Rick Strahl's Weblog  

SSL Certificate Renewal Pain


It’s that time of year (actually that time of two years) again and my SSL certificate renewal is up on www.west-wind.com. Late last year I switched to a new Web Server box and in the process switched the server OS too to Windows Server 2008 64 bit. At the time I had no issues taking the certificate from the old server (via PFX export) and importing it to the new server. All’s been well.

When the time came to renew a couple of weeks ago, I just used the IIS 7 Renewal option to issue a renewal CSR to send to my domain registrar DirectNic whom I also use for SSL certs (issued by Comodo). They’ve always been quick to turn around and cheap to boot. I’ve been using them for nearly 10 years now without any sort of issues.

This certificate renewal however proved to be more complicated. IIS 7 has an option to renew an existing certificate which is supposed to take all the information from the existing certificate and create a certificate renewal request from that data. The idea is that you don’t have to re-fill the typical renewal form where you specify the organizational unit, name and so on. Here’s the cert screen in IIS 7:

[Image: CertRenewal]

However as it turns out this renewal request caused me all sorts of problems with DirectNic (and possibly with any other cert reseller). The first issue I ran into is that the CSR generated by the renewal request is unexpectedly massive. Here’s a (purposefully munged) CSR renewal request generated by the Renew option:


The first thing that sticks out on this is that the certificate request is huge! A typical CSR issued usually is a quarter of this size. In fact it’s so huge that it didn’t fit the submission form of the DirectNic site. Ooops (on DirectNic’s part). Of course I didn’t notice the cut off on the bottom of DirectNic’s form at first so there were a few tries back and forth and eventually I ended up emailing the certificate to DirectNic.

The next problem was that DirectNic came back and told me that the certificate request was for west-wind.com, not www.west-wind.com. They basically take the cert request and set it up for submission to Comodo for issuance of the final certificate and as part of the process they verify the information for the domain submitted and what’s actually entered into the certificate.

Now the odd thing is: The IIS 7 renewal process doesn’t give me any options to change the certificate settings – I just select Renew and it asks for a file name to dump the Cert request to, so it’s not something I could have changed. Yet after repeated resends and regenerations DirectNic claims the cert renewal contains just the base domain name without the www. in front. Yet the old certificate definitely DOES have www.west-wind.com as the secured domain.

FAIL.

After over a week of back and forth I finally decided to create a new certificate request rather than trying to use the IIS renewal. Creating a new cert in general seems to be a better idea:

[Image: CreateNewCert]

and then re-filling the certificate information manually. I always crack up on this form – talk about obtuse terminology: Organizational Unit? Common Name?

Today finally the final certificate arrived and I installed it into the server with 1 day to spare. Phew.

Anyway I’m curious if anybody else has experienced this behavior with IIS 7 renewals, where the domain name gets somehow munged in the renewal request? It certainly seems that IIS 7 is doing something funky with these renewal requests – just the size of the CSR makes one wonder WTF is happening there. But really I wonder if there’s a problem with IIS 7 or whether the problem actually occurred with DirectNic’s parsing of the submitted CSR although I find that hard to believe – the data is encoded and if something isn’t right it won’t decode partially, so it would seem this is an IIS issue.

After all the early years of problems with the IIS certificate renewal process I figured by now in IIS 7 this process would be fixed. In fact, the FAQ at DirectNic pointed out that servers prior to IIS 6 shouldn’t use renewals but new requests but that IIS 6 (7 isn’t mentioned yet) has this working. Apparently in IIS 7 there are still some issues with renewals not working quite right.

For now, I’m making a mental note: Certificate renewals are best done by recreating a certificate request from scratch.
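An added example (not part of the original post, and not IIS or DirectNic tooling): a PowerShell check to run on a CSR file before sending it to the CA, reporting the file size and subject name that caused the trouble above, plus the public key length. It uses the Windows X509Enrollment COM API; the script name, parameter names and the 2048-bit default are assumptions.

```powershell
# Added example: check a CSR file before submitting it to a CA.
# Assumed names (not from the post): Test-Csr.ps1, -Path, -ExpectedHost, -MinKeyBits.
# Usage: .\Test-Csr.ps1 -Path .\request.csr -ExpectedHost www.west-wind.com
param(
    [Parameter(Mandatory = $true)] [string] $Path,
    [Parameter(Mandatory = $true)] [string] $ExpectedHost,
    [int] $MinKeyBits = 2048
)

# CryptoAPI string format: base64 with or without BEGIN/END header lines
$XCN_CRYPT_STRING_BASE64_ANY = 0x6

$file = Get-Item -LiteralPath $Path
$text = [System.IO.File]::ReadAllText($file.FullName)

# Windows certificate enrollment API (certenroll.dll)
$req = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
try {
    $req.InitializeDecode($text, $XCN_CRYPT_STRING_BASE64_ANY)
}
catch {
    # Anything that does not decode as a plain PKCS#10 request lands here.
    Write-Error "Not a plain PKCS#10 request: $($_.Exception.Message)"
    exit 2
}

# Subject comes back as a distinguished name string, e.g. "CN=host, O=..., C=US"
$subject = $req.Subject.Name
$cn = $null
if ($subject -match '(?:^|,\s*)CN=([^,]+)') { $cn = $Matches[1].Trim() }

$result = New-Object PSObject -Property @{
    FileBytes   = $file.Length
    Subject     = $subject
    CommonName  = $cn
    KeyBits     = $req.PublicKey.Length
    NameMatches = ($cn -eq $ExpectedHost)      # -eq on strings is case-insensitive
    KeySizeOk   = ($req.PublicKey.Length -ge $MinKeyBits)
}
$result

# Non-zero exit code so the check can gate a scripted submission
if (-not ($result.NameMatches -and $result.KeySizeOk)) { exit 1 }
```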

Posted in IIS7  Security  

The Voices of Reason


 

Speednet
January 21, 2009

# re: SSL Certificate Renewal Pain

How funny, I just went through this myself - yesterday and today.

I had some similar problems, and also noticed the large renew CSR. But I also had a different problem.

My first issue was just finding the renew option. It is the first renewal I've done using IIS7, with all my previous renewals being done on IIS6. Just finding the right icon was a chore, and I actually had to look it up in my Wrox Professional IIS7 book. (A great book, BTW.)

So, instead of renewing inside the web site where the certificate is used (like IIS6), you have to go into the settings page for the entire server, and go into Server Certificates.

Then, it takes a few moments just to discern "renew" from the rest of the options. Too much redundancy and confusion there. I was also thrown by the lack of options or description in the renew window.

So I renewed, but when I pasted and submitted the CSR in my provider's renewal page, I got a nondescript XML error. After a few rounds with technical support, it turns out that I needed to forget using renew, and use "create new" instead.

The problem is that my certificate is an EV (Extended Validation) certificate, and the old one has a 1024 bit key. The new rules are that for any EV cert expiring in 2010 or later, you need a key size of 2048 bits. (A good move, but like Jodie Foster in Contact, I had no idea.)

So I generated a new CSR, and everything worked great from there.

Overall, my biggest problem with the process was the location and layout of the feature. Too hard to find, and once you get there, not very well laid out.

Dennis
January 22, 2009

# re: SSL Certificate Renewal Pain

Rick,

Funny you post something like this. I had the same issue last week and am still having issues. In my case I have a wildcard ssl cert. I have to install it on several servers and now I have an IIS7 server. Guess what, you can't just add it like you could in IIS6 (Or at least I haven't found a way to do it). From what I have gathered so far, you have to re-create a new cert send it to be re-keyed for IIS7. Not fun at all!

Matias Nino
January 22, 2009

# re: SSL Certificate Renewal Pain

Just tried "RENEW" via IIS7 with my Godaddy.com ssl cert. I got an "Error retrieving CSR information" message after submitting the pasted form. The CSR all fit in their textarea too so I'm not sure what could've gone wrong.

What a painful process! I want ONE CLICK RENEWAL!

DotNetShoutout
January 25, 2009

# SSL Certificate Renewal Pain - Rick Strahl's Web Log

Thank you for submitting this cool story - Trackback from DotNetShoutout

Scott Rogers
February 18, 2009

# re: SSL Certificate Renewal Pain

The reason that your CSR is so long is that the renew function in IIS7 is generating the key with a bit length of 4096 rather than something like 1024 or 2048. *Why* it's doing that I'm not sure. Still looking.

Chris Macaulay [MSFT]
May 07, 2009

# re: SSL Certificate Renewal Pain

We've been trying to address this scenario in particular with some of the new features we've got in Windows Server 2008 R2. We've got a session at TechEd 2009 "PKI in a Web Services World" where we'll be demonstrating the work Microsoft and GlobalSign have done to pull together automatic renewal and automatic certificate roll-over in IIS using the Certificate Enrollment Web Services that are new in Windows 7 and Windows Server 2008 R2. The content will be available online after the conference, and the feature is ready to go in box with the RC release. It isn't a perfect solution for all SSL scenarios, but it definitely addresses your pain points head on.

Cheers,
Chris Macaulay
Program Manager, Windows Security
Microsoft

Vincent Mayfield
June 20, 2009

# re: SSL Certificate Renewal Pain

This is pretty Lame! I just got bit by this one as well. You are correct, Rick that the terminology is grossly obtuse. What really irritates me is that there is still no KB from Microsoft. I wasted a lot of time until I found Rick's Blog.

I am a big MS Fan, but I really do not understand the post by Chris. Does this mean that the Renewal is misnamed in IIS7 in favor of some new SSL Security Feature that is to be addressed or named in Windows Server 2008 R2? The IIS7 Team needs to address this somewhere and let people know.

terence
July 24, 2009

# re: SSL Certificate Renewal Pain

i, too, now share your pain. you all have saved me a lot of time.

Geo
September 14, 2009

# re: SSL Certificate Renewal Pain

I had the same problem trying to renew my godaddy ssl certificate for my IIS7 server. Same scenario, the original cert was exported from IIS6 when the server was upgraded to Win2008. The renew option kept failing cause the csr was not 2048. I finally figured out that I had to create a new certificate request from within IIS7. Once I did this, I just followed godaddy's instructions for renewal and installation.
What a confusing hassle. Why doesn't IIS7 let you choose the size of the csr?

Bob Kennedy
September 24, 2009

# re: SSL Certificate Renewal Pain

This is a complete brain fart on Microsoft's part. Verisign won't accept IIS 7 renewal CSR's from Microsoft. Verisign and Microsoft, is anybody listening? This is a complete failure of two large companies.

Jason DeVries
December 03, 2009

# re: SSL Certificate Renewal Pain

There is a blog entry from Andreas Klein that describes the problem and some additional work-arounds.

http://blogs.msdn.com/andrekl/archive/2009/09/22/iis7-ssl-and-renewal.aspx

rich weissler
February 15, 2010

# re: SSL Certificate Renewal Pain

Yep... thanks for the entry -- I'm running into this exact problem now as well.

rich weissler
February 15, 2010

# re: SSL Certificate Renewal Pain (final bit missing from Andreas Klein blog)

> 2) Use the renew button and run this command on the resulting file:
> certutil -split yourfile.csr
> Now use the Blob0_1.p10 file this generates in your current directory as the CSR for your
> CA using the returned certificate in the inetmgr certificate management UI to complete the
> renewal.

If you need a base64 encoded text block to send this to a CA:

certutil -encode Blob0_1.p10 <YourOutputFileName>

fraser
August 10, 2010

# re: SSL Certificate Renewal Pain

This one just bit me too. Why do CA's hand out bogus information, GoDaddy sent me on my merry way with the standard IIS7 renewal route, little did I know what I was in for. Thanks for the help on this site.

Mark
September 06, 2010

# re: SSL Certificate Renewal Pain

This worked great! Thanks.

Renew the certificate and then:
certutil -split yourfile.csr
certutil -encode Blob0_1.p10 <YourOutputFileName>

Dave
January 06, 2011

# re: SSL Certificate Renewal Pain

7 Jan 2011 and have the exact same issue you posted about 2 years ago :(

Lee
February 03, 2011

# re: SSL Certificate Renewal Pain

Ditto... I can't believe Verisign hasn't updated to *at least* tell you what to do to fix it, if not actually handle the longer CSR. Google searches led me here. Worked like a charm, of course.

Thanks much for the posts, folks!

Walden
February 09, 2011

# re: SSL Certificate Renewal Pain

Awesome, the split/encode worked like a charm -- at least enough for GoDaddy to tell me I still had a 1024-bit cert. But that was improvement! Thanks a ton!

subcientifico
March 21, 2011

# re: SSL Certificate Renewal Pain

I had the same problem with a GoDaddy Renewal on IIS 7 (Windows 2008). Option 1 *sparingly* explained at http://blogs.msdn.com/b/andrekl/archive/2009/09/22/iis7-ssl-and-renewal.aspx worked excellently for me. GoDaddy has an option to renew using the CSR they have on file; the crt file from this worked fine with Option 1; in the interim no change in OS or bit length.

Alex Foley
February 11, 2012

# re: SSL Certificate Renewal Pain

Clearly MS has got some kind of brainfart here. This was never an issue in IIS 6 or previous. I even used IIS 1.0. I almost hit the wall on renewing my site http://www.smokee.com/. I am glad I didn't over-think this too long or I would have missed my renewal window.

russ
July 04, 2012

# re: SSL Certificate Renewal Pain

I pressed the renew button in IIS7.5 on a 2048 bit cert. Pasted that file into the renew screen on my ssl provider, and I get "The CSR uses an unsupported key size!"
I also tried to split the CSR using the instructions from Andreas Klein. Still the same error.
Checked out my csr here, and it tells me I have a 1024 bit key: :(
https://secure.comodo.net/utilities/decodeCSR.html

I'll just create a whole new cert. Disappointing renew doesn't work.

Cameron Moore
January 08, 2013

# re: SSL Certificate Renewal Pain

Just ran into the same problem. Easiest solution is to not use the MS interface. I've found Digicert's Cert Utility very handy at renewing certs. Details here: http://www.digicert.com/util/ssl-certificate-renewal-using-util-iis-7.htm

I started moving our certs to Digicert last year (mainly because I liked how easy they made everything), and this is my first time renewing with them. I stumbled over the MS interface today until I remembered Digicert's utility.

Rick Strahl
January 08, 2013

# re: SSL Certificate Renewal Pain

@Cameron - good idea, but kinda pricey. That's nearly triple what I pay for a cert...

West Wind  © Rick Strahl, West Wind Technologies, 2005 - 2024