How do I renew a certificate on Microsoft IIS 10?

Problem

How do I renew a certificate on Microsoft IIS 10?

Resolution

Previously in Internet Information Services (IIS) 6, you could easily renew an already installed certificate.  Doing this renew option kept all the same details in the certificate and created a new CSR.

In IIS 10, Microsoft has not changed the behavior of this since IIS 7 and IIS 8.5.  The renew option available to you in the SSL Certificates section of IIS issues a PKCS#7 formatted CSR that isn't recognized as valid by many CSR decoders and CA applications.  As a result of this, when a certificate needs to be renewed within IIS 10, it must be done by creating a new certificate request rather than by renewing the existing certificate. 

Below are the steps for creating a new CSR.
  1. First, you must open IIS (Internet Information Services) 10.
  2. Click on Start.
  3. Go to Windows Administrative Tools.
  4. Click on Internet Information Services (IIS) Manager from the list.
  5. In the Internet Information Services (IIS) Manager window, click on your server in the Connections pane on the left.
  6. In the middle pane, double-click on the Server Certificates Icon.
  7. In the Actions pane to the right, click on the Create Certificate Request... link.
  8. In the Request Certificate window, enter in the appropriate information into each field.  Use the guide below to help you.

    Common Name: This will be the Common Name on the certificate.  The Common Name is the Host + Domain Name.  It looks like “secure.example.com” or “example.com”.

    Organization: The legal name of your organization.

    Organizational Unit: This field is the name of the department or other group making the request.

    City/Locality: The locality field is the city or town name, for example: Hamilton or Stamford.

    State/Province: Spell out the state completely; do not abbreviate the parish, state or province name, for example: Pembroke of Connecticut.

    Country/region: Use the two-letter code of your country without punctuation, for example: BM or UK or CH.

  9. Once you have finished entering in the required information, click on the Next button.
  10. Leave the Cryptographic server provider: as default (Microsoft RSA SChannel Cryptographic Provider).
  11. Select a Bit length of 2048 bit or higher.  Click on the Next button.
  12. At the File Name screen, click on the ... button and specify a location to save the CSR.  After saving the CSR, click on the Finish button.
  13. Browse to the location where you saved your CSR, open it and submit it to the QuoVadis Trust/Link Portal.

Add Feedback