Your SSL certificate’s expiry date is approaching, or maybe it’s time for an upgrade? Performing an IIS Replace Certificate task is fundamental for maintaining seamless website security. A critical first step in this process is often overlooked or misunderstood: you typically need to generate a CSR (Certificate Signing Request) on the IIS server itself before you can obtain and install the new certificate, because that is where the private key is created and must stay.
Skipping the CSR generation or trying to reuse an old one can lead to complications or security vulnerabilities. This guide walks you through the essential steps to properly replace your SSL certificate in IIS, starting with generating a fresh CSR.
Key Takeaways
- Replacement Necessity: Regularly replacing SSL certificates in IIS is vital to avoid expiration warnings and maintain trust.
- Generate CSR First: The standard and most secure practice is to generate CSR anew on your IIS server for each certificate replacement. This creates a new, unique key pair.
- IIS Tools: IIS Manager provides built-in tools for both generating the CSR and completing the certificate installation.
- Full Process: Replacing involves: Generating CSR -> Ordering/Validating Cert -> Installing Intermediates -> Completing Request in IIS -> Binding New Cert.
- Don’t Forget Intermediates: Installing intermediate certificates provided by the CA is crucial for the trust chain.
- Verification is Key: Always test your installation after replacing the certificate.
Why Generate a New CSR for Certificate Replacement?
While some CAs might allow renewals using an old CSR (if their policies and your server setup permit), generating a new one is strongly recommended for several reasons:
- Security Best Practice: Creates a completely new, unique private key for the new certificate. If the old key was ever compromised (even unknowingly), using a new key prevents carrying over that risk, and it limits how much traffic any single key protects over its lifetime (NIST SP 800-57 Part 1 Rev. 5, Recommendation for Key Management).
- Ensures Compatibility: An old CSR carries whatever key length was chosen when it was made, and public CAs reject anything below 2048-bit RSA. A fresh request lets you pick a key size (2048-bit or higher) that meets current standards.
- Updates Information: Allows you to update any organizational details embedded in the certificate request if necessary.
- Smooths Installation: Starting with a fresh CSR generated on the target server generally leads to fewer issues when completing the certificate request later in IIS.
Step 1: Generate CSR in IIS
This is where the “generate CSR” part of the process happens. It must be done on the server that will host the certificate, because the wizard creates the private key on the machine where it runs.
- Launch Internet Information Services (IIS) Manager.
- In the Connections pane (left side), select your server’s hostname.
- In the center pane under the IIS section, double-click Server Certificates.
- In the Actions pane (right side), click Create Certificate Request…. This opens the Request Certificate Wizard.
- Fill out the Distinguished Name Properties carefully and accurately:
- Common Name (CN): The fully qualified domain name (FQDN) you want to secure (e.g., www.yourdomain.com or secure.yourdomain.com). This must match the web address users access. Note that the IIS Manager wizard has no field for Subject Alternative Names; if one certificate must cover several hostnames (for example both yourdomain.com and www.yourdomain.com), generate the request with certreq.exe instead, or confirm that your CA can add the extra names on their side.
- Organization (O): Your official registered company name.
- Organizational Unit (OU): The relevant department (e.g., IT Department, Web Security). Public CAs no longer include OU in TLS certificates (the CA/Browser Forum deprecated it in 2022), so this can be left blank.
- City/locality (L): The city where your organization is legally located.
- State/province (S): The state or province (spell out fully, e.g., California, not CA).
- Country/region (C): The two-letter ISO country code (e.g., US, GB, DE).
- Click Next.
- On the Cryptographic Service Provider Properties screen:
- Leave the Cryptographic service provider as Microsoft RSA SChannel Cryptographic Provider (standard).
- Set the Bit length to 2048 or higher (2048 is the industry minimum standard).
- Click Next.
- Click the … button to specify a file name and location where you want to save the CSR text file (e.g., C:\Certificates\yourdomain_csr_2025.txt). Remember this location.
- Click Finish.
You have now generated a new CSR and its corresponding private key. The private key never leaves the server: Windows keeps it in the local machine certificate store attached to a pending request (visible in the MMC Certificates snap-in under Certificate Enrollment Requests), which is why the request must later be completed on this same server. The text file you saved contains only the CSR, i.e. the public key plus your distinguished name, and is what you send to the CA.
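As an added example (this is not code from the original article), the same CSR can be generated from PowerShell with the built-in certreq.exe, which, unlike the IIS Manager wizard, lets you include Subject Alternative Names. The hostnames, organization details and the C:\Certificates path are placeholders; run it in an elevated session on the IIS server, since the key is created in the machine store.

```powershell
# Added example, not from the original article: build a CSR with certreq.exe so that
# Subject Alternative Names can be included. Run elevated on the IIS server.
# All hostnames, DN values and paths below are placeholders.
$Hostnames = @('www.yourdomain.com', 'yourdomain.com')   # first entry becomes the CN
$OutDir    = 'C:\Certificates'
$infPath   = Join-Path $OutDir 'yourdomain_csr.inf'
$csrPath   = Join-Path $OutDir 'yourdomain_csr_2025.txt'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# One SAN line per hostname, in the {text} syntax certreq expects for OID 2.5.29.17.
$sanLines = ($Hostnames | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"

# MachineKeySet: the key goes to the machine store so IIS (a service) can use it.
# Exportable = FALSE keeps the key on this box; set TRUE only if you must move it later.
# KeyUsage 0xA0 = digitalSignature + keyEncipherment; EKU 1.3.6.1.5.5.7.3.1 = serverAuth.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$($Hostnames[0]), O=Your Company Ltd, L=San Francisco, S=California, C=US"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
KeySpec = 1
KeyUsage = 0xA0
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
$sanLines
"@
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# certreq writes the PEM request to $csrPath and parks the new private key with a
# pending request in Cert:\LocalMachine\REQUEST until the certificate is completed.
if (Test-Path $csrPath) { Remove-Item $csrPath }
& certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Check the request before sending it: subject, key length and SAN list should be
# exactly what you intended, because the CA will copy them into the certificate.
& certutil.exe -dump $csrPath | Select-String -Pattern 'Subject:|CN=|Public Key Length|DNS Name='
```

The request created this way is completed in Step 4 exactly like one from the wizard (the Complete Certificate Request dialog, or certreq -accept, finds the pending key by public-key match), so the rest of the guide applies unchanged.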
Step 2: Order Your Replacement Certificate
Use the content of the .txt file you just created to order your SSL certificate from your chosen Certificate Authority (CA), such as SSLRepo.
- Open the CSR file with a text editor (like Notepad).
- Copy the entire block of text, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.
- Go to your CA’s ordering portal (SSLRepo.com, for example).
- Select the type of certificate you need.
- During the configuration/order process, paste the copied CSR text when prompted.
- Complete any required domain validation or organization vetting procedures.
- Once approved, the CA will issue your certificate files (usually .cer or .crt) and the necessary intermediate certificates.
Step 3: Install Intermediate Certificates
This is a crucial step often missed. Before installing your main certificate, install the intermediate(s) provided by the CA.
- Download the intermediate certificate(s) from your CA.
- Open MMC (Microsoft Management Console): press Win + R, type mmc, and hit Enter.
- Go to File > Add/Remove Snap-in…. Add the Certificates snap-in for the Computer account (Local Computer).
- Navigate to Certificates (Local Computer) > Intermediate Certification Authorities > Certificates.
- Right-click Certificates > All Tasks > Import…. Follow the wizard to import the intermediate certificate file(s) you downloaded.
Step 4: Complete the Certificate Request in IIS
Now, install the actual certificate issued by the CA.
- Download the server certificate file (.cer or .crt) from your CA.
- Return to IIS Manager > Server Certificates.
- In the Actions pane, click Complete Certificate Request….
- Browse to the .cer or .crt file you downloaded from the CA.
- Provide a Friendly name. Make it descriptive, e.g., yourdomain.com Exp2025-10. This helps you identify it later.
- Select the Personal certificate store from the dropdown. (On IIS 8 and later, Web Hosting is an alternative store intended for servers with many certificates; either works, as long as the binding in Step 5 refers to the same store.)
- Click OK. The new certificate should now appear in the list, replacing the pending request. If this step fails, the usual causes are listed under Q3 in the FAQ.
Step 5: Bind the New Certificate in IIS
Tell IIS to use the newly installed certificate for your website.
- In IIS Manager, expand Sites and click on the specific website.
- In the Actions pane, click Bindings….
- Select the https binding (usually on port 443).
- Click Edit….
- From the SSL certificate dropdown menu, select the new certificate using the Friendly name you assigned.
- Ensure the correct Host name is specified and Require Server Name Indication is checked if you use SNI (Server Name Indication), i.e. when several HTTPS sites share one IP address and port.
- Click OK, then Close.
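Steps 3 to 5 as one PowerShell script, added here as an example and not part of the original article. It assumes the WebAdministration module (installed with IIS) and the PKI module (Windows Server 2012 and later), an elevated session on the server where the CSR was generated, and placeholder values for the site name, hostname, file paths and friendly name. certreq -accept does the same job as the Complete Certificate Request dialog.

```powershell
# Added example, not from the original article: Steps 3-5 scripted. Run elevated on
# the server where the CSR was generated. Site name, hostname, paths and friendly
# name are placeholders.
Import-Module WebAdministration

$SiteName     = 'Default Web Site'
$HostName     = 'www.yourdomain.com'
$IssuedCert   = 'C:\Certificates\www_yourdomain_com.cer'
$Intermediate = 'C:\Certificates\ca_intermediate.crt'
$FriendlyName = 'yourdomain.com Exp2025-10'

# Step 3: the intermediate belongs in the machine-wide Intermediate Certification
# Authorities store (Cert:\LocalMachine\CA), not in Personal.
Import-Certificate -FilePath $Intermediate -CertStoreLocation 'Cert:\LocalMachine\CA' | Out-Null

# Confirm the issued certificate chains to a trusted root now that the intermediate
# is installed, before touching IIS at all.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $IssuedCert
$chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($issued)) {
    $why = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Issued certificate does not chain to a trusted root: $why"
}

# Step 4: certreq -accept finds the pending request whose public key matches the
# certificate, attaches the private key, and places the result in Cert:\LocalMachine\My.
& certreq.exe -accept $IssuedCert
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $issued.Thumbprint }
if (-not $cert -or -not $cert.HasPrivateKey) {
    throw 'Certificate is in the store without a private key: was the CSR generated on this server?'
}
$cert.FriendlyName = $FriendlyName

# Step 5: point the site's https binding at the new certificate. SslFlags 1 = SNI,
# so several HTTPS sites can share 0.0.0.0:443.
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName
if (-not $binding) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName -SslFlags 1
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName
}
$binding.AddSslCertificate($cert.Thumbprint, 'My')   # updates http.sys immediately, no restart

# What http.sys now serves for this certificate.
Get-ChildItem IIS:\SslBindings | Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Select-Object IPAddress, Port, Host, Thumbprint
```

The HasPrivateKey check is the one that catches the most common mistake in this procedure: completing the request on a different server from the one that generated the CSR leaves you with a certificate that has no usable key.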
Step 6: Verify the Replacement
Thoroughly test that the new certificate is active:
- Access your site via https:// in different web browsers. Check the padlock icon and view the certificate details (expiry date, issuer, and that the hostname appears in the Subject Alternative Name list).
- Use an external SSL checker tool (like Qualys SSL Labs) to analyze the installation and chain. The external check matters because your own server already has the intermediate in its store: a browser on that machine will build the chain even if the server fails to send the intermediate, whereas many clients elsewhere will not.
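An added verification script (not from the original article) that connects to the site the way a browser does, with SNI, and reports what the server presents: protocol, expiry, hostname match against the SAN list and the chain as Windows builds it. The hostname is a placeholder; it runs from any Windows machine that can reach the site, and is most informative when run from a machine other than the IIS server itself.

```powershell
# Added example, not from the original article: inspect the certificate a live IIS
# site presents. Hostname and port are placeholders.
$HostName = 'www.yourdomain.com'
$Port     = 443
$WarnDays = 30

$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
try {
    # Accept whatever the server sends; validation is done explicitly below so that a
    # broken chain is reported rather than turned into a thrown exception.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient($HostName)   # SNI = $HostName, as a browser would send it
    $protocol = $ssl.SslProtocol
    $cipher   = $ssl.CipherAlgorithm
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
    $ssl.Dispose()
} finally { $tcp.Close() }

# Chain check. Note: the local machine's store and AIA fetching can fill in a missing
# intermediate, so a pass here does not prove the server sent it; an external checker does.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chainOk  = $chain.Build($cert)
$chainSub = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
$chainErr = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

# Hostname check against the SAN extension (2.5.29.17); browsers ignore the CN.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sans   = if ($sanExt) { $sanExt.Format($false) } else { '' }
$nameOk = $sans -match ('DNS Name=' + [regex]::Escape($HostName) + '(,|$)')

$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

[pscustomobject]@{
    Host       = $HostName
    Protocol   = $protocol
    Cipher     = $cipher
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    DaysLeft   = $daysLeft
    SANs       = $sans
    NameMatch  = $nameOk
    ChainOk    = $chainOk
    Chain      = ($chainSub -join '  <-  ')
    ChainErr   = $chainErr
} | Format-List

if (-not $chainOk)           { Write-Warning "Chain did not validate: $chainErr" }
if (-not $nameOk)            { Write-Warning "$HostName is not in the SAN list; browsers will reject it" }
if ($daysLeft -lt $WarnDays) { Write-Warning "Certificate expires in $daysLeft days" }
```

Running it against the old thumbprint you noted before the change is a quick way to confirm the binding really switched: if Thumbprint still shows the old value, the edit in Step 5 landed on a different binding (another IP, port or host name) than the one clients actually hit.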
Step 7: Remove the Old Certificate (Optional Cleanup)
After confirming the new certificate works, you can remove the old one from IIS. First make sure no other https binding still uses it: another site, another port, FTP over TLS, or a non-IIS listener registered with http.sys. Deleting a certificate that is still referenced by a binding leaves the binding in place but makes every TLS handshake on it fail.
- Go to IIS Manager > Server Certificates.
- Select the old, expired certificate.
- Click Remove in the Actions pane. Double-check you are removing the correct one!
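The same cleanup from PowerShell, added as an example (not from the original article), with the reference checks done before anything is deleted. The thumbprint is a placeholder; it assumes the WebAdministration module and an elevated session on the IIS server.

```powershell
# Added example, not from the original article: remove an old certificate only after
# confirming nothing still serves it. Thumbprint is a placeholder.
Import-Module WebAdministration
$OldThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'

# IIS:\SslBindings lists every https binding on the server (all sites, all ports).
$stillUsed = Get-ChildItem IIS:\SslBindings | Where-Object { $_.Thumbprint -eq $OldThumbprint }
if ($stillUsed) {
    $stillUsed | Select-Object IPAddress, Port, Host, Sites | Format-Table -AutoSize
    throw 'Old certificate is still bound in IIS; repoint those bindings first.'
}

# Non-IIS listeners (WinRM over HTTPS, other services) register with http.sys too,
# and do not appear under IIS:\SslBindings.
$httpSys = & netsh.exe http show sslcert | Select-String -Pattern $OldThumbprint
if ($httpSys) { throw "Old certificate is still registered in http.sys: $httpSys" }

$old = Get-Item "Cert:\LocalMachine\My\$OldThumbprint" -ErrorAction Stop
"Removing '$($old.FriendlyName)' issued by $($old.Issuer), expired/expiring $($old.NotAfter)"
Remove-Item $old.PSPath -DeleteKey   # -DeleteKey destroys the private key as well as the cert
```

Without -DeleteKey the certificate disappears from the store but its private key stays on disk under the machine key container; for a key you are retiring because it might have been exposed, that is not the outcome you want.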
Wrapping It Up
Replacing an SSL certificate in IIS is a systematic process where successfully completing the IIS Replace Certificate task relies heavily on correctly executing the initial generate CSR step. By creating a fresh CSR, obtaining the certificate, installing intermediates, completing the request, and binding the new certificate, you ensure your website remains secure, trusted, and free from disruptive SSL warnings.
For trusted SSL certificates and expert support for IIS, visit SSLRepo.
Frequently Asked Questions (FAQ)
Q1: Can I skip generating a new CSR and just renew?
A: While some CAs offer “renewal” options that might seem simpler, generating a new CSR on your IIS server is the most secure and recommended practice for replacing a certificate. It ensures a new private key is used.
Q2: What is the “Common Name” in the CSR?
A: It’s the primary Fully Qualified Domain Name (FQDN) the certificate will secure, like www.yourdomain.com. It must exactly match how users access your site via HTTPS. Modern browsers actually match the hostname against the Subject Alternative Name (SAN) list rather than the CN, so the CA will place the CN there as well; if you also need the bare yourdomain.com, request it as an additional name rather than expecting the CN to cover it.
Q3: What if I get an error when clicking “Complete Certificate Request”?
A: Common causes include: trying to complete the request on a different server than where the CSR was generated (the private key only exists there), the original pending request having been deleted from the server’s certificate store, or using the wrong certificate file (for example the intermediate, or a certificate issued for a different CSR). Ensure you are on the correct server and using the .cer/.crt file provided by the CA specifically for your CSR. If IIS Manager accepts the file but the certificate then shows no private key, the request was completed on the wrong machine.
Q4: Where does IIS store the private key generated with the CSR?
A: The key is generated on the server where you ran the wizard and stored in the local machine certificate store, alongside the pending request (visible in the MMC Certificates snap-in under Certificate Enrollment Requests). When you complete the request, IIS pairs the issued certificate with that key and moves it into the store you selected. The CSR file contains only the public key, so the private key never needs to be sent to the CA.
Q5: Do I need to restart IIS after replacing the certificate?
A: Usually, no. Changes to site bindings in modern IIS versions typically take effect immediately or within a few seconds. However, if you encounter issues, restarting the specific website or the IIS service can sometimes help.