
I have a .PFX file, and want to use it to update an existing SSL certificate in IIS.

I can use the Import command. This prompts me for my PFX file and password. That's exactly what I want except that it creates a new certificate instead of updating the existing one.

So I tried the Renew command instead. But this command gives me a completely different dialog, which ultimately prompts me for a CER file.

I don't have a CER file. I have a PFX file. Is there no way to get an Import dialog that performs an update instead of a create?

Jonathan Wood
  • Why not just import the PFX file and change your IIS bindings to use the new certificate? – joeqwerty Jun 21 '23 at 17:02
  • @joeqwerty: Because I have to do this every once in a while, and I'd like to understand why there would be an Import for new certificates but not for renewed ones. Also, when I use the Import command, it has no name. And I can see there is a Renew command. So none of this is making sense to me. – Jonathan Wood Jun 21 '23 at 17:06

2 Answers

1

Because SSL certificates don't get updated, they get replaced with a new certificate, often alongside the existing certificate, and then the service using that certificate gets updated to use the new one.

That's why once a system has been running for a while, you'll often find you have multiple certificates for the same address(es). It's also why when done manually, it's generally a good idea when given the chance to name the certificate to make sure it's distinctive beyond the address being secured, for instance including the date/year so you can easily see which one is the most up to date.

Once updated you can of course go back and remove the old ones, but the system won't do that automatically since it's quite possible that you could have mydomain.com-2023 and mydomain.com-2022 in use at the same time by different systems.

Similarly with automated systems like Certifytheweb that automate renewing and installing Let's Encrypt Auto SSL certificates, you'll find you not only have the currently used certificate listed, but several of the old ones as well. Though from memory I believe that does automatically remove some of the older ones after a period of time. That also allows for the fact that your two certificates can overlap in terms of their start and end dates.

Keith Langmead
  • Thanks, but this hardly makes sense to me. First off, there is a Renew command. Second, it's pretty obvious that certificates will be renewed, and by adding a new one, you then have to also go and edit the bindings on all related sites. Finally, I did not see any way to name a certificate when importing it from a PFX file. – Jonathan Wood Jun 22 '23 at 18:03
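The replace-then-rebind workflow described in this answer and in joeqwerty's comment, as an added PowerShell example that is not part of the original post or of IIS itself: it imports the PFX, gives the new certificate a distinctive friendly name, moves the site's https binding to it, and lists the older certificates for the same subject so they can be cleaned up deliberately. The PFX path, site name and friendly name are assumptions (placeholders).

```powershell
# Added example, not from the original answers. Assumes Windows PowerShell 5.1 on a
# server with the IIS WebAdministration module; the path, site and name are placeholders.
$PfxPath      = 'C:\certs\mydomain.com-2023.pfx'   # placeholder path to the PFX
$SiteName     = 'Default Web Site'                 # assumed IIS site name
$FriendlyName = 'mydomain.com-2023'                # distinctive name, per the answer's advice
$Password     = Read-Host -Prompt 'PFX password' -AsSecureString

Import-Module WebAdministration

# 1. Import the PFX into the machine store. Like the IIS "Import" dialog, this adds a
#    new certificate alongside the old one; nothing is updated in place.
$new = Import-PfxCertificate -FilePath $PfxPath `
           -CertStoreLocation 'Cert:\LocalMachine\My' -Password $Password

# 2. The Import dialog offers no name, but FriendlyName set on the store object persists,
#    so the new certificate is easy to tell apart from last year's in the IIS list.
$new.FriendlyName = $FriendlyName

# 3. Record which certificate the site's https binding uses today, then move the binding
#    to the new certificate (thumbprint plus store name).
$binding  = Get-WebBinding -Name $SiteName -Protocol https
$oldThumb = $binding.certificateHash
$binding.AddSslCertificate($new.Thumbprint, 'my')

# 4. Show every certificate in the store for the same subject, newest expiry first. The
#    old one is not removed automatically because another site or service may still use it;
#    remove it only after checking no other binding references $oldThumb.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $new.Subject } |
    Sort-Object NotAfter -Descending |
    Format-Table Thumbprint, FriendlyName, NotBefore, NotAfter -AutoSize

"Binding for '$SiteName' moved from $oldThumb to $($new.Thumbprint)"
```

Run it once per site that shares the certificate; `Get-WebBinding -Protocol https` without `-Name` lists every https binding on the server so none is missed.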
0

The 'update' process creates a CSR file, typically when used with certreq.exe and an inf file. The CSR is transferred to the issuing CA, which processes the request and returns a resulting CER file. The CER file is then 'imported' on the requesting machine, which consummates the fulfillment process. That is technically the more secure way, as only the requestor is creating the fulfilled certificate, which may be later manifested as a PFX container file.

Some products, including some Windows components, mark a certificate as 'archived' after importing a certificate that replaces an existing certificate.

Certreq.exe can also be used to do all of that, on any endpoint. But then materialize the certificate with private key as a PFX which can then be copied to other systems or multiple systems, and saved/escrowed.

Greg Askew