Renewing Your Security: Generate CSR on Windows & Update SSL Certificate in IIS



SSL/TLS certificates are the foundation of website security, but they don’t last forever. They have expiration dates, and letting one lapse leads to browser security warnings, loss of user trust, and potentially a drop in traffic. Renewing or updating a certificate on a Windows Server running IIS involves two phases: first, you generate a new CSR on Windows for the renewal, and second, you install the issued certificate and update the SSL certificate binding in IIS so the site actually uses it.

This guide provides a complete walkthrough for Windows Server administrators on generating a fresh CSR and successfully updating an expiring SSL certificate in IIS Manager.

Key Takeaways

  • Renewal Requires a New CSR: For security best practices, always generate a new Certificate Signing Request (CSR) when renewing or updating an SSL certificate. Do not reuse an old CSR.
  • Generate CSR in IIS: Use the “Create Certificate Request…” wizard within IIS Manager on the server where the certificate will be used.
  • Use Consistent Information: When generating the renewal CSR, use the exact same Distinguished Name information (Common Name, Organization, etc.) as the original certificate, unless your organization’s details have legally changed.
  • Install New Certificate: After the CA issues the renewed certificate, install it using “Complete Certificate Request…” in IIS. Give it a unique Friendly Name (e.g., include the year) to distinguish it from the old one.
  • Update Site Binding: This is the critical step. Edit the existing HTTPS binding (port 443) for your website and select the newly installed certificate from the dropdown list.
  • Cleanup (Recommended): After confirming the update, remove the old, expired certificate from the server store.

Why Update Your Certificate & Why a New CSR?

SSL certificates have defined validity periods (currently often one year) for security reasons; the CA/Browser Forum Baseline Requirements limit the maximum certificate validity. Regular renewal ensures that the validation information associated with the certificate is reasonably current and allows for the adoption of newer security standards over time.

Generating a new CSR for each renewal is vital because:

  1. New Key Pair: It forces the creation of a new, unique public/private key pair. Reusing old keys increases the potential attack surface if the old key was ever compromised (security best practices universally recommend generating new keys for renewals).
  2. Compliance: Many CAs and security standards require a new CSR for renewal.

Part 1: Generate CSR on Windows (for Renewal)

Follow these steps on the IIS server hosting the website whose certificate you are renewing.

Information Needed (Match Existing Certificate):

Gather the exact details used for the current certificate:

  • Common Name (CN): The FQDN (e.g., www.yourdomain.com, secure.app.yourdomain.com, *.yourdomain.com). Must be identical to the expiring certificate.
  • Organization (O): Legal company name.
  • Organizational Unit (OU): Department (e.g., IT).
  • City/Locality (L): City name.
  • State/Province (S): State name.
  • Country/Region (C): Two-letter ISO code.

Tip: You can view the details of your current certificate in IIS Manager (Server Certificates > double-click certificate) or in your browser by inspecting the current site’s certificate details.

Step-by-Step CSR Generation in IIS:

  1. Open IIS Manager (inetmgr).
  2. Click the Server Name (left pane).
  3. Double-click Server Certificates (center pane).
  4. Click Create Certificate Request… (right pane Actions).
  5. Enter Distinguished Name Properties: Carefully enter the exact same information as your expiring certificate. Any discrepancy (especially in CN) can cause validation issues. Click Next.
  6. Set Cryptographic Properties:
    • Provider: Microsoft RSA SChannel Cryptographic Provider.
    • Bit length: 2048 or higher (match or exceed your previous cert’s strength).
    • Click Next.
  7. Save the CSR File: Choose a location and file name (e.g., C:\CSRs\yourdomain_com_renewal_csr_2025.txt). Click Finish.

Action Required:

  • Copy the entire content of the generated CSR file.
  • Use this CSR text when placing your renewal order with your Certificate Authority (like SSLRepo). Specify it’s a renewal if prompted, but submit the new CSR.
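The same CSR can be produced from the command line. The following PowerShell script is an added example and not code from the SSLRepo article: it reads the Subject and DNS names from the certificate currently bound to the site (so the renewal matches the expiring certificate exactly, as Part 1 requires) and generates the request with certreq using the same provider and key length the IIS wizard uses. The site name and output paths are placeholder assumptions.

```powershell
# Added example, not code from the SSLRepo article: build the renewal CSR with
# certreq, copying the Distinguished Name and DNS names from the certificate
# currently bound to the site so the request matches the expiring one exactly.
# Assumptions: the site name and output paths below are placeholders.
$siteName = 'Default Web Site'
$infPath  = 'C:\CSRs\yourdomain_com_renewal_2025.inf'
$csrPath  = 'C:\CSRs\yourdomain_com_renewal_csr_2025.txt'

Import-Module WebAdministration
# Locate the certificate referenced by the site's existing https binding.
$binding = Get-WebBinding -Name $siteName -Protocol https | Select-Object -First 1
$current = Get-Item "Cert:\LocalMachine\My\$($binding.certificateHash)"

# Reuse the Subject (CN, OU, O, L, S, C) and the DNS SANs of the expiring certificate.
$subject  = $current.Subject
$sans     = ($current.DnsNameList | ForEach-Object { "dns=$($_.Unicode)" }) -join '&'
$sanLines = if ($sans) { "[Extensions]`n2.5.29.17 = `"{text}`"`n_continue_ = `"$sans&`"" }

# certreq INF: same provider as the IIS wizard, 2048-bit RSA, SHA-256, TLS server EKU.
# Exportable = TRUE so the private key can be backed up as a .pfx later (Part 3).
@"
[NewRequest]
Subject = "$subject"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
KeySpec = 1
KeyUsage = 0xA0
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
$sanLines
"@ | Set-Content -Path $infPath -Encoding ASCII

# Generate the new key pair in the machine store and write the PEM-encoded CSR.
certreq -new $infPath $csrPath
# Review what will be submitted: subject, key length and SANs must match the old certificate.
certutil -dump $csrPath
```

The new private key is created in the machine store at request time and stays there as a pending request until the issued certificate is accepted in Part 2.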

Part 2: Update SSL Certificate in IIS (Install & Bind)

After your CA validates the renewal request using the new CSR and issues the updated certificate, you’ll receive the new certificate files (e.g., .p7b, .crt).

Step 2.1: Install the Renewed Certificate

  1. Download & Transfer: Get the renewed certificate file(s) from your CA and place them on your IIS server.
  2. Open IIS Manager > Server Certificates.
  3. Click Complete Certificate Request… (Actions pane).
  4. Specify Certificate Details:
    • Browse to the new certificate file (e.g., yourdomain_com_2025.p7b).
    • Friendly name: Crucially, give it a unique name that distinguishes it from the old certificate. Include the domain and year, e.g., yourdomain.com (Expires 2026-08) or yourdomain.com_2025. This makes selection in the next step easy.
    • Certificate store: Personal.
    • Click OK.
  5. Verify: You should now see both your old certificate and the newly installed one (with its distinct friendly name) in the Server Certificates list.

Step 2.2: Update the Website’s HTTPS Binding

This step tells IIS to start using the new certificate for HTTPS traffic.

  1. Navigate to Your Site: In IIS Manager (Connections pane), expand Sites and click your website.
  2. Open Bindings: In the Actions pane, click Bindings….
  3. Edit HTTPS Binding: Select the existing binding for type https (usually on port 443). Click Edit….
  4. Select New Certificate: In the “Edit Site Binding” window, find the SSL certificate dropdown menu. Click it and select the Friendly Name you assigned to the newly installed certificate.
  5. (Optional) If using SNI, ensure the Host name field is correct.
  6. Click OK.
  7. Click Close.

Step 2.3: Test the Update

  1. Clear Cache/Incognito: Open a new browser window (preferably incognito or after clearing cache) and navigate to your site using https://.
  2. Inspect Certificate: Click the padlock icon in the address bar. View the certificate details and verify that the expiration date matches the new certificate you just installed and bound.
  3. Online Checker: Use an external SSL checker tool to confirm the correct certificate is being served and the chain is valid.
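Steps 2.1 to 2.3 can also be carried out and verified in one PowerShell session. The script below is an added example and not code from the SSLRepo article: it completes the pending request, assigns a distinct friendly name, moves the site's existing https binding to the new certificate, and then opens a TLS connection with SNI to confirm the thumbprint the server actually serves. The site name, host name and certificate file path are placeholder assumptions.

```powershell
# Added example, not code from the SSLRepo article: install the issued
# certificate, give it a distinct friendly name, move the site's https binding
# to it (Steps 2.1 and 2.2) and read back what the server now serves (Step 2.3).
# Assumptions: site name, host name and certificate file path are placeholders.
$siteName = 'Default Web Site'
$hostName = 'www.yourdomain.com'
$certFile = 'C:\CSRs\yourdomain_com_2025.p7b'
$friendly = 'yourdomain.com_2025'

Import-Module WebAdministration
# Step 2.1: complete the pending request; the cert is joined to the key from Part 1.
certreq -accept -machine $certFile
$cnPattern = "CN=$([regex]::Escape($hostName))"
$new = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match $cnPattern -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $new) { throw "No certificate with a private key for $hostName found" }
$new.FriendlyName = $friendly   # persists to the store; this is the name IIS shows

# Step 2.2: switch the existing https binding from the old certificate to the new one.
$binding = Get-WebBinding -Name $siteName -Protocol https | Select-Object -First 1
$oldThumbprint = $binding.certificateHash
$binding.RemoveSslCertificate()
$binding.AddSslCertificate($new.Thumbprint, 'My')

# Step 2.3: open a TLS connection with SNI and compare the served leaf certificate.
# Chain validation is bypassed in the callback only because the thumbprint is checked below.
$tcp = New-Object Net.Sockets.TcpClient($hostName, 443)
$ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false,
        [Net.Security.RemoteCertificateValidationCallback]{ $true })
$ssl.AuthenticateAsClient($hostName)
$served = [Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
$ssl.Dispose(); $tcp.Dispose()
if ($served.Thumbprint -ne $new.Thumbprint) {
    throw "Still serving $($served.Thumbprint) (expires $($served.NotAfter)); old was $oldThumbprint"
}
"OK: $hostName serves '$friendly', valid until $($served.NotAfter)"
```

Run the check from a client outside the server as well, since the loopback connection does not exercise DNS or any load balancer in front of the farm.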

Part 3: Post-Update Cleanup (Recommended)

Once you’ve confirmed the new certificate is working correctly:

  1. Remove Old Certificate: Go back to IIS Manager > Server Certificates. Select the old, expired certificate (using its friendly name) and click Remove in the Actions pane. This prevents accidental selection later.
  2. Backup: Export the new certificate with its private key as a password-protected .pfx file (via Server Certificates > Export…) and store it securely offline.
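The cleanup in Part 3 is safer when scripted with a guard. The following PowerShell is an added example and not code from the SSLRepo article: it refuses to delete the old certificate while any SSL binding on the server still references it, removes the retired private key along with the certificate, and exports the new certificate as a password-protected .pfx. The thumbprints and backup path are placeholder assumptions.

```powershell
# Added example, not code from the SSLRepo article: remove the superseded
# certificate only after confirming no SSL binding still references it, then
# back up the new certificate and key as a password-protected .pfx.
# Assumptions: both thumbprints and the backup path are placeholders.
$oldThumbprint = 'OLD_CERT_THUMBPRINT'   # read it from IIS Manager > Server Certificates
$newThumbprint = 'NEW_CERT_THUMBPRINT'
$pfxPath       = 'C:\Backup\yourdomain_com_2025.pfx'

Import-Module WebAdministration
# Guard: an https binding on any site still using the old certificate would break if we delete it.
$inUse = Get-ChildItem IIS:\SslBindings | Where-Object { $_.Thumbprint -eq $oldThumbprint }
if ($inUse) {
    $inUse | Format-List | Out-String | Write-Warning
    throw "Old certificate is still referenced by $($inUse.Count) SSL binding(s); update them first."
}

# Remove the expired certificate and its private key so the retired key does not linger.
Remove-Item -Path "Cert:\LocalMachine\My\$oldThumbprint" -DeleteKey

# Export the new certificate with its private key; the password is never stored in the script.
$password = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert "Cert:\LocalMachine\My\$newThumbprint" `
    -FilePath $pfxPath -Password $password
```

Move the .pfx to offline storage afterwards and remove it from the web server so the key is not exposed in two places.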

Wrapping It Up

Updating an SSL certificate in IIS is a straightforward process when done correctly. Always generate a new CSR on Windows using IIS for each renewal, providing the same Distinguished Name information as before. After installing the new certificate with a unique friendly name, the most critical step is updating the HTTPS binding in IIS to point to the new certificate. Testing the result and removing the old certificate complete a successful update and keep the website’s security uninterrupted.

Time for renewal? Generate your CSR and visit SSLRepo to easily renew your SSL certificates.

Frequently Asked Questions (FAQ)

Q1: Can I just reuse my previous CSR file for renewal?
A: No, this is strongly discouraged for security reasons. Generating a new CSR creates a new unique key pair, which is a critical security practice for renewals. Most CAs expect a new CSR.

Q2: Do I need to restart IIS after updating the binding?
A: Typically, no. IIS usually applies binding changes immediately without needing a restart. If you encounter issues, restarting the specific website or the W3SVC service might help, but iisreset is often unnecessary.

Q3: I updated the binding, but the browser still shows the old certificate?
A: This could be browser caching (clear the cache or use incognito), or you might have selected the wrong certificate in the binding dropdown (double-check the friendly name). In multi-server setups (such as web farms that do not use a Centralized Certificate Store), make sure you updated the binding on every relevant server.

Q4: What happens if I forget to update the HTTPS binding after installing the new certificate?
A: Your website will continue to use the old certificate associated with the binding. If the old certificate expires, users will start seeing security warnings, even though the new certificate is present on the server but not actively used by the site.

Q5: How do I know which friendly name belongs to the new certificate if I forgot?
A: In IIS Manager > Server Certificates, double-click each certificate. The “General” tab shows the “Valid from” and “Valid to” dates. Find the one with the future expiration date – that’s your new certificate. Note its Friendly Name listed in the main window.
