How to Change IIS Key Size for SSL Certificate Renewal
If you have an active SSL certificate running on IIS 5 or IIS 6 you cannot change
the key bit length without creating a new Certificate Signing Request (CSR). The problem
is that you can't create a new CSR on your site that already has an active SSL certificate.
There is an easy work-around to this problem.
If you are using IIS 7 just create a new CSR from scratch rather than clicking
the "Renew" link in IIS 7. This will allow you to generate a new CSR with a 2048-bit key size.
Just follow the IIS 7 CSR instructions.
Overview: We are going to first create a dummy site in IIS, generate a new CSR request
for the dummy site using a 2048-bit key, install a new certificate on the dummy site,
and then replace the expiring certificate on your real site with the new 2048-bit key/certificate
from the dummy site. It's easier than you think.
- Open the Internet Information Services (IIS) Manager.
From the Start button select Programs >
Administrative Tools > Internet
Information Services Manager.
- You will first need to create create dummy site (a temporary site)
in IIS. Right-click on the
main server node (local computer) and select New > Web
Site. You can call it tempsite. You'll be
deleting this site later so you don't need to worry too much with
the details of setting it up.
- Once you have the temporary site setup you will need to generate
a Certificate Signing Request (CSR) for the dummy site. The Common
Name (e.g., www.mysite.com)
in the new CSR must be the same as your real site. For example, if the certificate
you're trying to renew is for 'secure.mydomain.com' then
the Common Name in the CSR for the dummy site will also need to be
'secure.mydomain.com'. To generate the CSR follow
- Once you have a CSR for the dummy site you can place a
renewal order using that CSR.
- GeoTrust will issue your SSL certificate. You will receive an email with a
link for you downloadload your certificate files. You will need to download
the PKCS#7 version of your SSL certificate to your server's desktop and
rename the file from your_domain_com.p7b to your_domain_com.cer.
- Return to the Directory Security tab of your dummy site
(not your real site) and click Server Certificate and
select Process the pending request and install the certificate.
- Locate the your_domain_com.cer file when prompted to locate your web server
certificate. Click Next.
- Review the summary screen and ensure that you are processing the correct
certificate (check the expiration date). Click Next.
- Click Next and then Finish on the
confirmation screen. The SSL certificate has now been installed
on the dummy site and now we have to transfer it to the real site.
- Right-click your real web site
and then click Properties.
- On the Directory Security, under Secure communications,
click Server Certificate.
- Click Next in the Welcome to the Web Server
Certificate Wizard window.
- Select Replace the current certificate, Click Next.
- You will be asked to select your SSL certificate from a list of installed
certificates. Ensure you select the new certificate from the list.
- Review the summary screen and ensure that you are processing the
correct certificate (check the expiration date). Click Next.
- Click Next and then Finish on the confirmation screen. Your old SSL
certificate has now been replaced with the new certificate from the dummy
- You may safely delete the entire dummy site.
To verify if your certificate is installed correctly, use our
Certificate Installation Checker.
Test your SSL certificate by using a browser to connect to your server.
Use the https protocol directive. For example, if your
SSL was issued to secure.mysite.com, enter
Your browser's padlock icon will be displayed in the locked position if your certificate
is installed correctly and the server is properly configured for SSL.