NOTE: GeoTrust recommends a key length of 2048 bits.
Step 1: Generate a Certificate Signing Request (CSR) file without removing the existing certificate
- Click Start > All Programs > Administrative Tools > Internet Information Services (IIS) Manager
- Right-click Web Sites
- Select New > Web Site
- The Web Site Creation Wizard will open. Enter Temporary as the web site name > click Next
Note: In the Wizard, simply bypass all the settings by clicking Next. However, you will need to specify a path. The directory you select is completely arbitrary and will not affect the CSR generation. In this example, the C:\ drive is chosen as the Home Directory.
- Click Finish
Note: The temporary web site does not need to be started for this process. If the web site is started, right-click the temporary site and select Stop.
- Right-click the temporary site > select Properties > Directory Security > Server Certificate
- Select Create a New Certificate > Next > Prepare the request now, but send it later > Next
- Provide the friendly name for this certificate. This will help you identify the certificate if multiple certificates are installed. For the bit length, specify 2048. Click Next.
- Complete the IIS Certificate Wizard to generate the new Certificate Signing Request.
Note: The IIS Certificate Wizard will pre-populate the Distinguished Name fields (Organization, Organizational Unit, etc.). DO NOT accept these. Delete the pre-populated entry and enter the details again based on the existing certificate information contained in the Subject field.
- Click Finish
The newly created CSR can now be used during enrollment. Typically this will be submitted during a Renewal of a certificate.
Important: The temporary web site and pending request option need to remain available until the certificate is returned as it will need to be installed on the temporary web site.
Step 2: Install the SSL certificate on the temporary site and apply it to the production web site
Note: By default, Microsoft IIS will prompt you to install a file with the .cer extension, but .txt and .p7b are also allowed.
Once you receive the new certificate, save it in Notepad with the extension .cer, then:
- Right-click the temporary site > select Properties > Directory Security > Server certificate
- Select Process the Pending Request and Install the Certificate, then click Next.
- Assign the temporary site an SSL port.
NOTE: Please change the SSL Port from the default value (443) to another value (for example, 9443) to ensure there is no interference with the live production site.
- Complete the wizard to install the certificate.
- Right-click the production site > select Properties > Directory Security > Server certificate
- Select Replace the current certificate
Note: If there is no certificate installed on the website, select Assign an Existing Certificate
- Select the certificate that you have just installed onto the temporary site > click Finish
- Stop and Start the website.
Once the SSL certificate has been assigned to the production site, the temporary site can be deleted.
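One way to confirm the result of Step 2 before deleting the temporary site, as an added PowerShell example that is not part of the original article: it loads the issued .cer file, checks its key length against the 2048-bit recommendation, and reports which certificate the production and temporary ports serve. The host name and file path are placeholders, 9443 is the article's example port, and the workstation running the script is assumed to share an SSL/TLS protocol version with the server.

```powershell
# Added example. $HostName and $NewCerPath are placeholder values to replace.
$HostName   = 'www.example.com'
$NewCerPath = 'C:\certs\new.cer'
$Ports      = @{ Production = 443; Temporary = 9443 }   # 9443: the article's example port

function Get-ServedCertificate {
    param([string]$Name, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($Name, $Port)
    try {
        # Accept whatever is presented: the goal is to inspect it, not to trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Name)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    } finally {
        $tcp.Close()
    }
}

# Load the certificate returned by the CA and check the key length.
$new = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $NewCerPath
$keyBits = $new.PublicKey.Key.KeySize
"New certificate: $($new.Subject)"
"  Thumbprint $($new.Thumbprint), $($keyBits)-bit key, expires $($new.NotAfter)"
if ($keyBits -lt 2048) { Write-Warning 'Key is shorter than the recommended 2048 bits.' }

foreach ($site in $Ports.Keys) {
    $port = $Ports[$site]
    try {
        $served = Get-ServedCertificate -Name $HostName -Port $port
    } catch {
        # A stopped temporary site ends up here; that is expected.
        Write-Warning "$site site (port $port) did not complete a handshake: $($_.Exception.Message)"
        continue
    }
    if ($served.Thumbprint -eq $new.Thumbprint) {
        "$site site (port $port) serves the new certificate."
    } else {
        "$site site (port $port) serves a different certificate, expires $($served.NotAfter)."
    }
    # The Distinguished Name should have been re-entered to match the existing certificate.
    if ($served.Subject -ne $new.Subject) {
        Write-Warning "Subject on port $port differs from the new certificate: $($served.Subject)"
    }
}
```

Run before the replacement, a subject warning on the production port points to Distinguished Name fields that were not re-entered to match the existing certificate; run after it, the production port should report the new certificate.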