Renew a custom IIS Certificate that is about to expire, without affecting clients
A custom (non paid) certificate is about to expiry and you are afraid that your web clients won’t be able to login, or have problems logging in due to that certificate expiration?
A great example of this would be OWA (outlook web access) certificates renewal.
1.Go to your IIS web server.
2.Right Click on the website having the expiring certificate and click properties
3.Click on Directory Security tab and then on Server Certificate and click next
4.Click on Renew the current Certificate and then Prepare the request now, but send it later.
5.The wizard will save the Certificate request on a file on your drive (c:\certreq.txt)
6.After the wizard finishes you should fire up your certificate authority web site. IE is recommended for this job!
This should look like this.
7.Click on Request a Certificate link and then on “advanced certificate request”
8.Click on the second link saying:
Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
Browse for a file to insert (take the file you created on your certificate request back on step 5). If your IE has its security settings enabled then you may just copy and paste the contents of the txt file created on step 5.
REMEMBER!!! Certificate template should be “Web Server”
Click on submit on your bottom right.
9.Download the certificate created and in case you need it in the future its chain as well.
10.Go back to your IIS that waits for the renewal. Do again steps 2 and 3 in order to go back to Security>Certificates configuration.
11.This time the server waits for the certificate you created and downloaded on step 9.
12.Proceed with submiting the certificate.
13.Export the certificate in pfx format directly from your IIS using the appropriate button on your Certificate Wizard. You will need this in order to publish this certificate again on your firewall/ISA/TMG
Now there is a case that in front of your web server you have an ISA or other Firewall to initially do the “talking” with your external clients. Therefore you need to install this certificate (step 13) to the “talker”
In case of an ISA/TMG:
14.Launch mmc>Add Certificates>LOCAL COMPUTER
15.Remove all old expiring certs from your Personal Directory
16.Import new pfx file (step 13)
17.Check your rule in OWA Publish in SSL/https Web listener –change Certificate.
Have a nice day 🙂