Server 2003 IIS 6 – CSR/Install Instructions for Renewals without removing the existing certificate

Issue Condition:
To generate a new CSR without removing the current certificate, a Temporary Dummy website can be created. This workaround will apply for Microsoft IIS 6 server 2003 that currently have certificates installed on their website, but a new CSR with a new key-bit length or different information in the Distinguished Name needs to be created. Creating a temporary website allows you to keep the current certificate active on the site while another certificate request is pending. After installing the certificate on the temporary web site, it can be applied to the production web site.

On Windows type systems PFX/PKCS12 requests are made, and are stored on the system. The private key will remain hidden on the windows system and website where the CSR request is made.

Note: All certificates issued by a Certificate Authority must be SHA2/SHA256 algorithm due to industry standards by governing entities. IIS 6 Server 2003, has been known to not understand this Algorithm.  Installing a SHA2 certificate on your outdated system may not work. You may have to contact Microsoft for the best possible resolution.

Note: Microsoft ended support for Windows Server 2003 IIS 6 on July 14, 2015. This change has affected your software updates and security options. Learn what this means for you and how to stay protected.

Generate a Certificate Signing Request (CSR) file without removing the existing certificate on Dummy Website.

Step 1: Generation of Dummy Website:

1. Click Start > All Programs > Administrative Tools > Internet Information Services (IIS) Manager
2. Right-click Web Sites
3. Select New > Web Site
   
   
4. The Web Site Creation Wizard will open. Enter Temporary as the web site name > click Next
   
   Note: In the Wizard, simply bypass all the settings by clicking Next. However, you will need to specify a path. The directory you select is completely arbitrary and will not affect the CSR generation.  In the below example, the C:\ drive is chosen as the Home Directory
   
5. Click Finish
   
   Note: The temporary web site does not need to be started for this process.  If the web site is started, right click the temporary site and select Stop.
   

Step 2: Generation of CSR on Dummy Website:

1. Right click the temporary Dummy Website > select Properties > Directory Security > Server Certificate.
   
   
2. Select Create a New Certificate > Next > Prepare the request now, but sent it later > Next.
3. On the Name and Security Setting page perform the following.
   1. Under Name specify a friendly name for this certificate (Anything will do). This will help you identify the certificate if multiple certificates are installed.
   2. For the bit length, specify 2048.
   3. Ignore the Cryptographic service provider (CSP) for this certificate.
4. Click Next.
   
5. On the Organization Information page of the wizard specify the following.
   Note: The IIS Certificate Wizard will pre-populate the Distinguished Name fields (Organization, Organizational Unit, etc.). DO NOT accept these if they are not valid. Delete the pre-populated entry and enter the details again based on the existing certificate information contained in the Subject field.
   1. Organization: Specify the full legal name of your company.
   2. Organizational unit: Specify a sub department of your choice such as ‘Security’ or ‘IT’ in the organizational unit.
6. Click Next.
   
7. On the Your Site’s Common Name page of the wizard specify the following.
   1. Common name: Specify the domain name of your website.
      Note: Only a Fully Qualified Domain Name (FQDN) is allowed for enrollment of a CA issued certificate example www.yourdomain.com. Ip addess and internal server names do not qualify. If you are enrolling for a wildcard certificate specify a * in the domain for your certificate example *.yourdomain.com
8. Click Next.
   
9. On the Geographical Information page of the wizard specify the following.
   1. Country/Region: The Locality field is the city or town name, for example: Boston.
   2. State/Province: Spell out the state completely; do not abbreviate the state or province name, for example: California.
   3. City/locality: Use the two-letter code without punctuation for country, for example: US or CA.
10. Click Next.
    
    
11. In the Certificate Request File Name page of the wizard perform the following.
12. Click Browse…
13. Specify the name and location of where you want this CSR file to be saved. Within the contents of this file is your CSR you will copy and paste its contents into your enrollment processing form when enrolling for a CA certificate.
14. Click Next.
    
15. In the Request File Summary page of the Wizard confirm the contents of your CSR information, If everything looks good click Next.
16. Click Finish

Note: Upon completing the Certificate Wizard, it is important to leave the request pending for successful certificate installation on the website. DO NOT delete the pending request from the Certificate Wizard on the website. Doing so will prevent installation of the certificate that is returned.

Your CSR request has been created from your Server 2003 – IIS 6 system and is ready for you to copy and paste its contents into the enrollment portal.

Installation of SSL Certificate on Dummy Website, and applying it to production website.

Step 1: Picking up your SSL Certificate.

1. If you had the option of server type during enrollment and selected Microsoft you will receive a pkcs#7/.p7b version of your certificate within the email. Alternately you can access your Certificate User Portal by the supplied link in the email to pick up the pkcs#7 version of your certificate.
2. Copy the SSL certificate and make sure to copy the —–BEGIN CERTIFICATE—–
   and —–END CERTIFICATE—– header and footer Ensure there are no white spaces, extra line breaks or additional characters. Use a plain text editor such as Notepad, paste the content of the certificate and save it with extension .p7b (When performing this on a Windows system the Icon of the file should change into a certificate icon)

Step 2: Processing the pending request on the Dummy Website:

1. Open the Internet Services Manager (IIS):
2. Click Start
3. Select All Programs
4. Select Administrative Tools
5. Choose Internet Information Services (IIS) Manager
6. Under Web Sites, right-click your temporary  Dummy website and select Properties.
7. Click the Directory Security tab > Server Certificate…
   
8. The Web Site Certificate Wizard will open, click Next.
9. Choose Process the Pending Request and Install the Certificate, then click Next.
   Note: The pending request must match the response file. If you deleted the pending request in error you must generate a new CSR and replace this certificate.
   
10. Select the location of the certificate response file, and then click Next.
11. Read the summary screen to be sure that you are processing the correct certificate and then click Next.
12. Click Finish to exit the Wizard.

Step 3: Applying the certificate processed on the Dummy website to the production website:

1. Right-click on the production site and select Properties.
2. Select the Directory Security tab > Server Certificate.
   
3. On the Web Site Certificate Wizard, click Next.
4. Select Replace the current certificate and click Next.
5. Select the certificate from the list that was installed on the temporary  Dummy Website and click Finish.
6. Be sure to assign your site an SSL port (443 by default).
7. Stop and Start the Web server prior to any testing.
   Note: In some cases the changes may not take place after restarting IIS Services and a re-boot is needed.

Your Server Certificate should now be installed on your Server 2003 – IIS 6 system.

If you are unable to use these instructions for your server, Acmetek recommends that you contact either the vendor of your software or the organization that supports it.

Windows Support

For more information refer to Microsoft