
Managed PKI for SSL-Certificate Signing Request (CSR) Generation Instructions for Microsoft IIS 5.0 or 6.0 without removing the existing certificate

Solution

 
To generate a new CSR without removing the current certificate, create a temporary website. This workaround applies to Microsoft IIS servers that already have a certificate installed but need a new CSR with a new key bit length or different information in the Distinguished Name. Creating a temporary website allows you to keep the current certificate active on the site while another certificate request is pending. After the certificate is installed on the temporary website, it can be applied to the production website.
 
NOTE: All certificates that will expire after December 2013 must have a 2048-bit key size.
 

Step 1: Create a temporary website:

  1. Click Start > All Programs > Administrative Tools > Internet Information Services (IIS) Manager
  2. Right-click Web Sites
  3. Select New > Web Site


     
  4. The Web Site Creation Wizard will open. Enter Temporary as the web site name > click Next



    NOTE: In the Wizard, simply bypass all the settings by clicking Next. However, you will need to specify a path. The directory you select is completely arbitrary and will not affect the CSR generation. In the example below, the C:\ drive is chosen as the Home Directory.



     
  5. Click Finish



    NOTE: The temporary web site does not need to be started for this process. If the web site is started, right-click the temporary site and select Stop.

 

Step 2: Generate Certificate Signing Request without removing the existing certificate: 

  1. Right click the temporary site > select Properties > Directory Security > Server Certificate
  2. Select Create a New Certificate > Next > Prepare the request now, but send it later > Next
  3. Provide the friendly name for this certificate. This will help you identify the certificate if multiple certificates are installed. 
  4. For the bit length, specify 2048. Click Next.


     
  5. Complete the IIS Certificate Wizard to generate the new Certificate Signing Request.

    NOTE: The IIS Certificate Wizard will pre-populate the Distinguished Name fields
    (Organization, Organizational Unit, and those in each subsequent wizard window). DO NOT accept these.
    Delete each pre-populated entry and enter the details again based on the existing certificate information contained in the Subject field.
    To find the information of the existing certificate, follow the steps.
     
  6. Click Finish
  7. The newly created CSR can now be used during enrollment. Typically this will be submitted during a Renewal of a certificate. 
    NOTE: The temporary web site and pending request option need to remain available until the certificate is returned, as it will need to be installed on the temporary web site.
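
One way to check the generated request before submitting it, as an added example that is not part of the original article: the script parses the CSR file, returns its Subject fields and RSA key size, and `check_csr` lists any field that differs from the values copied from the existing certificate's Subject, or a key shorter than 2048 bits. The function names, the file name `certreq.txt` and the expected values passed in are assumptions supplied by the caller; an RSA key is assumed.

```python
import base64, re, sys

# DER-encoded OIDs (2.5.4.x) of the subject fields the IIS wizard asks for.
OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x0b": "OU", b"\x55\x04\x0a": "O",
        b"\x55\x04\x07": "L", b"\x55\x04\x08": "ST", b"\x55\x04\x06": "C"}

def tlvs(buf):
    """Yield (tag, value) for each DER element in buf."""
    i = 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:  # long form: low 7 bits = number of length bytes
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n

def inspect_csr(pem):
    """Return (subject dict, RSA modulus bits) for a PKCS#10 request."""
    der = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))
    info = next(tlvs(next(tlvs(der))[1]))[1]   # CertificationRequestInfo
    _version, (_, name), (_, spki), *_ = tlvs(info)
    subject = {}
    for _, rdn in tlvs(name):                  # Name: SEQUENCE of SETs
        for _, atv in tlvs(rdn):               # each SET holds type/value pairs
            (_, oid), (vtag, val) = tlvs(atv)
            enc = "utf-16-be" if vtag == 0x1E else "utf-8"  # 0x1E = BMPString
            subject[OIDS.get(oid, oid.hex())] = val.decode(enc, "replace")
    _alg, (_, bits) = tlvs(spki)
    # BIT STRING: skip the unused-bits byte, then RSAPublicKey {modulus, exponent}
    (_, modulus), _exp = tlvs(next(tlvs(bits[1:]))[1])
    return subject, int.from_bytes(modulus, "big").bit_length()

def check_csr(pem, expected_subject, min_bits=2048):
    """Return a list of mismatches; an empty list means the request matches."""
    subject, bits = inspect_csr(pem)
    problems = [f"{k}: CSR has {subject.get(k)!r}, expected {v!r}"
                for k, v in expected_subject.items() if subject.get(k) != v]
    if bits < min_bits:
        problems.append(f"key is {bits} bits, need at least {min_bits}")
    return problems

if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage (file name is an assumption): python check_csr.py certreq.txt
    print(inspect_csr(open(sys.argv[1]).read()))
```

The comparison is an exact string match per field, so differences in spelling, spacing or capitalization between the request and the existing certificate's Subject are reported.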


To install the renewal certificate on a temporary site and assign it to the production site in Microsoft IIS 5 or IIS 6, follow the steps.