IIS7, SSL and renewal woes
As this is getting a FAQ hitting my desk about once a month now, I would like to cover the Issue, give you a solution and some background data to explain what's happening. The question at hand is: I want to renew a SSL Server certificate for my IIS7 server and use the "renew..." option in the Inetmgr GUI. The resulting file is however rejected by my Certification Authority (Verisign and GoDaddy for example). Why is that and how can I solve this?
Let's start with the solution options:
1) Most people save the CSR they originally used. You can send that SAME CSR to the CA and will get a working certificate with new validity range. What is now left is that you need to get this certificate associated with the originally created keyset currently bound to your "old" (near expiry or expired) certificate. Here is how to do this using the Certificates (Local Computer) MMC:
a. Import the new certificate into the Local Computer Personal store.
b. Export the “old” certificate including the private key ( do NOT set the option to delete the private key on success!).
c. Delete the “old” certificate in the MMC
d. Use the serial number from the new certificate and run this command from an elevated cmd prompt:
certutil –repairstore my “put serial here”
e. Assign the new certificate to the IIS website.
2) Use the renew button and run this command on the resulting file:
certutil –split yourfile.csr
Now use the Blob0_1.p10 file this generates in your current directory as the CSR for your CA using the returned certificate in the inetmgr certificate management UI to complete the renewal.
3) Generate a new keyset and CSR and do the enrollment as a renewal with Verisign entering the same information as before. You can do this on a new (“dummy”) web site using the inetmgr UI (to avoid any downtime) or you can use the Certificates (Local Computer) MMC following the steps in my earlier post Creating "Wildcard" Certificate Requests for IIS using the Windows Vista/Server 2008 Certificates MMC plugin .
Here are some tidbits you might find interesting. A certificate renewal is a bit more than just a PKCS#10 (aka CSR) blob. What is done to make this verifyable (i.e. prove that you already have an acknowledged certificate) is that that old keyset+certificate is now used to sign the PKCS#10 adding the certificate chain used for that signature to the renewal request. A PKCS#7 container is used to hold all the components including the original certificate chain and the PKCS#10 CSR.
For some reason Verisign and some other CA's stopped supporting this format. My guess is that they found it easier to just allow PKCS#10 requests and do their own checks on the renewal aspects which for them has aside from the technicalities also billing aspects they want to take care of. But again: That is just my guess.
The IIS7 GUI does however default to the standard for renewal requests and by that makes it much easier to integrated with your own PKI allowing you to do real renewals using the Microsoft Certificate Services in your Enterprise scenarios. Due to the simplicity of the available steps that allow you to adapt to the deficiencies (lack of support for renewals) of some of the commercial certification authorities it was decided to not add a UI option to the relevant inetmgr code as the needed effort would be very high. Just think of the testing and distribution of shipping not only creating one binary but also at least one other MUI file per language supported by Windows.