5

Our Windows 2008 IIS7 web server has a wildcard SSL that is about to expire. The CSR that is automatically generated is too long and not accepted by my CA - nothing I can do about that. My main concern is avoiding any downtime. My secondary concern is that I am not a network / server admin, so my fear at having to follow a lengthy manual process is quite keen.

When I go to the Server Certificates in IIS I see a list of 2. One is 'my' SSL and the other is a self-signed cert from the server. If I go through the 'Create Certificate Request' wizard and create a new CSR with the same details what will happen? Will it automatically disable the existing cert or will it keep the new one pending and the old one active until I complete the process and swap them over?

Apologies if that isn't as clearly explained as I may have wanted.

Chris Arnold

2 Answers

7

Generating a new CSR has no effect on the current certs. They will still be bound to the site and continue to be valid until they expire, or until you replace them with the new one.

joeqwerty
4

This used to be an issue with IIS 6 but there is no risk of downtime with IIS 7. Just generate a new CSR, install it, and when you are ready to switch to the new certificate, change the site bindings. IIS will continue using the old certificate until you change the bindings.

Also, the extremely large CSR is generated from a bug in the IIS 7 renew process. You will just want to create a new CSR rather than using the Renew option.

Robert
  • Huh? Problem in IIS 6? I'm not following. I've never had any problems generating a new CSR in IIS 6. The current cert is valid until the expiry date or until you replace it with a new one based on the new CSR. The pending CSR has no bearing on the validity of the current cert. – joeqwerty Dec 20 '09 at 18:22
  • Because you can only have one pending request per web site, if you ever needed to create a new CSR with a different common name or a different key size, you would need to remove the certificate, generate a new one, and install it. If you don't need to make any changes, you can use the renew option without downtime. You could also create another IIS site to create the request on and then transfer it to the old site once it has been installed. So, in some situations there could be a risk of downtime with IIS 6. This isn't the case at all with IIS 7. – Robert Dec 22 '09 at 01:00
  • @Robert: Thanks for the info, but I'm still confused. Once the cert has been applied the pending request is "deleted". If you're renewing the current cert and you generate a new CSR there should be no ill effect on the current cert. Even if you decide not to renew the cert or you decide to renew it at a later time, you simply have to run the cert wizard and select the option to delete the pending request, again with no ill effect on the current cert. Again, I've never had any problem with IIS 6. Am I misunderstanding what you're saying? – joeqwerty Dec 22 '09 at 01:50
  • You're right. There isn't a risk of any downtime when using the Renew option, but the Renew option doesn't let you change any of the information in the CSR (common name, organization location, or key size). So if you need to change any of those, you have to use one of the methods I mentioned to avoid downtime. I realize that the original question didn't have this stipulation but I thought it might help others. – Robert Dec 23 '09 at 14:49
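As an added example (not code from the question or either answer), a PowerShell script that reports which certificate each HTTPS binding in http.sys actually points at; running it before and after creating the new CSR lets you confirm the point both answers make, that a pending request does not touch the live binding. It assumes Windows Server 2008 with IIS 7 and an elevated PowerShell prompt; the store names and the `netsh` output format are the standard ones, and `Get-SslBindingReport` is a name chosen for this example.

```powershell
# Added example, not code from the thread. Lists every HTTPS binding known to http.sys
# together with the certificate it uses, so the output can be compared before and after
# a new CSR is created. Assumes Windows Server 2008 / IIS 7 and an elevated prompt.
function Get-SslBindingReport {
    # Installed server certificates. A pending CSR lives in the REQUEST store instead
    # and is never referenced by a binding, which is why creating one changes nothing here.
    $installed = Get-ChildItem Cert:\LocalMachine\My

    # Parse the text output of "netsh http show sslcert" into endpoint/thumbprint pairs.
    $bindings = @()
    $current  = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            $current = New-Object PSObject -Property @{ Endpoint = $matches[2]; Thumbprint = '' }
            $bindings += $current
        }
        elseif ($current -ne $null -and $line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
            $current.Thumbprint = $matches[1].ToUpper()
        }
    }

    # Join each binding to the certificate store and work out how long the cert has left.
    foreach ($b in $bindings) {
        $cert = $installed | Where-Object { $_.Thumbprint -eq $b.Thumbprint }
        if ($cert -eq $null) {
            # A binding whose certificate is missing from the store is the real outage risk.
            $subject  = '<certificate not found in LocalMachine\My>'
            $expires  = $null
            $daysLeft = $null
        } else {
            $subject  = $cert.Subject
            $expires  = $cert.NotAfter
            $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        }
        New-Object PSObject -Property @{
            Endpoint   = $b.Endpoint
            Thumbprint = $b.Thumbprint
            Subject    = $subject
            Expires    = $expires
            DaysLeft   = $daysLeft
        }
    }
}

Get-SslBindingReport | Format-Table Endpoint, DaysLeft, Expires, Subject, Thumbprint -AutoSize

# Pending requests (the CSRs the IIS wizard creates) are kept separately and bound to nothing.
$pending = @(Get-ChildItem Cert:\LocalMachine\REQUEST -ErrorAction SilentlyContinue)
"Pending certificate requests: {0}" -f $pending.Count
```

Only the thumbprint column changing between two runs means a binding was actually switched; a new entry under the pending count with an unchanged thumbprint is exactly the safe state the answers describe.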