have a 2048 bit key size.
Step 1: Create a temporary website:
- Click Start > All Programs > Administrative Tools > Internet Information Services (IIS) Manager
- Right-click Web Sites
- Select New > Web Site
- The Web Site Creation Wizard will open. Enter Temporary as the web site name > click Next
NOTE: In the Wizard, simply bypass all the settings by clicking Next. However, you will need to specify a path. The directory you select is completely arbitrary and will not affect the CSR generation. In the below example, the C:\ drive is chosen as the Home Directory.
- Click Finish
NOTE: The temporary web site does not need to be started for this process. If the web site is started, right click the temporary site and
Step 2: Generate Certificate Signing Request without removing existing certificate
- Right click the temporary site > select Properties > Directory Security > Server Certificate
- Select Create a New Certificate > Next > Prepare the request now, but sent it later > Next
- Provide the friendly name for this certificate. This will help you identify the certificate if multiple certificates are installed. For the bit length, specify 2048. Click Next.
- Complete the IIS Certificate Wizard to generate the new Certificate Signing Request.
NOTE: The IIS Certificate Wizard will pre-populate the Distinguished Name fields (Organization, Organizational Unit, and each subsequent wizard window.). DO NOT accept these.
Delete the pre-populated entry and enter the details again based on the existing certificate information contained in the Subject field.
- Click Finish
The newly created CSR can now be used during enrollment. Typically this will be submitted during a Renewal of a certificate.
NOTE: The temporary web site and pending request option need to remain available until the certificate is returned as it will need to be installed on the temporary web site.
To install the renewal certificate on a temporary site and assign it to the production site in Microsoft IIS 5 or IIS 6, follow the steps from this link