IIS7 SSL Certificate Renewal

So today I got an email from VeriSign informing me that our SSL certificate will expire in 25 days. So I followed company protocol and created a new Purchase Order and had it all authorised.

I then went into IIS7 selected the server name on the left and then 'Server Certificates' on the right. I selected the certificate in question and in the Actions column on the right, clicked 'Renew...'. This generated me a nice CSR, which was a lot longer than I was used to, but thought nothing of it.

On VeriSign's website (having signed in) I clicked the Renew button next to the certificate I was wanting to renew and selected the relevant certificate type etc. I then got to the page on VeriSign's website where I pasted in my CSR text. This is where the 'fun' began. VeriSign's website told me this wasn't a valid CSR for renewing this certificate.... Wait! WHAT?!

The renew option I had used in IIS7 just asked me for a file to dump the CSR out to, so I couldn't see that I had done something wrong.

A quick Google search returned this site where Rick Strahl had similar issues but got around them by basically ordering a new certificate rather than a renewal.

Thankfully someone in his comments pasted a link to this site where they solved the issue like this:

  1. open command-prompt
  2. change directories to the directory that contains the .csr file IIS7 gave you.
  3. run these commands:

         certutil -split <yourfile.csr>
         certutil -encode Blob0_1.p10 <youroutputfile.csr>

  4. on your CA's website paste the contents of <youroutputfile.csr> into the relevant area.

I hope this helps someone else avoid the pain IIS causes here.

Neil

UPDATE:

So VeriSign eventually sent me the certificate to put onto our web server. I attempted to complete the certificate process but it wouldn't let me. It managed to import the certificate even though I got an error message, but the imported certificate didn't have a Private Key.

A quick Google search revealed that if I ran the following command it would fix this issue, which it did:

certutil -repairstore my <certificate-thumbprint>

However, my problems didn't end there! In IIS7 the certificate was showing, with the correct details (i.e. Expiration date), but when I tried to set the HTTPS binding for the website to use the new certificate it gave me the following error: "A specified logon session does not exist. It may already have been terminated."
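The CSR conversion from the steps above and the private-key repair from this update, wrapped into one PowerShell script with the checks I would want before touching the HTTPS binding. This is an added example, not code from the original post; the function names are my own and the thumbprint is a placeholder.

```powershell
# Added example: turn the CSR written by the IIS7 'Renew...' action into a plain
# PKCS#10 request, then (after the issued certificate is imported) confirm the
# private key is attached before creating the HTTPS binding. Function names are hypothetical.

function Convert-IisRenewalCsr {
    param(
        [Parameter(Mandatory)] [string] $RenewalCsr,   # file written by IIS7 'Renew...'
        [Parameter(Mandatory)] [string] $OutputCsr     # plain CSR to paste on the CA site
    )
    Push-Location (Split-Path -Parent (Resolve-Path $RenewalCsr))
    try {
        # certutil -split writes each embedded ASN.1 element to BlobN_M.* files;
        # Blob0_1.p10 is the PKCS#10 request nested inside the renewal request.
        Remove-Item 'Blob0_1.p10' -ErrorAction SilentlyContinue
        certutil -split (Split-Path -Leaf $RenewalCsr) | Out-Null
        if (-not (Test-Path 'Blob0_1.p10')) {
            throw "certutil -split did not produce Blob0_1.p10; is $RenewalCsr really a renewal request?"
        }
        # -f overwrites an existing output file instead of failing
        certutil -f -encode 'Blob0_1.p10' $OutputCsr | Out-Null
        # Sanity check: the result should dump as a certificate request, not a PKCS#7 wrapper.
        certutil -dump $OutputCsr
    }
    finally { Pop-Location }
}

function Test-ImportedCertificateKey {
    param([Parameter(Mandatory)] [string] $Thumbprint)  # thumbprint of the issued certificate
    # Re-associate the certificate with its private key (the repair step from the post),
    # then verify the key is present before the binding is changed.
    certutil -repairstore my $Thumbprint | Out-Null
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert)               { throw "Certificate $Thumbprint not found in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key; the HTTPS binding will fail" }
    return $cert
}

# Usage (paths and thumbprint are placeholders):
# Convert-IisRenewalCsr -RenewalCsr 'C:\certs\renewal.csr' -OutputCsr 'C:\certs\plain.csr'
# Test-ImportedCertificateKey -Thumbprint '<CERTIFICATE-THUMBPRINT>'
```

Run it from an elevated PowerShell prompt on the IIS server, since certutil -repairstore and the LocalMachine store need administrative rights.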

Further Google searches revealed there were plenty of people seeing this error, but none of them could provide a solution to my problem as they were having a slightly different scenario. In the end I had to call VeriSign (who weren't much help) but in the end I just used the VeriSign website to "Revoke & Renew" the certificate with a brand new CSR. With only days left till it runs out, I hope they can get me the new certificate in time!

The fact that I had so many problems performing a simple certificate renewal (something I'd done many times before with IIS6) leaves me dreading the next certificate expiration. I think I'll just create a new CSR and totally ignore trying to renew the existing certificate.... :(
