Step-by-Step Guide: How to Replace an SSL Certificate in IIS (Generate CSR & Install)



Is your website’s SSL certificate nearing its expiration date? Or perhaps you need to upgrade your certificate for enhanced validation? Replacing an SSL certificate in Microsoft’s Internet Information Services (IIS) is a common but critical task for maintaining website security and user trust. This process involves more than just swapping files; it typically requires you to create an SSL certificate signing request (CSR) for the new certificate before you can perform the IIS Replace Certificate operation.

Ignoring an expiring certificate can lead to browser warnings, loss of visitor trust, and potential SEO penalties. This guide provides a clear, step-by-step process for replacing your SSL certificate in IIS, from generating the necessary CSR to binding the new certificate to your site.

Key Takeaways

  • Replacement is Essential: Replacing expiring or outdated SSL certificates is crucial for uninterrupted HTTPS security and avoiding browser warnings.
  • New CSR Usually Needed: Replacing a certificate typically involves generating a new Certificate Signing Request (CSR) on your IIS server first. This is the “create SSL cert request” part of the process.
  • Intermediate Certificates: Don’t forget to download and install the intermediate certificates provided by your Certificate Authority (CA).
  • IIS Steps: The process involves generating the CSR, obtaining the new certificate, installing intermediates, completing the request in IIS, and finally, binding the new certificate to your website.
  • Verification: Always verify the installation using browser checks and online tools after replacement.

Why Replace Your IIS SSL Certificate?

There are several common reasons why you might need to perform an IIS Replace Certificate operation:

  1. Expiration: The most frequent reason. SSL certificates have finite validity periods (currently maxing out around 398 days, per the CA/Browser Forum Baseline Requirements), requiring periodic replacement.
  2. Security Upgrade: Moving from a Domain Validated (DV) certificate to an Organization Validated (OV) or Extended Validation (EV) certificate for increased trust signals.
  3. Changing Certificate Details: If key information associated with the certificate changes (though this might sometimes warrant a completely new setup rather than just replacement).
  4. Key Compromise: If you suspect the private key associated with the current certificate has been compromised, immediate replacement with a new key pair is vital.
  5. Standard Algorithm Update: To upgrade to stronger signature algorithms or key lengths mandated by security best practices.

Step 1: Generate a New CSR in IIS (Create SSL Cert Request)

Before you can get your new certificate, you usually need to generate a new CSR. This request contains your server’s public key and identifying information. Generating a new CSR ensures you also create a fresh, unique private key for the new certificate, which is a security best practice.

  1. Open IIS Manager.
  2. Click on the server name in the Connections pane on the left.
  3. In the center pane, double-click on Server Certificates.
  4. In the Actions pane on the right, click Create Certificate Request….
  5. Fill in the Distinguished Name Properties accurately:
    • Common Name (CN): Your fully qualified domain name (e.g., www.yourdomain.com or yourdomain.com). This must match exactly what you want to secure.
    • Organization (O): Your legal company name.
    • Organizational Unit (OU): Your department (e.g., IT, Web Security).
    • City/locality (L): Your city.
    • State/province (S): Your state or province (do not abbreviate).
    • Country/region (C): Your two-letter country code (e.g., US, GB, CA).
  6. Click Next.
  7. On the Cryptographic Service Provider Properties screen, leave the default provider (Microsoft RSA SChannel Cryptographic Provider) unless you have specific requirements.
  8. Select a Bit length of 2048 or higher (2048 is the current standard).
  9. Click Next.
  10. Specify a file name and location to save your CSR file (e.g., C:\CSRs\yourdomain_com.csr.txt). Click Finish.

You now have the CSR text file needed for the next step. Keep the private key associated with this request secure – IIS manages it automatically in the background at this stage.
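The same request can be produced from the command line with certreq.exe, which is useful when the CSR must be scripted or reviewed before it is sent to the CA. The following is an added example and not code from the original guide; the distinguished-name values, host names and the C:\CSRs path are placeholders, and the script must run in an elevated PowerShell prompt because the key is created in the Local Computer key store (the store IIS reads). It goes beyond the dialog in one respect: it adds a Subject Alternative Name extension listing every host name, since browsers validate the SAN rather than the Common Name.

```powershell
# Added example (not from the original article): generate the Step 1 CSR with certreq.exe.
# Assumed placeholders: DN fields, host names, C:\CSRs.
$csrDir  = 'C:\CSRs'
$infPath = Join-Path $csrDir 'yourdomain_com.inf'
$csrPath = Join-Path $csrDir 'yourdomain_com.csr.txt'
New-Item -ItemType Directory -Path $csrDir -Force | Out-Null

# The INF mirrors the IIS Manager dialog: same provider, 2048-bit RSA, SHA-256.
# MachineKeySet=TRUE puts the private key in the Local Computer store; Exportable=FALSE
# means the new key cannot later be pulled off the server as a PFX.
@'
[NewRequest]
Subject = "CN=www.yourdomain.com, O=Your Company Ltd, OU=IT, L=London, S=Greater London, C=GB"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10
; 0xA0 = digitalSignature + keyEncipherment
KeyUsage = 0xA0

[EnhancedKeyUsageExtension]
; serverAuth
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; Subject Alternative Name: list every host name the certificate must cover
2.5.29.17 = "{text}"
_continue_ = "dns=www.yourdomain.com&"
_continue_ = "dns=yourdomain.com"
'@ | Set-Content -Path $infPath -Encoding ASCII

# Create the key pair and the PKCS#10 request file
certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Check: the pending request and its private key now sit in the Local Computer
# "Certificate Enrollment Requests" store; this is what Step 4 will pair with the CA's file.
Get-ChildItem Cert:\LocalMachine\REQUEST |
    Where-Object { $_.Subject -like '*www.yourdomain.com*' } |
    Select-Object Subject, HasPrivateKey, Thumbprint

# The text to paste into the CA's order form (includes the BEGIN/END lines)
Get-Content $csrPath
```

If the check prints nothing, the request was created in the current user's store rather than the machine store (MachineKeySet missing or the prompt not elevated) and IIS will not be able to complete it later.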

Step 2: Obtain Your New SSL Certificate

Use the contents of the generated CSR file to order your replacement SSL certificate from a trusted Certificate Authority like SSLRepo.

  1. Copy the entire text from the CSR file, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.
  2. Go to your CA’s website (e.g., SSLRepo.com) and choose the desired SSL certificate type.
  3. Paste the CSR during the ordering process.
  4. Complete the necessary domain and potentially organization validation steps required by the CA.
  5. Once validation is complete, the CA will issue your new certificate files (usually a .cer or .crt file) and the necessary Intermediate CA certificates.

Step 3: Download and Install Intermediate Certificates

Before installing your primary certificate, install the intermediate(s). This ensures the browser can trace the trust chain back to a root CA.

  1. Download the intermediate certificate bundle provided by your CA (often a .ca-bundle, .p7b, or separate .crt files).
  2. Open the Microsoft Management Console (MMC): Press Win + R, type mmc, press Enter.
  3. Go to File > Add/Remove Snap-in….
  4. Select Certificates, click Add >.
  5. Choose Computer account, click Next, then Finish, then OK.
  6. In MMC, expand Certificates (Local Computer) > Intermediate Certification Authorities > Certificates.
  7. Right-click on Certificates folder > All Tasks > Import….
  8. Follow the Certificate Import Wizard, browsing to your downloaded intermediate certificate file(s). Place them in the Intermediate Certification Authorities store.

Step 4: Complete the Certificate Request in IIS

Now, pair the certificate file you received from the CA with the pending private key generated in Step 1.

  1. Go back to IIS Manager > Server Certificates.
  2. In the Actions pane, click Complete Certificate Request….
  3. Browse to the certificate file (.cer, .crt) you received from the CA.
  4. Enter a Friendly name. This is for your reference in IIS (e.g., yourdomain.com_2025_exp). Choose something easily identifiable.
  5. Select the Personal certificate store.
  6. Click OK. Your new certificate should now appear in the Server Certificates list.

Troubleshooting Note: If you get an error about the request or private key missing, it might mean you’re trying to complete the request on a different server than where the CSR was generated, or the original request was somehow deleted. You might need to re-issue the certificate with a new CSR or import a PFX file if you have one.
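Steps 3 and 4, together with the check behind the troubleshooting note above, can be done in one PowerShell session. This is an added example, not code from the original guide; the file names under C:\CSRs, the subject name and the friendly name are placeholders, and the script assumes the CSR was generated on this same server (otherwise certreq -accept has no pending request to pair with).

```powershell
# Added example (not from the original article): install intermediates, complete the
# request, and confirm the private key pairing and the chain. Placeholders: paths, names.
$intermediateFile = 'C:\CSRs\intermediate.crt'        # the CA's intermediate bundle
$issuedCertFile   = 'C:\CSRs\www_yourdomain_com.crt'  # the issued certificate from the CA

# Step 3: Cert:\LocalMachine\CA is the Local Computer "Intermediate Certification Authorities" store
Import-Certificate -FilePath $intermediateFile -CertStoreLocation Cert:\LocalMachine\CA |
    Select-Object Subject, NotAfter, Thumbprint

# Step 4: certreq -accept matches the issued certificate to the pending request by public key
# and moves it, paired with its private key, into the Personal (My) store.
certreq.exe -accept $issuedCertFile
if ($LASTEXITCODE -ne 0) {
    throw "certreq -accept failed ($LASTEXITCODE): was the CSR generated on this server?"
}

# Find the newly completed certificate and set the friendly name the IIS dialog asks for
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=www.yourdomain.com*' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'Certificate not found in Cert:\LocalMachine\My after completion' }
$cert.FriendlyName = 'yourdomain.com_2025_exp'

# Check 1: without a private key the certificate never appears in the IIS bindings dropdown
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; re-issue with a new CSR or import a PFX"
}

# Check 2: the chain must build from the leaf through the imported intermediate(s) to a trusted root.
# Revocation checking is disabled here because only the chain shape is being tested.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw "Chain does not build for $($cert.Thumbprint): an intermediate is missing or wrong"
}
# Prints leaf, intermediate(s), root in order
$chain.ChainElements | ForEach-Object { $_.Certificate.Subject }
```

A chain that builds here but that clients still reject usually means the server sends only the leaf; re-check that the intermediate was imported into the Local Computer store, not the current user's.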

Step 5: Bind the New Certificate to Your Website

The final step is to tell IIS to use the new certificate for your website’s HTTPS traffic.

  1. In IIS Manager, expand Sites and select the website you want to secure.
  2. In the Actions pane, click Bindings….
  3. Select the existing https binding for port 443.
  4. Click Edit….
  5. In the SSL certificate dropdown, select the new certificate using the Friendly name you assigned in Step 4. Ensure the correct hostname is specified if using SNI (Server Name Indication, which lets one IP address serve multiple certificates).
  6. Click OK, then Close.

IIS will now start using the new certificate for HTTPS connections to that site. A restart of the website or IIS service is generally not required but may sometimes help if changes don’t take effect immediately.
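The binding change can also be made with the WebAdministration module, which lets you refuse to bind anything that is not usable before touching the live site. This is an added example and not code from the original guide; the site name, host name and thumbprint are placeholders.

```powershell
# Added example (not from the original article): Step 5 scripted. Placeholders: site, host, thumbprint.
Import-Module WebAdministration

$siteName   = 'Default Web Site'
$hostName   = 'www.yourdomain.com'
$thumbprint = 'PASTE-NEW-CERT-THUMBPRINT-HERE'

# Guard rails: the certificate must be in Personal, have its private key, and be valid now
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumbprint
if (-not $cert)                    { throw "No certificate $thumbprint in Cert:\LocalMachine\My" }
if (-not $cert.HasPrivateKey)      { throw 'Certificate has no private key; IIS cannot serve it' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }
if ($cert.NotBefore -gt (Get-Date)) { throw "Certificate is not valid until $($cert.NotBefore)" }

# Locate the existing https binding for this host; create an SNI binding (SslFlags 1) if none exists
$binding = Get-WebBinding -Name $siteName -Protocol https -HostHeader $hostName
if (-not $binding) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName -SslFlags 1
    $binding = Get-WebBinding -Name $siteName -Protocol https -HostHeader $hostName
}

# Swap the certificate on the binding; 'my' is the Personal store. No site restart is needed.
$binding.AddSslCertificate($thumbprint, 'my')

# Verify from two angles: what IIS has configured, and what http.sys is actually serving
Get-WebBinding -Name $siteName -Protocol https |
    Select-Object bindingInformation, certificateHash, certificateStoreName
netsh http show sslcert hostnameport="${hostName}:443"
```

The netsh line is the authoritative view: if the certificate hash it prints is still the old one, the change was written to applicationHost.config but not applied to http.sys, and recreating the binding is the usual fix.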

Step 6: Verify the Installation

Always test the replacement:

  • Open your website in multiple browsers using https://. Check for padlock icons and certificate details (issuer, validity dates).
  • Use an online SSL checker tool (like SSL Labs SSL Test) to get a detailed analysis of your certificate installation, including the chain.
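An online checker only sees what is reachable from the internet; for an internal host, or to confirm the change before DNS or a load balancer points at the server, the same facts can be read directly from the TLS handshake. The function below is an added example, not part of the original guide; the host name is a placeholder, and it runs from any Windows machine with network access to port 443.

```powershell
# Added example (not from the original article): Step 6 as a scripted check.
# Connects with SNI, then reports what a browser would see. Placeholder: host name.
function Test-SiteCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever the server presents during the handshake; the chain is judged separately below
        $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)     # $HostName is sent as the SNI name

        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Build the chain with this machine's trust store and normal revocation checking
        $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($remote)

        # Subject Alternative Name text, e.g. "DNS Name=www.yourdomain.com, DNS Name=yourdomain.com"
        $san = $remote.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
               ForEach-Object { $_.Format($false) }

        [pscustomobject]@{
            Host          = $HostName
            Protocol      = $ssl.SslProtocol
            Subject       = $remote.Subject
            Issuer        = $remote.Issuer
            SAN           = $san
            NotAfter      = $remote.NotAfter
            DaysRemaining = [int]($remote.NotAfter - (Get-Date)).TotalDays
            Thumbprint    = $remote.Thumbprint
            ChainBuilds   = $chainOk
            ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

# Usage: compare Thumbprint with the certificate you bound in Step 5, and expect ChainBuilds = True
Test-SiteCertificate -HostName 'www.yourdomain.com' | Format-List
```

A result where Thumbprint is the new certificate but ChainBuilds is False with PartialChain in ChainStatus points back to Step 3: the intermediate is not being sent.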

Step 7: Remove the Old Certificate (Optional)

Once you’ve confirmed the new certificate is working correctly, you can remove the old, expired certificate from IIS to keep things tidy:

  1. Go to IIS Manager > Server Certificates.
  2. Select the old certificate.
  3. In the Actions pane, click Remove. Be absolutely sure it’s the correct certificate and not being used by another site or application.
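The “be absolutely sure” check in step 3 can be made mechanical: enumerate every HTTPS binding on the server, plus the http.sys SSL bindings that non-IIS services may hold, and refuse to delete the certificate while anything still references it. This is an added example, not code from the original guide; the old certificate’s thumbprint is a placeholder.

```powershell
# Added example (not from the original article): Step 7 with a safety check. Placeholder: thumbprint.
Import-Module WebAdministration
$oldThumbprint = 'PASTE-OLD-CERT-THUMBPRINT-HERE'

# Every https binding, across all IIS sites, that still points at the old certificate
$stillUsed = Get-ChildItem IIS:\Sites | ForEach-Object {
    $site = $_.Name
    Get-WebBinding -Name $site -Protocol https |
        Where-Object { $_.certificateHash -eq $oldThumbprint } |
        Select-Object @{ n = 'Site'; e = { $site } }, bindingInformation, certificateHash
}

# http.sys can also hold SSL bindings owned by services other than IIS (Select-String is case-insensitive)
$httpSys = netsh http show sslcert | Select-String -Pattern $oldThumbprint

if ($stillUsed -or $httpSys) {
    $stillUsed | Format-Table -AutoSize
    $httpSys
    throw "Old certificate $oldThumbprint is still bound somewhere; rebind those first"
}

# Nothing references it: remove it from the Personal store, which is what Remove in IIS Manager does
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object Thumbprint -eq $oldThumbprint |
    Remove-Item -Verbose
```

Keep the private key of the removed certificate out of any backup you restore later; once it is gone from the store, a site accidentally still bound to it would fail to start rather than silently serve an expired certificate, which is the outcome this check is meant to prevent.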

Wrapping It Up

Performing an IIS Replace Certificate operation involves careful steps, starting with creating the certificate signing request (CSR). By following the process of generating a new CSR, obtaining the certificate, installing intermediates, completing the request in IIS, and binding the new certificate, you can ensure a smooth transition and maintain continuous, trusted security for your website visitors.

Need a new SSL certificate or assistance with the process? Visit SSLRepo for a wide range of trusted certificates and support.

Frequently Asked Questions (FAQ)

Q1: Do I always need to generate a new CSR to replace an IIS certificate?
A: While technically possible to reuse a private key/CSR in some renewal scenarios (if allowed by the CA and your policies), generating a new CSR for each replacement is the recommended security best practice. It ensures a new, unique private key for each certificate lifespan.

Q2: What is the “Friendly Name” when completing the certificate request?
A: It’s simply a label you assign to the certificate within IIS Manager to help you identify it easily, especially if you manage multiple certificates. Including the domain and expiry year (e.g., mydomain.com_2025) is a common practice.

Q3: Where do I install the intermediate certificates?
A: On Windows/IIS servers, intermediate certificates should be imported into the Intermediate Certification Authorities store for the Local Computer account, typically using the MMC Certificates Snap-in.

Q4: My new certificate isn’t showing in the Bindings dropdown after I completed the request. What’s wrong?
A: Check that the certificate import/completion was successful (it should appear in IIS Manager > Server Certificates). Ensure you placed it in the ‘Personal’ store. Also, verify it has a private key associated with it (a key icon should appear next to it in MMC). If not, there might have been an issue pairing it with the key during the ‘Complete Certificate Request’ step.

Q5: Can I use the same private key from my old certificate?
A: It’s generally discouraged for security reasons. Generating a new CSR creates a new private key, reducing risk if the old key was ever compromised. Most replacement procedures assume a new CSR.
