
Solution ID : SO6424

Last Modified : 05/22/2018

How to generate a Certificate Signing Request (CSR) file in Microsoft IIS 6.0 without removing the existing certificate?

Solution

To generate a new CSR without removing the current certificate, create a temporary website. This workaround applies to Microsoft IIS servers that already have a certificate installed but need a new CSR with a different key length or different information in the Distinguished Name. Creating a temporary website keeps the current certificate active on the site while another certificate request is pending. After the certificate is installed on the temporary web site, it can be applied to the production web site.

NOTE: GeoTrust recommends a key length of 2048 bits.
 

Step 1: Generate a Certificate Signing Request (CSR) file without removing the existing certificate

  1. Click Start > All Programs > Administrative Tools > Internet Information Services (IIS) Manager
  2. Right-click Web Sites
  3. Select New > Web Site
  4. The Web Site Creation Wizard will open. Enter Temporary as the web site name > click Next


    Note: In the Wizard, simply bypass all the settings by clicking Next. However, you will need to specify a path. The directory you select is completely arbitrary and will not affect the CSR generation. In this example, the C:\ drive is chosen as the Home Directory.
     
     
  5. Click Finish


    Note: The temporary web site does not need to be started for this process. If the web site is started, right-click the temporary site and select Stop.
  6. Right-click the temporary site > select Properties > Directory Security > Server Certificate
  7. Select Create a New Certificate > Next > Prepare the request now, but send it later > Next
  8. Provide the friendly name for this certificate. This will help you identify the certificate if multiple certificates are installed. For the bit length, specify 2048. Click Next.

     
  9. Complete the IIS Certificate Wizard to generate the new Certificate Signing Request. 
    Note: The IIS Certificate Wizard will pre-populate the Distinguished Name fields (Organization, Organizational Unit, etc.).  DO NOT accept these.  Delete the pre-populated entry and enter the details again based on the existing certificate information contained in the Subject field. 
  10. Click Finish


The newly created CSR can now be used during enrollment. Typically this will be submitted during a Renewal of a certificate.
Important: The temporary web site and pending request option need to remain available until the certificate is returned as it will need to be installed on the temporary web site.
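
Before the request is submitted, the two settings Step 1 stresses (a 2048-bit key and a Distinguished Name that matches the existing certificate's Subject) can be checked from a command line. The script below is an added example, not GeoTrust or Microsoft tooling: it assumes the OpenSSL command-line tool is available and that the current certificate has been exported in Base-64 form, and its function names, file names and sample Subject are hypothetical.

```shell
#!/bin/sh
# Added example: compare a freshly generated CSR with the certificate it replaces.
# Assumes the openssl CLI; function names, file names and sample DN are hypothetical.

csr_bits() {       # key size stated in the CSR, e.g. 2048
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

csr_subject() {    # Subject DN of the CSR in RFC 2253 form
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

cert_subject() {   # Subject DN of the current certificate (Base-64 export)
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# check_csr CSR CERT [MIN_BITS]: returns 0 only when both checks pass
check_csr() {
    min=${3:-2048}; rc=0
    bits=$(csr_bits "$1")
    [ "${bits:-0}" -ge "$min" ] ||
        { echo "FAIL: key is ${bits:-unknown} bits, need at least $min"; rc=1; }
    new=$(csr_subject "$1"); old=$(cert_subject "$2")
    [ -n "$new" ] && [ "$new" = "$old" ] ||
        { echo "FAIL: CSR Subject '$new' differs from certificate '$old'"; rc=1; }
    [ "$rc" -ne 0 ] || echo "OK: $bits-bit key, Subject matches: $new"
    return "$rc"
}

# Constructed sample data: a stand-in for the installed certificate and for
# the request file the IIS wizard writes. make_sample DIR CSR_SUBJECT
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$1/old.key" \
        -out "$1/current.cer" -subj "/C=US/O=Example Corp/CN=www.example.com" \
        2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/new.key" \
        -out "$1/certreq.txt" -subj "$2" 2>/dev/null
}

# Usage: sh check_csr.sh certreq.txt current.cer [min_bits]
if [ "$#" -ge 2 ]; then check_csr "$@"; fi
```

The Subject comparison is an exact string match, so attribute order and spelling must be identical in the request and the existing certificate.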

Step 2: Install the SSL certificate on the temporary site and apply it to the production web site

Note: By default, Microsoft IIS server will prompt you to install a file with the .cer extension, but .txt and .p7b are also allowed.

Once you receive the new certificate, save it in Notepad with the extension .cer, then:

  1. Right-click the temporary site > select Properties > Directory Security > Server certificate
  2. Select Process the Pending Request and Install the Certificate, then click Next.
  3. Assign the temporary site an SSL port.
    NOTE: Please change the SSL Port from the default value (443) to another value (for example, 9443) to ensure there is no interference with the live production site.
  4. Complete the wizard to install the certificate.
  5. Right-click the production site > select Properties > Directory Security > Server certificate
  6. Select Replace the current certificate
    Note: If there is no certificate installed on the website, select Assign an Existing Certificate
  7. Select the certificate that you have just installed onto the temporary site > click Finish
  8. Stop and Start the website.
     

Once the SSL certificate has been assigned to the production site, the temporary site can be deleted.