Archive | August, 2011

How to increase your CSR key size on Microsoft IIS without removing the production certificate?

After switching certificate providers, I ran into a small issue when trying to renew an SSL certificate that had previously been generated with a Certificate Signing Request (CSR) key size of 1024 bits. SSL providers now recommend creating a CSR with a key size of 2048 bits or greater. For example, here is the wording from GlobalSign’s page:

“GlobalSign’s root keys and intermediate issuing CAs have been 2048 bit since 1998. In order to comply with today’s best practice and minimum standards for security suggested by NIST (National Institute of Standards and Technology) it is highly recommended that end entity certificates should also have 2048 bit RSA keys. Please note that from October 31st 2010 this will be the minimum acceptable level for all keys and as such 1024 bit RSA keys will no longer be allowed by GlobalSign.”

In Microsoft IIS 6.0 (yes, I know it is a 10-year-old web server), renewing a certificate makes IIS retain some key information from the certificate that is already installed, including the key size. To change the key size in IIS, you must remove the certificate, which takes down your website on port 443. The steps below are an alternate way to increase the key size of the certificate without causing any downtime to your website.

Part I – Create a Temporary Website

  1. Open IIS Manager
  2. Right-click on the Web Sites folder and select New and Web Site from the drop down menu
  3. The Web Site Creation Wizard will appear. Click Next
  4. On the Web Site Description screen, type in “Temporary” into the Description field and click Next
  5. On the IP Address and Port Settings screen, leave the defaults as is and click Next
  6. On the Web Site Home Directory screen, click on Browse and then select a folder on the computer and click OK
  7. Click the Next button
  8. On the Web Site Access Permissions screen, uncheck all the boxes and click Next
  9. Click Finish
  10. In the IIS Manager window, right-click on the Temporary website you created and select Stop from the drop down menu.

Part II – Create a CSR for the Temporary Website

  1. Open IIS Manager
  2. Right-click on the temporary website that you created in Part I and click on Properties from the drop down menu.
  3. On the Temporary website properties window, click on the Directory Security tab
  4. On the Secure communications section, click Server Certificate
  5. The Welcome to the Web Server Certificate Wizard will appear. Click Next
  6. On the Server Certificate screen, select Create a new certificate and click Next
  7. On the Delayed or Immediate Request screen, select Prepare the request now, but send it later and click Next
  8. On the Name and Security Settings screen:
    • Enter a Friendly Name for your certificate, e.g. Website Name. This is useful for identifying the certificate in Part IV
    • From the Bit length drop down, select the bit length recommended by your SSL certificate provider, e.g. 2048
    • Leave the Select cryptographic service provider (CSP) for this certificate checkbox unchecked
    • Click Next
  9. On the Organization Information screen:
    • Enter the name of the company in the Organization field
    • Enter the name of the department in the Organizational unit field
    • Click Next
  10. On the Your Site’s Common Name screen, enter the website address or Fully Qualified Domain Name (FQDN) for your site, e.g. temporary.com, and click Next. Note that the name you enter here is the one the certificate will be issued for, so it must be the hostname browsers use to reach the production website that the certificate is assigned to in Part IV; the temporary website only hosts the request.
  11. On the Geographical Information screen:
    • Select the country of your organization from the Country/Region drop down
    • Select the State/province of that country
    • Select the City/locality
    • Click Next
  12. On the Certificate Request File Name screen, select a location to save the CSR file. To do this:
    • Click on Browse and then select a folder on the computer and click OK
    • Click Next
  13. On the Request File Summary screen, you will see a summary of the certificate details. Click Next to generate the CSR file
  14. Click Finish
  15. Follow the instructions from your SSL provider’s website to submit the CSR contents. Your SSL provider will typically send you an e-mail with the certificate details and ask you to save this as a file to a location on your computer.

Part III – Install the SSL certificate on the Temporary Website

  1. Open IIS Manager
  2. Right-click on the temporary website that you created in Part I and click on Properties from the drop down menu.
  3. On the Temporary website properties window, click on the Directory Security tab
  4. In the Secure communications section, click Server Certificate
  5. The Welcome to the Web Server Certificate Wizard will appear. Click Next
  6. On the Pending Certificate Request screen, select Process the pending request and install the certificate and click Next
  7. On the Process a Pending Request screen, click on Browse and then select the path to the file containing the certificate details and click OK
  8. Click Next
  9. On the SSL Port screen, leave the SSL port as displayed and click Next
  10. On the Certificate Summary screen click Next
  11. Click Finish

Part IV – Assign the SSL Certificate to the Production Website

  1. Open IIS Manager
  2. Right-click on the production website that was set up with the old 1024-bit certificate and click on Properties from the drop down menu.
  3. On the production website properties window, click on the Directory Security tab
  4. In the Secure communications section, click Server Certificate
  5. The Welcome to the Web Server Certificate Wizard will appear. Click Next
  6. On the Modify the Current Certificate Assignment screen, select Replace the current certificate and click Next
  7. On the Available Certificates screen, select the newly installed certificate based on the friendly name that you provided in Part II and click Next
  8. On the Replace Certificate screen, click Next
  9. On the production website Properties screen, click OK
  10. Test the production website in a browser to confirm that the certificate was successfully applied
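Two points in this procedure are worth verifying with something more precise than a browser padlock: that the CSR file produced in Part II (step 15) really carries a 2048-bit key before it is sent to the provider, and that the production site presents the new key after Part IV (step 10). The following Python script is an added example and is not part of the original post or of any Microsoft tooling. It uses only the standard library: a minimal DER walker locates the rsaEncryption SubjectPublicKeyInfo inside a certificate, CSR or bare public key and reports the modulus bit length. `build_spki` and `to_pem` exist only to construct a sample input so the script runs offline; the modulus they wrap is a constructed number, not a usable key. `served_key_bits` is the one function that opens a network connection, to whatever hostname you pass it.

```python
"""Report the RSA key size inside a DER certificate, PKCS#10 CSR or SubjectPublicKeyInfo.

Added example, not from the original post. Standard library only; the DER
walker is deliberately minimal and understands only what this check needs.
"""
import base64
import ssl

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption) as it appears in a
# SubjectPublicKeyInfo. The signature-algorithm OIDs in a certificate (for
# example sha1WithRSAEncryption, ...1.1.5) differ in the last byte, so the first
# occurrence of these bytes is the public key, which precedes the signature.
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element) for the DER TLV at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:                          # short-form length
        length, pos = first, pos + 2
    else:                                     # long form: 0x8N then N length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos = pos + 2 + n
    return tag, buf[pos:pos + length], pos + length


def rsa_key_bits(der: bytes) -> int:
    """Bit length of the RSA modulus in a DER certificate, CSR or bare SPKI."""
    idx = der.find(RSA_ENCRYPTION_OID)
    if idx < 0:
        raise ValueError("no rsaEncryption SubjectPublicKeyInfo found")
    pos = idx + len(RSA_ENCRYPTION_OID)
    tag, _, pos = _read_tlv(der, pos)         # AlgorithmIdentifier parameters (NULL)
    if tag != 0x05:                           # RFC 3279 requires NULL; tolerate its absence
        pos = idx + len(RSA_ENCRYPTION_OID)
    tag, bit_string, _ = _read_tlv(der, pos)  # subjectPublicKey BIT STRING
    if tag != 0x03:
        raise ValueError("expected BIT STRING after rsaEncryption OID")
    # First octet of a BIT STRING is the unused-bit count (0 for an RSA key); the
    # rest is RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    _, rsa_public_key, _ = _read_tlv(bit_string[1:], 0)
    _, modulus, _ = _read_tlv(rsa_public_key, 0)
    return int.from_bytes(modulus, "big").bit_length()


def meets_minimum(der: bytes, minimum_bits: int = 2048) -> bool:
    """True when the key meets the provider's minimum (2048 bits in the post)."""
    return rsa_key_bits(der) >= minimum_bits


def pem_to_der(pem_text: str) -> bytes:
    """Decode any PEM body, including IIS 6.0's 'NEW CERTIFICATE REQUEST' label."""
    lines = [ln.strip() for ln in pem_text.splitlines()]
    return base64.b64decode("".join(ln for ln in lines if ln and not ln.startswith("-----")))


def served_key_bits(host: str, port: int = 443) -> int:
    """Key size of the certificate a live HTTPS endpoint presents (Part IV, step 10)."""
    pem = ssl.get_server_certificate((host, port))
    return rsa_key_bits(ssl.PEM_cert_to_DER_cert(pem))


# --- constructed sample input only: build a DER SubjectPublicKeyInfo to test against ---
def _tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def _der_int(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:                         # leading zero keeps the INTEGER positive
        raw = b"\x00" + raw
    return _tlv(0x02, raw)


def build_spki(modulus: int, exponent: int = 65537) -> bytes:
    """DER SubjectPublicKeyInfo around a constructed (non-functional) RSA modulus."""
    algorithm = _tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")
    rsa_public_key = _tlv(0x30, _der_int(modulus) + _der_int(exponent))
    return _tlv(0x30, algorithm + _tlv(0x03, b"\x00" + rsa_public_key))


def to_pem(der: bytes, label: str = "NEW CERTIFICATE REQUEST") -> str:
    """Wrap DER in PEM armour using the label IIS 6.0 writes to its request file."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


if __name__ == "__main__":
    for bits in (1024, 2048):
        sample = build_spki((1 << (bits - 1)) | 1)   # constructed odd modulus of that size
        print(bits, rsa_key_bits(pem_to_der(to_pem(sample))), meets_minimum(sample))
```

To check a real request file from Part II, read it with `pem_to_der(open("certreq.txt").read())` and pass the result to `meets_minimum`; a 1024-bit request is the sign that the wizard reused the old key size and Part II should be repeated from the temporary website. After Part IV, `served_key_bits("your.production.host")` should report 2048 rather than 1024.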

Part V – Delete the Temporary Website

  1. Open IIS Manager
  2. Right-click on the temporary website that you created in Part I and click on Delete from the drop down menu.
  3. When prompted with “Are you sure you want to delete this item?” click Yes