IIS: Switching to a new certificate
If you run a website with a secure portal, then you most likely have a certificate (or are self certified, which is not what this article is covering). At some point in time that certificate will expire and you will need a new one. But how do you do that? You cannot generate a new CSR while the current certificate is loaded. If you unlead the certificate your users will not be able to access your site. What to do, what to do.
Setup a separate {fake} website
The first step is to go into IIS and create a new website. It really doesn’t matter what you call it or what ports or whatever. We really don’t care. I call mine, ‘Temp-cert site’ and put it on some unused port that I don’t care about. I also just make a directory, but don’t give any rights to it (just in case). So what you should have is:
Create the CSR
The next step is to create the CSR based on this new site. So you go through the normal motions:
Right click the Temp-cert site
Click properties
Click Directory Security tab
Click Server Certificate
The ‘Welcome to the Web Server Certificate Wizard’ will start – Go through this just like you did for the actual website you wanted to get the cert for. Notice we haven’t actually touched the ‘real’ site yet.
Once you are done, copy and paste the New Request to your Certificate Provider and get your certificate back
Install the new certificate
Now that you have your new certificate, you will need to install it somewhere (not to the actual site yet). So back to the temp site we go. Right click and get into properties, and the Directory Security tab. Click again on Server Certificate. This time the wizard will go through the installing of the cert. YES this will install the cert on our ‘temp’ site, but don’t worry we’ll fix that in a minute. Make sure the cert installed without an error.
Remove the certificate on ‘Temp’ site
Now that you have a brand new shinny certificate on this site, we are going to remove it. Removing the certificate takes it off that particular site, but does not remove it from the certificate store. So go back into properties of the ‘temp’ site, and back into the familiar Directory Security and Server Certificate wizard. Here we want to remove the certificate. That wizard completes pretty fast and painless. Now on to installing on the right site.
Install the certificate on the ‘real’ site
Okay, NOW is the time we are actually going to do something to the real site. Right click on the proper site, and get into properties. Then into the Directory Security and click on the Server Certificate wizard. So you should see something like this:
So now you select the ‘Replace the current certificate’ and click next. From there you should see a list of all the certs that have been installed on the server. From there you should see your brand new shinny certificate, with the proper issue and expire dates. Just simply select it, and close out of the wizard….
Thats IT!!!!
Now you have your new cert, and your actual live website wasn’t down, or without a cert at all. This way will assure you that you have no down time as Certificates can take a few days to get after you give them your CSR.