iis - How can I renew SSL on IIS7 with No Downtime?

  • Chris Arnold

    Our Windows 2008 IIS7 web server has a wildcard SSL that is about to expire. The CSR that is automatically generated is too long and not accepted by my CA - nothing I can do about that. My main concern is avoiding any downtime. My secondary concern is that I am not a network / server admin so my fear at having following a lengthy manual process is quite keen.

    When I go to the Server Certificates in IIS I see a list of 2. One is 'my' SSL and the other is a self-signed cert from the server. If I go through the 'Create Certificate Request' wizard and create a new CSR with the same details what will happen? Will it automatically disable the existing cert or will it keep the new one pending and the old one active until I complete the process and swap them over?

    Apologies if that isn't as clearly explained as I may have wanted.

  • Answers
  • joeqwerty

    Generating a new CSR has no effect on the current certs. They will still be bound to the site and continue to be valid until they expire, or until you replace them with the new one.

  • Robert

    This used to be an issue with IIS 6 but there is no risk of downtime with IIs 7. Just generate a new CSR, install it, and when you are ready to switch to the new certificate, change the site bindings. IIS will continue using the old certificate until you change the bindings.

    Also, the extremely large CSR is generated from a bug in the IIs 7 renew process. You will just want to create a new CSR rather than using the Renew option.

  • Chevy Resnick

    Install ssltools manager and right click your displayed SSL cert and then click 'create csr'. This will create a renewal csr to be sent your ca.

    Or you can create a new cert through ssltools manager and when you get your signed cert back and import it in, then bind the new cert to your website.

  • Related Question

    iis - Windows 2008 SSL Certificate
  • Ronnie Overby

    I have a Windows Server 2008 machine hosting sites from IIS 7. I have bought certs from trusted authorities before and installed on IIS 6, but I just want to make my own certificate to encrypt the data, and I am not sure how to go about doing this on server 2008.

    How can I use Server 2008 to generate an SSL Certificate to secure a site?

    How then do I install the certificate on a site?

  • Related Answers
  • Adam

    Here is a good guide on self signed certs the MSDN blog http://blogs.msdn.com/bags/archive/2009/01/23/self-signed-certificates-on-iis-7-the-easy-way-and-the-most-effective-way.aspx. Just remember users will still be prompted that your cert isn't valid since it is self signed so it is not trusted by the users computer.