Entrust Certificate Services Support Knowledge Base
Audience: General
Last Modified: 2010-07-15 10:06:48.0
TN 7902 - What are the steps to create a new CSR while another certificate is currently installed?
Problem:
The certificate renewal option within IIS does not allow the user to provide the key bit length or distinguished name (DN) information.
Cause:
When renewing a certificate, IIS will generate a CSR identical to the original request. You may want to change this information in the following circumstances:
- You are renewing a certificate and you need to change the distinguished name (DN) information in your CSR.
- You are renewing a certificate and you need to change the key bit length of your CSR.
- You are renewing a certificate with Entrust that was originally issued by another Certification Authority (CA).
Solution:
In order to make changes to your original request, you must create a temporary Web site in IIS and use it to generate the CSR. Follow the procedures below.
Part 1 - Generate the Certificate Signing Request from a Temporary Web Site
- Launch the Internet Services Manager:
Select Start > All Programs > Administrative Tools > Internet Information Services.
- Right-click the Web Sites folder in the left preview pane. Select New, and then Web Site.

- The Web Site Creation Wizard appears. Click Next.
- Provide a description for the web site and click Next.

- Enter a dummy IP address (e.g. 1.1.1.1) for the web site. Keep the default TCP Port and Host Header settings. Click Next.
- Supply a path for the Web site home directory and click Next.

- Click Next to accept the default Web Site Access Permissions.

- Click Finish to complete the Web Site Creation Wizard.

- Your new Web site now appears in the IIS Manager window under Web Sites. Right-click the Web site and select Properties.

- Click the Directory Security tab, and click Server Certificate.

- The Certificate Wizard appears. Click Next.
- Select Create a new certificate and click Next.

- Select Prepare the request now, but send it later and click Next.

- Supply a friendly name for your certificate. Choose a bit-length of 2048 and click Next.

- Supply the name of your company or organization in the field provided. If relevant, supply the name of your division or department in the Organizational Unit field provided. Click Next.

- Supply the Common Name of your Web server in the field provided. This name must match the fully qualified domain name on the certificate being renewed. Click Next.

- Supply a Country/Region, State/province and City/locality. Click Next.

- Supply a File name in which to save your Certificate Signing Request (CSR) and click Next.

- Review the Request File Summary, then click Next to generate the file.

- Click Finish to complete the Certificate Wizard.
- Use the CSR you have generated (certreq.txt) to submit the renewal request to Entrust.
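A pre-submission check for the request produced in Part 1, added here as an example (not Entrust's or Microsoft's code): it reads a PEM request such as certreq.txt and reports whether the Common Name and RSA key length are what you intended. The function names, `www.example.com` and the unsigned sample request built by `sample_csr` are assumptions constructed for illustration.

```python
import base64

CN_OID = bytes([0x55, 0x04, 0x03])  # 2.5.4.3 commonName

def der(tag, body):  # encode one DER TLV; only used to build the sample
    n = len(body)
    size = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size) if size else n]) + size + body

def items(buf):  # split a DER buffer into (tag, value) pairs
    out, pos = [], 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:  # long form: low 7 bits count the length bytes
            n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
        if pos + n > len(buf):
            raise ValueError("truncated DER")
        out.append((tag, buf[pos:pos + n]))
        pos += n
    return out

def check_csr(text, expected_cn, min_bits=2048):
    # Return problems to fix before submitting; an empty list means OK.
    lines = [l.strip() for l in text.splitlines()]
    raw = base64.b64decode("".join(l for l in lines if not l.startswith("-----")))
    info = items(items(raw)[0][1])[0][1]  # CertificationRequestInfo
    _ver, subject, spki = [v for _, v in items(info)[:3]]
    cn, bad = None, []
    for _, rdn in items(subject):
        for _, atv in items(rdn):
            (_, oid), (vtag, val) = items(atv)[:2]
            if oid == CN_OID:  # tag 0x1E is BMPString (UTF-16)
                cn = val.decode("utf-16-be" if vtag == 0x1E else "utf-8")
    rsa = items(items(spki)[1][1][1:])[0][1]  # assumes an RSA key
    bits = int.from_bytes(items(rsa)[0][1], "big").bit_length()
    if (cn or "").lower() != expected_cn.lower():
        bad.append(f"CN {cn!r} does not match {expected_cn!r}")
    if bits < min_bits:
        bad.append(f"key is {bits} bits, need at least {min_bits}")
    return bad

def sample_csr(cn, bits):
    # Constructed, unsigned stand-in for certreq.txt (fake modulus, no real key).
    rsa = der(0x30, der(0x02, b"\x00" + b"\xC5" * (bits // 8)) + der(0x02, b"\x01\x00\x01"))
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    name = der(0x30, der(0x31, der(0x30, der(0x06, CN_OID) + der(0x13, cn.encode()))))
    info = der(0x30, der(0x02, b"\x00") + name + der(0x30, alg + der(0x03, b"\x00" + rsa)))
    b64 = base64.encodebytes(der(0x30, info)).decode()
    return f"-----BEGIN NEW CERTIFICATE REQUEST-----\n{b64}-----END NEW CERTIFICATE REQUEST-----\n"
```

To check a real request, pass the contents of certreq.txt and the fully qualified domain name from the certificate being renewed to `check_csr`.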
Part 2 - Install the new certificate
After receiving the new certificate from Entrust, follow the steps below to install it on the Web server:
- Copy and paste the Server Certificate (including the BEGIN and END tags) into a text editor such as Notepad and save it on your server.

- Launch the Internet Services Manager:
Select Start > All Programs > Administrative Tools > Internet Information Services.
- Right-click the temporary Web site from the left preview pane and select Properties.

- Click the Directory Security tab, and click Server Certificate.

- The Certificate Wizard appears. Click Next.
- Select Process the pending request and install the certificate and click Next.

- Browse to the location of your Server Certificate file and click Next.

- Specify SSL port 443 and click Next.

- Review the Certificate Summary, then click Next to install the certificate.

- Click Finish to complete the certificate installation on the temporary Web site.
- In the left preview pane of the IIS Manager window, locate the Web site that has the original server certificate. Right-click this web site and select Properties.

- Click the Directory Security tab, and select Server Certificate.

- The Certificate Wizard appears. Click Next.
- Select Replace the current certificate and click Next.

- From the list of available certificates, select the certificate installed to the temporary Web site and click Next.

- Review the Certificate Summary, then click Next to install the certificate.

- Click Finish to complete the certificate installation.

- You can now delete the temporary Web site because it is no longer needed. Removing the temporary site will not affect your new certificate.

Affected Products:
- Entrust Certificate Services 1 Year Advantage SSL Certificate (Version: Not Applicable; Language: Not Applicable; Platform: Not Applicable)