IIS 5/6 Renewal Without Downtime
Note that this issue was resolved in IIS 7. For instructions on renewing IIS 7 certificates, see our IIS 7 CSR creation instructions.
Server administrators frequently have problems with downtime when they change the details of an existing certificate in Microsoft IIS 5/6. When you generate a CSR in IIS for an unsecured website, you can either create a new certificate or assign/import an existing certificate. However, once a website is secured, you can only renew, remove, or replace the existing certificate. Though renewing the certificate will generate a new CSR, it only allows you to create a request that is identical to the current certificate. None of the certificate details can be changed.
The most common way of dealing with this is to remove the existing certificate, restart the wizard, and choose the option to create a new certificate. This allows you to change the details of the certificate. However, this leaves the website unsecured or unavailable (sometimes for only a few minutes, but potentially several hours or even several days) until a new certificate is issued.
Workaround
The best workaround is to generate a CSR with the desired details from a second website on the same server. The website should not be a publicly accessible site, and can be created specifically for this purpose—you do not need to make a functional site. As long as you make a site, the site details do not matter.
After creating the CSR, submit it to DigiCert. Once you receive the certificate file back, use our IIS SSL installation instructions to install your certificate to the website from which the CSR was generated. Then, go to the original website's properties and navigate to Directory Security > Server Certificate. Select the option to assign an existing certificate to transfer the new certificate to the original website.