Wednesday, 11 November 2009

IIS: Change the key length for an SSL renewal

*** IIS 6 ***

When applying for an SSL certificate renewal where the old certificate uses a 512-bit key, you may receive the following error: "The CSR you submitted has a 512 bit key size. We do not allow SSL Web Server certificate issued with a CSR less than 1024 bits."

There is no way within IIS to change the key length on a renewal, but you can work around this by generating a new request on a temporary site, as follows:

1. Create a new website under IIS. Make sure the website is stopped.
2. Edit the new site.
3. Select the "Directory Security" tab.
4. Click "Server Certificate".
5. Click "Next".
6. Select "Create a new certificate".
7. Click "Next".
8. Select "Prepare the request now, but send it later".
9. Click "Next".
10. Enter a name for the new request and select a bit length of 1024.
11. Click "Next".
12. Enter the organisation name and organisational unit for the website you are attempting to renew.
13. Click "Next".
14. Enter the exact domain name for the website you are attempting to renew.
15. Click "Next".
16. Enter the business country, state and city.
17. Click "Next".
18. Select a save location for the CSR.
19. Complete the wizard.
20. Submit the new CSR with your renewal request - this should be accepted.
21. When you receive the new certificate, complete the renewal on the temporary site created in step 1.
22. Edit the main site that requires the renewed certificate.
23. Select the "Directory Security" tab.
24. Click "Server Certificate".
25. Click "Next".
26. Select "Replace the current certificate".
27. Click "Next".
28. Select the new certificate completed in step 21.
29. Click "Next" and complete the wizard.
30. Click "OK".
31. Delete the temporary site created in step 1.
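
To confirm the key size of the request saved in step 18 before submitting it in step 20, this added example (not part of the original post) reads the RSA modulus length straight out of the PEM-style request file with a minimal DER walk. The function names are assumptions of this example, and `sample_request` builds constructed, unsigned stand-ins for real request files.

```python
import base64
import re

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed element's contents into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def csr_rsa_key_bits(pem_text):
    """Bit length of the RSA modulus in a PEM-encoded PKCS#10 request."""
    body = re.sub(r"-----[^-]+-----", "", pem_text)
    der = base64.b64decode("".join(body.split()))
    info = children(children(read_tlv(der)[1])[0][1])  # version, subject, SPKI, attrs
    spki = children(info[2][1])                        # algorithm, BIT STRING
    rsa_key = children(spki[1][1][1:])                 # skip unused-bits byte
    modulus = children(rsa_key[0][1])[0][1]            # first INTEGER = modulus
    return int.from_bytes(modulus, "big").bit_length()

def key_long_enough(pem_text, minimum=1024):
    """True if the request's key meets the CA's minimum (1024 in the error above)."""
    return csr_rsa_key_bits(pem_text) >= minimum

def tlv(tag, value):
    """DER-encode one element; used only to build the constructed samples."""
    size = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    head = bytes([len(value)]) if len(value) < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + value

def sample_request(bits):
    """Constructed, unsigned request skeleton (not a valid CSR) with a `bits`-bit modulus."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    rsa = tlv(0x30, tlv(0x02, modulus) + tlv(0x02, b"\x01\x00\x01"))
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))
    spki = tlv(0x30, alg + tlv(0x03, b"\x00" + rsa))
    info = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, b"") + spki + tlv(0xA0, b""))
    der = tlv(0x30, info + tlv(0x30, b"") + tlv(0x03, b"\x00"))
    return "-----BEGIN NEW CERTIFICATE REQUEST-----\n%s-----END NEW CERTIFICATE REQUEST-----\n" % base64.encodebytes(der).decode()
```

The 1024-bit default mirrors the CA error quoted above; publicly trusted CAs today require RSA keys of at least 2048 bits, so pass a higher `minimum` when checking current requests.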

1 comment:

huhu78 said...

useful trick - thx!