How to Change IIS Key Size for SSL Certificate Renewal

If you have an active SSL certificate running on IIS 5 or IIS 6 you cannot change the key bit length without creating a new Certificate Signing Request (CSR). The problem is that you can't create a new CSR on your site that already has an active SSL certificate. There is an easy work-around to this problem.

If you are using IIS 7 just create a new CSR from scratch rather than clicking the "Renew" link in IIS 7. This will allow you to generate a new CSR with a 2048-bit key size. Just follow the IIS 7 CSR instructions.

Overview: We are going to first create a dummy site in IIS, generate a new CSR request for the dummy site using a 2048-bit key, install a new certificate on the dummy site, and then replace the expiring certificate on your real site with the new 2048-bit key/certificate from the dummy site. It's easier than you think.

1. Open the Internet Information Services (IIS) Manager. From the Start button select Programs > Administrative Tools > Internet Information Services Manager.
2. You will first need to create create dummy site (a temporary site) in IIS. Right-click on the main server node (local computer) and select New > Web Site. You can call it tempsite. You'll be deleting this site later so you don't need to worry too much with the details of setting it up.
3. Once you have the temporary site setup you will need to generate a Certificate Signing Request (CSR) for the dummy site. The Common Name (e.g., www.mysite.com) in the new CSR must be the same as your real site. For example, if the certificate you're trying to renew is for 'secure.mydomain.com' then the Common Name in the CSR for the dummy site will also need to be 'secure.mydomain.com'. To generate the CSR follow these instructions.
4. Once you have a CSR for the dummy site you can place a renewal order using that CSR.
5. GeoTrust will issue your SSL certificate. You will receive an email with a link for you downloadload your certificate files. You will need to download the PKCS#7 version of your SSL certificate to your server's desktop and rename the file from your_domain_com.p7b to your_domain_com.cer.
6. Return to the Directory Security tab of your dummy site (not your real site) and click Server Certificate and select Process the pending request and install the certificate. Click Next.
7. Locate the your_domain_com.cer file when prompted to locate your web server certificate. Click Next.
8. Review the summary screen and ensure that you are processing the correct certificate (check the expiration date). Click Next.
9. Click Next and then Finish on the confirmation screen. The SSL certificate has now been installed on the dummy site and now we have to transfer it to the real site.
10. Right-click your real web site and then click Properties.
11. On the Directory Security, under Secure communications, click Server Certificate.
12. Click Next in the Welcome to the Web Server Certificate Wizard window.
13. Select Replace the current certificate, Click Next.

    

14. You will be asked to select your SSL certificate from a list of installed certificates. Ensure you select the new certificate from the list.
15. Review the summary screen and ensure that you are processing the correct certificate (check the expiration date). Click Next.
16. Click Next and then Finish on the confirmation screen. Your old SSL certificate has now been replaced with the new certificate from the dummy site.
17. You may safely delete the entire dummy site.

Verify Installation

To verify if your certificate is installed correctly, use our Certificate Installation Checker.

Test your SSL certificate by using a browser to connect to your server. Use the https protocol directive. For example, if your SSL was issued to secure.mysite.com, enter https://secure.mysite.com into your browser.

Your browser's padlock icon will be displayed in the locked position if your certificate is installed correctly and the server is properly configured for SSL.