SSL Certificate Renewal for IIS 5 or IIS 6 without Any Downtime

If using the IIS 5/6 user interface to renew your SSL certificate, the best way to renew a certificate without any downtime is to generate a CSR with the desired details for a second website on the same server. The website should not be a publicly accessible site, and you can create it specifically for this purpose. You do not need to create a functional site. As long as you make a site, the site details do not matter.

Renewal Steps:

  • Create the CSR.

  • Submit it to DigiCert.

  • Receive certificate file.

  • Install your certificate to the server/website from which the CSR was generated.

  • On the original website, replace the current certificate with the new certificate.

For a much simpler way of renewing your SSL Certificate for IIS 5/6 without any downtime, you can use the DigiCert® Certificate Utility for Windows. See Renewing Microsoft IIS 5.x/6.x SSL Certificates.

Create a New Site and Generate a CSR.

Best practices are to generate a new certificate signing request (CSR) when renewing your SSL certificate.

  1. On the server with IIS 5/6 installed, right-click on My Computer, click Services and Applications and expand Internet Information Services.

  2. Right-click the Web Sites folder, then select New and choose Web Site. Then click next.

  3. Create a name for the website (e.g. Dummy Site), then choose Next.

  4. Leave the IP address as All Unassigned for your site and click Next.

  5. For Path, pick any folder that would serve content for this site (this won't matter since this website won't ever be live) and choose Next.

  6. On the next screen for website permissions leave everything as the default values and click Next then Finish.

  7. Right-click on the Dummy Site you created, and select Properties. Click the tab labeled Directory Security, click the Server Certificate button, and click next.

    IIS Server Certificate

  8. Choose Create a new certificate and click next.

  9. Choose to Prepare the request now, but send it later and hit next.

  10. Next, enter a name for this certificate to distinguish this certificate from all other certificates installed on your server. For Bit Length choose 2048. Leave the two boxes unchecked and click Next.

    IIS Renewal CSR Details

  11. Enter the following for each field: Organization: Your company/organization's full legal name. Organization Unit: Enter your department, or if you don't have one enter something such as 'Security' or 'IT'.

  12. For common name, enter the fully qualified domain name you are securing (e.g. www.yourdomain.com).

    IIS Renewal CSR Common Name

  13. Enter the location of your organization: Country, State, and City.
    If your country doesn't use states or provinces, enter your city for the State.

  14. Save your SSL Certificate Signing Request (CSR). The file should be saved as a text file (.txt)

  15. Click Next to generate the file and then, click Finish.

    IIS Renewal CSR Pending Request Summary

Renew Your SSL Certificate

Renew your SSL certificate from inside your DigiCert CertCentral account.

Are you new to the DigiCert team? You can "replace" your certificate with a DigiCert certificate. Order your new certificate here - Purchase Your DigiCert Certificate.

  1. Log into your CertCentral account.

  2. In CertCentral, in the left main menu, click Certificates > Expiring Certificates.

  3. On the Expiring Certificates page, next to the certificate you want to renew, click Renew Now.

    A certificate doesn't appear on the Expiring Certificates page until 90 days before it expires.

  4. Follow the instructions provided inside your account to renew your SSL certificate.

  5. Add your CSR

    When renewing the certificate, you'll need to include a CSR. On the "Renewal" page, under Certificate Settings, upload the CSR file you saved to the server.

    You can also use a text editor (such as Notepad) to open the file. Then, copy the text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, and paste it in the Add Your CSR box.

  6. After you place the order to renew your certificate, DigiCert verifies your information.

  7. If we need any additional information, we will promptly contact you by phone or email. If no additional information is required, we will most likely issue your certificate within an hour.

Install the SSL Certificate in IIS then Remove the Dummy Site

  1. Open Internet Information Services (IIS) Right-click on the Dummy Site you created and choose Properties.

  2. Go to the Directory Security tab, click Server Certificate, and click Next.

  3. Choose Process the pending request and install the certificate and choose Next.

  4. Browse to your SSL Certificate (your_domain_com.cer) then click Next. Follow the rest of the wizard steps until finished.

    The SSL certificate should now be installed to your server.

  5. Now, right-click on the Dummy Site you created and then, click Delete.

  6. Now, right-click on your original website with the expiring certificate, and go to the Directory Security tab and click Server Certificate.

  7. Click the option to Replace the current certificate and choose the certificate that you just installed to the server.

IIS 5 & 6 SSL Certificates, Guides, & Tutorials

Buy Now Learn More

Troubleshooting:

  1. For SSL certificate errors please try Windows SSL Management Tool.

  2. If your web site is externally accessible, you can enter the name having problems into the SSL Cert Tester tool to help you diagnose common problems.

  3. For instructions about other various certificate tasks, please see the Common Certificate Tasks page.

SSL Certificates for Microsoft Internet Information Server 6

How to install your SSL Digital Certificate to Windows Server 2003.

Related Links

SSL Certificates

SSL Support