Sunday, May 21, 2006

SSL, IIS: Renewing a certificate request

It’s been almost a year since I posted the series of articles on how to manage IIS certificates. So in keeping with my theme of posting entries that typically have some basis in day-to-day operations, I thought I’d add something on renewing certificates, ahead of expiration.

Just a quick reminder on IIS versioning…

IIS 5.0 Windows 2000
IIS 5.1 Windows XP
IIS 6.0 Windows Server 2003

In my situation I’m running IIS 6.0 on 2003, but the KB article “How to Renew Certificates That Are Used with IIS 5.0” follows closely enough; and combined with the previous series of articles, it should prove helpful for future reference.

The short overview:
1) In the IIS console, right-click on your site, click properties, Directory Security tab, then server certificate.
2) Click next, then “Renew the current certificate”, next, next, next.
3) Copy and paste the text from the file of the resulting certificate request to the clipboard.
4) Submit the certificate request to a certificate authority (e.g. http://servername/certsrv/) (See the KB, steps 5-11)
5) Download the certificate from the CA
6) Open up the CA MMC tool, and issue the pending request (this is the easiest step to overlook)
7) In the IIS MMC console, right-click your site, Directory Security tab, then server request, then process pending requests.

Again, for me, the easiest step to overlook is 6. So, even if you’re following along in the KB article, remember to issue the pending request in the CA MMC that you generated. Otherwise, you’ll get an error message to the effect of “Selected certificate was already installed to another server. Please, choose another response file.”

Additional Resources:
How to Renew Certificates That Are Used with IIS 5.0;en-us;277891

SSL Overview: Part 5, Download and Install the Certificate within IIS (includes links to all original articles)

No comments: