Entrust Certificate Services Support Knowledge Base

Audience: General
Last Modified: 2009-10-21 09:49:06.0

TN 7902 - How do I create a new CSR in IIS without removing the existing certificate?

Question
How do I create a new certificate signing request (CSR) in Microsoft Internet Information Services (IIS) without removing the existing certificate?

Answer
You want to create a new CSR without removing the existing certificates in the following situations:
 -  You are renewing a certificate and you need to change the distinguished name (DN) information in your CSR and you are only given the option in IIS to renew the current certificate, which will generate a CSR identical to the original request.
 - You are renewing a certificate and you need to change the key bit length on your CSR.
 - You are renewing a certificate with Entrust that was originally issued by another third-party Certification Authority (CA).

In order to use the option in IIS to create a new CSR and make changes to your original request, you can use the following workaround to to create a temporary Web site in IIS.

To create a temporary Web site
1. Launch Internet Information Services from Start > Programs > Administrative Tools.
2. Right-click the default Web site, click New, and then click Site.
3. Create a new site and give it a temporary name.
4. Right-click on the new site, click Properties, click the Directory Security tab, and then click the Server certificate button.
5. Run the wizard and select Create new certificate and follow the wizard to create a new CSR.
6. When prompted, select Prepare the request now but send it later.
7. Complete the wizard and fill in all of the required fields for the CSR. You will be able to make any required changes at this point.
8. Use the CSR that you just created to request a new certificate.
Once you have received your new certificate, you can install it on the server

To install the new certificate
1. Right-click the temporary site that you used to create the CSR.
2. Click Properties, click the Directory Security tab, click the Server certificate button, and then click Next.
3. Follow the wizard. When prompted, select Process the pending request. Browse to your new Entrust .cer or .crt file and select this file.
4. Finish the wizard.
5. Right-click on your production Web site and choose Properties.
6. Click on Directory Security and then the Server Certificate button.
7. Run the wizard and choose Replace current Certificate or Assign an existing certificate (which ever option is available).
    If your current certificate has expired, please remove the certificate and restart the wizard. Choose the option to Assign an existing certificate.
8. Finish the wizard.
9. Double check the new certificate on the actual site by clicking the View Certificate under Directory Security. It should show the new certificate.
10. Once the new certificate has been verified, you can delete the temporary site that was created.