Renewing a certificate in IIS
Typically, renewing an existing certificate for IIS involves generating a new Certificate Signing Request (CSR) and using that new CSR to request a new certificate. That procedure is described at: http://support.microsoft.com/kb/295281. However, it is also possible to replace an existing certificate with a new certificate, without the need to generate a new CSR, as long as the new certificate matches the old certificate's private key (i.e. the new certificate was generated from the current certificate's CSR). This can be useful when renewing an existing certificate.
To install a new certificate that was generated from the current certificate's CSR, follow these steps, which should work for Windows Server 2003, 2008, and 2008 R2. Parts of these instructions are based on: http://support.microsoft.com/kb/889651.
Note: During this process, the SSL web site will be down.
- Delete the old certificate.
  - Run:
    certutil.exe -store my
    and note the Serial Number of the old certificate, which is to be deleted.
  - Run:
    certutil.exe -delstore my SerialNumber
    where "SerialNumber" is that of the old certificate from step 1.
- Install the new certificate.
  - Run:
    certutil.exe -addstore my certificate.cer
    where "certificate.cer" is the certificate file to install.
  - Run:
    certutil.exe -store my
    and note the Serial Number of the new certificate.
  - Run:
    certutil.exe -repairstore my SerialNumber
    where "SerialNumber" is from the previous step.
- Configure IIS to use the new certificate.
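The procedure only works if the new certificate matches the existing private key, and the site is down once the old certificate is deleted, so the match is worth confirming first. The PowerShell script below is an added example, not part of the original article or the Microsoft KB articles. It assumes PowerShell is available on the server and that "certutil.exe -store my" refers to the LocalMachine\My store; the parameter names and the Format-Serial helper are made up for this example.

```powershell
# Added example (not from the original article): check the key match before
# deleting the old certificate, and check the key binding after -repairstore.
# Assumes "certutil.exe -store my" refers to the LocalMachine\My store.
param(
    [Parameter(Mandatory = $true)][string]$OldSerialNumber,  # as shown by certutil
    [Parameter(Mandatory = $true)][string]$NewCertPath       # e.g. certificate.cer
)

# certutil may print serial numbers in lower case or with spaces; normalize both sides.
function Format-Serial([string]$Serial) {
    return ($Serial -replace '[^0-9A-Fa-f]', '').ToUpper()
}

$newFile = (Resolve-Path $NewCertPath).ProviderPath
$new = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $newFile

$store = @(Get-ChildItem Cert:\LocalMachine\My)
$installed = @($store | Where-Object { $_.Thumbprint -eq $new.Thumbprint })

if ($installed.Count -gt 0) {
    # After the install step: the new certificate is in the store, and
    # -repairstore should have associated it with the existing private key.
    if (-not $installed[0].HasPrivateKey) {
        throw "New certificate is installed but has no private key; run -repairstore."
    }
    Write-Output "OK: new certificate $($new.SerialNumber) is bound to a private key."
    return
}

# Before the delete step: compare the new certificate with the old one in the store.
$wanted = Format-Serial $OldSerialNumber
$old = @($store | Where-Object { (Format-Serial $_.SerialNumber) -eq $wanted })
if ($old.Count -ne 1) {
    throw "Expected exactly one certificate with serial $wanted, found $($old.Count)."
}
if (-not $old[0].HasPrivateKey) {
    throw "The old certificate has no private key in this store."
}
if ($old[0].GetKeyAlgorithm() -ne $new.GetKeyAlgorithm() -or
    $old[0].GetPublicKeyString() -ne $new.GetPublicKeyString()) {
    throw "Public keys differ: the new certificate was not issued from this CSR."
}
$now = Get-Date
if ($now -lt $new.NotBefore -or $now -gt $new.NotAfter) {
    throw "New certificate is not valid now ($($new.NotBefore) to $($new.NotAfter))."
}
Write-Output "OK: keys match. New serial for -repairstore: $($new.SerialNumber)"
```

Run it once before deleting the old certificate, and again after the -repairstore step to confirm that the installed certificate has a private key.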

