MSPSS: is there life after the helpdesk?

sharing solutions to uncommon IT problems

Renewing SSL Certificate on IIS6 (1024 -> 2048 bit)



Today I struggled quite a bit trying to replace an expired certificate on IIS6; I thought I’d share my findings, hoping it’ll save time for someone else.

A quick recap of the basic steps to follow when installing an SSL cert on IIS6:

  1. Create a CSR (by going to the website properties -> security -> Server Certificate -> New Cert).
  2. Post the CSR to the CA and obtain a .cer file in return.
  3. Complete the certificate request by feeding the .cer file to IIS6, which will produce a certificate with its private key in return.

Most SSL Certification Authorities nowadays only issue 2048-bit certs, because 1024-bit keys are no longer considered safe.
If your previous certificate had a 1024-bit key you are kind of stuck, because IIS6 only lets you generate a CSR with the same characteristics as the certificate currently installed.

At this stage you only have one choice: remove your current certificate (with obvious subsequent downtime) and process your certificate request as quickly as possible.
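
Since the swap means downtime, it helps to know in advance which certificates on the server are affected. The following is an added example, not part of the original post: it lists certificates in the local machine store whose key is shorter than 2048 bits, soonest to expire first. It assumes PowerShell 2.0 or later is installed on the server; the 60-day threshold is a constructed value.

```powershell
# Added example: find server certificates that will need a new 2048-bit key.
$minBits  = 2048   # key size CAs now require
$warnDays = 60     # constructed threshold; set to your renewal lead time

$report = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    try {
        # KeySize is available for RSA/DSA public keys
        $bits = $cert.PublicKey.Key.KeySize
    } catch {
        # Other key types are not exposed this way; report size as unknown
        $bits = $null
    }
    $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        KeyBits       = $bits
        NotAfter      = $cert.NotAfter
        DaysLeft      = $daysLeft
        HasPrivateKey = $cert.HasPrivateKey
        ExpiringSoon  = ($daysLeft -le $warnDays)
    }
}

# Keep only certificates with a known key size below the minimum
$report |
    Where-Object { $_.KeyBits -ne $null -and $_.KeyBits -lt $minBits } |
    Sort-Object DaysLeft |
    Format-Table Subject, KeyBits, NotAfter, DaysLeft, ExpiringSoon, HasPrivateKey -AutoSize
```

Any row with `ExpiringSoon` set to `True` is a site for which the replacement window should be scheduled before the certificate lapses.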

Things that I have tried to limit downtime and that won’t work:

  • Remove certificate -> generate CSR -> Cancel request -> set old certificate -> Make request to CA -> Make a new CSR identical to the previous = SSL Error
  • Generate CSR from another website on the same server = SSL Error

I hope this helps… if you can think of an easier way let me know


Written by zantoro

May 25, 2012 at 9:49 pm

Posted in IIS
