Renew an IIS 6 SSL Certificate without Downtime
Microsoft stopped supporting Windows Server 2003, including IIS 6, on July 14, 2015. While we feel confident that the workaround below will work for standard configurations of IIS 6, we cannot guarantee results. Additionally, IIS 6 does not support modern cipher suites, which could leave your site vulnerable to attack or blocked by some browsers because of the outdated ciphers.
Also note that if you are renewing your certificate for IIS 6, you must have installed the hotfix that allows Windows Server 2003 to use SHA256 certificates, since SHA1 certificates were sunsetted on January 1, 2017. The hotfix may be available from alternate sources but is no longer available directly from Microsoft, as indicated on this page: https://knowledge.digicert.com/solution/SO19176.html
The problem with renewing SSL certificates on IIS 6 is that you cannot change any of the certificate details, such as key size, organization name or ISO country code. There is an easy workaround for this problem.
Workaround for renewing a certificate using IIS 6
We will first create a dummy site in IIS, generate a new CSR for the dummy site, install the new certificate on the dummy site, and then replace the expiring certificate on your real site with the renewal certificate from the dummy site. It's easier than you think!
- Open the Internet Information Services (IIS) Manager. From the Start button select Programs > Administrative Tools > Internet Information Services Manager.
- You will first need to create a dummy site (a temporary site) in IIS. Right-click on the main server node (local computer) and select New > Web Site. You can call it temp-site. You'll be deleting this site later, so you don't need to worry too much about the details of setting it up.
- Once you have the temporary site set up, you will need to generate a Certificate Signing Request (CSR) for the dummy site. The Common Name (e.g., www.mysite.com) in the new CSR must be the same as your real site's. For example, if the certificate you're trying to renew is for 'secure.mydomain.com', then the Common Name in the CSR for the dummy site will also need to be 'secure.mydomain.com'. To generate the CSR follow these instructions.
- Once you have a CSR for the dummy site you can place a renewal order using that CSR.
- When your renewal cert is approved and issued you will receive an email with a link to download your certificate files. You will need to download the PKCS#7 version of your SSL certificate to your server's desktop and rename the file from your_domain_com.p7b to your_domain_com.cer.
- Return to the Directory Security tab of your dummy site (not your real site), click Server Certificate, and select Process the pending request and install the certificate. Click Next.
- Locate the your_domain_com.cer file when prompted to locate your web server certificate. Click Next.
- Review the summary screen and ensure that you are processing the correct certificate (check the expiration date). Click Next.
- Click Next and then Finish on the confirmation screen. The SSL certificate has now been installed on the dummy site; next we transfer it to the real site.
- Right-click your real web site and then click Properties.
- On the Directory Security tab, under Secure communications, click Server Certificate.
- Click Next in the Welcome to the Web Server Certificate Wizard window.
- Select Replace the current certificate and click Next.
- You will be asked to select your SSL certificate from a list of installed certificates. Ensure you select the new certificate from the list.
- Review the summary screen and ensure that you are processing the correct certificate (check the expiration date). Click Next.
- Click Next and then Finish on the confirmation screen. Your old SSL certificate has now been replaced with the new certificate from the dummy site.
- You may safely delete the entire dummy site.
Verify Installation
- To verify if your certificate is installed correctly, use our Certificate Installation Checker.
- Test your SSL certificate by connecting to your server with a browser over https. For example, if your SSL certificate was issued to secure.mysite.com, enter https://secure.mysite.com into your browser.
- Your browser's padlock icon will be displayed in the locked position if your certificate is installed correctly and the server is properly configured for SSL.
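As an added example (not part of the original article), the following Python script performs the verification above from any client machine rather than in a browser: it connects to the server, validates the presented chain against the client's trust store (so a missing intermediate certificate shows up as a failure instead of being silently accepted), and reports whether the certificate's names cover the hostname and how many days remain before it expires. The hostname secure.mydomain.com and the SAMPLE_CERT dictionary are constructed placeholders; the checking functions are written so they can be exercised on that sample without a network connection.

```python
"""Added verification example (not part of the original article): connect to a
server over TLS, validate the chain against the local trust store, and report
whether the certificate it presents matches the expected hostname and how many
days remain before it expires."""
import socket
import ssl
import sys
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns; the
# domain names and dates are made up for this example.
SAMPLE_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Corp"),),
        (("commonName", "secure.mydomain.com"),),
    ),
    "subjectAltName": (("DNS", "secure.mydomain.com"), ("DNS", "www.mydomain.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar  1 00:00:00 2025 GMT",
}


def subject_cn(cert):
    """Return the subject commonName from a getpeercert()-style dict, or None."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def dns_names(cert):
    """Names the certificate is valid for: SAN DNS entries, else the subject CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    cn = subject_cn(cert)
    return [cn] if cn else []


def name_matches(hostname, names):
    """Case-insensitive match; a '*.' wildcard covers exactly one left-most label."""
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


def check_cert(cert, hostname, now=None):
    """Evaluate a getpeercert()-style dict against the hostname we expect.

    now is seconds since the epoch (UTC) and defaults to the current time.
    """
    now = int(time.time()) if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "cn": subject_cn(cert),
        "name_ok": name_matches(hostname, dns_names(cert)),
        "expired": now > not_after,
        "days_left": (not_after - now) // 86400,
    }


def fetch_cert(hostname, port=443, timeout=10):
    """Return (cert_dict, None) after a validated handshake, or (None, reason).

    Chain validation stays on deliberately: a missing intermediate or an
    untrusted root is reported as the reason rather than ignored.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as exc:
        return None, "chain/name validation failed: " + exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return None, str(exc)


if __name__ == "__main__":
    # Placeholder host; pass the real site name as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "secure.mydomain.com"
    cert, reason = fetch_cert(host)
    if cert is None:
        print(f"{host}: handshake failed ({reason})")
        sys.exit(1)
    result = check_cert(cert, host)
    print(f"{host}: CN={result['cn']} name_ok={result['name_ok']} "
          f"expired={result['expired']} days_left={result['days_left']}")
    sys.exit(0 if result["name_ok"] and not result["expired"] else 1)
```

Run it as `python check_cert.py secure.mysite.com` after the replacement step and compare the reported expiry with the date you accepted on the wizard's summary screen. If a current OpenSSL build refuses the handshake because the IIS 6 server offers only outdated cipher suites, the script reports that as the failure reason; that is the cipher caveat from the top of this article showing up in practice, not a problem with the certificate itself.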
Additional Resources
- Official IIS website
- Troubleshooting SSL related issues in IIS
- Repair intermediate certificate chain issues
Please contact our support team if you have any additional problems or questions.