IIS 7.0 - SSL certificate - renew or new?

Renewing a certificate allows you to keep the same public and private key while updating the expiration date for the certificate. The advantage to this is if you had to store the thumbprint on a router or something. I believe that the same issuing CA is required for renewing a request so it may just be easier to generate a new request by hand.

To generate a new request without blowing IIS up

You can create the certificate request manually and submit that. Once you get the new certificate you can then just switch the cert that IIS7 is looking for. How to create a web server SSL certificate manually.

The simple gist of the process is you will create an inf file with the required information, run certreq -new file.inf file.req. Once you have the request file you can submit that to the CA you want to issue your certificate, then accept the public key they send you with the command certreq -accept file-from-ca.req

Example request.inf

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=fully.qualified.domain.name, OU=Organizational Unit, O=Company, L=City, S=State, C=Country"
KeySpec = 1
KeyLength = 2048
HashAlgorithm = SHA256
Exportable = FALSE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
RequestType = PKCS10
KeyUsage = 0xa0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
FriendlyName = ""

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

[RequestAttributes]
CertificateTemplate = WebServer

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "DNS=&"
_continue_ = "DNS="

The above example inf is one I use internally for my own CA but can be adapted to work for most environments. You can set Exportable to TRUE if you want to be able to archive your key. The FriendlyName is completely optional and the Extensions section is for using alternate DNS names (Subject Alternative Names).

An example of a SAN entry would be:

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "DNS=example.com&"
_continue_ = "DNS=www.example.com&"
_continue_ = "DNS=secure.example.com"

That would allow you to use the same certificate with the three above sites without it complaining that there is a name mismatch (on modern browsers - I don't think IE6 understands it). It is important that you include the fully qualified domain name (the CN of the subject line) in the SAN if you set that up. You can completely remove the extensions area as well if you have no need for multiple domain names (also, some CAs may not support it).

The process

Once you have the above information saved (I know it is a lot). Follow these steps:

1. Open a command prompt and cd to the directory where you saved the above inf.
2. Run certreq -new above.inf request.req
3. Submit the request.req file to your CA. They will process it and approve/decline it.
4. When they approve it they should send you back your public key in a .cer file.
5. Run certreq -accept file-from-ca.cer to finish setting up the key.

Good luck!

Edit

The full syntax for certreq and the inf file can be found at Appendix 3: Certreq.exe Syntax (Windows Server 2003 SP1). The FriendlyName and HashAlgorithm are Server 2008 (and R2) only. You can view a list of supported cryptographic providers by running the command certutil -csplist and looking at the output. A current Windows 2003 SP2 box does have the "Microsoft RSA SChannel Cryptographic Provider" listed as an available provider so make sure that your file has the quotes properly set and that entry is on one line only (no wrapping or multi-lines).

You can also change out ProviderName to ProviderType and use the number provided by the output of certreq -csplist.

In this case I get the following output:

Provider Name: Microsoft RSA SChannel Cryptographic Provider
Provider Type: 12

So I can either use

ProvderName = "Microsoft RSA SChannel Cryptographic Provider"

or

ProviderType = 12

You only need to create a temporary website with IIS 6.0. IIS 7.0 allows you to create multiple pending requests at a time.

IIS 7.0 actually has a bug that causes the renew function to generate a CSR with a very large key (much larger than you want). Because of this, it is recommended that you create a new pending request instead of selecting the renew option. Once installed you simply switch the SSL binding on the website and you won't have any downtime. This also allows you to generate a new key every time you renew which increases security.

The certificate provider (CA) doesn't care whether you use the new option or the renew option and you could use either option whether you are staying with the same CA or ordering from a new one.

OK, to partially answer my own question - the part of creating/using a new certificate without removing the existing one (i.e. without stopping the server), I found a good description on Comodo website - basically I need to create a "temporary" website on the server, and use it to create a new CSR, send it for signing, and receive and import the certificate.

Then on my main (real) site I need to replace the current certificate, and then delete the temp one.