It’s that time of year (actually that time of two years) again and my SSL certificate renewal is up on www.west-wind.com. Late last year I switched to a new Web Server box and in the process switched the server OS too to Windows Server 2008 64 bit. At the time I had no issues taking the certificate from the old server (via PFX export) and importing it to the new server. All’s been well.
When the time came to renew a couple of weeks ago, I just used the IIS 7 Renewal option to issue a renewal CSR to send to my domain registrar DirectNic, whom I also use for SSL certs (issued by Comodo). They’ve always been quick to turn around and cheap to boot. I’ve been using them for nearly 10 years now without any sort of issues.
This certificate renewal however proved to be more complicated. IIS 7 has an option to renew an existing certificate which is supposed to take all the information from the existing certificate and create a certificate renewal request from that data. The idea is that you don’t have to re-fill the typical renewal form where you specify the organizational unit, name and so on. Here’s the cert screen in IIS 7:
However as it turns out this renewal request caused me all sorts of problems with DirectNic (and possibly with any other cert reseller). The first issue I ran into is that the CSR generated by the renewal request is unexpectedly massive. Here’s a (purposefully munged) CSR renewal request generated by the Renew option:
-----BEGIN NEW CERTIFICATE REQUEST-----
[CSR body omitted]
-----END NEW CERTIFICATE REQUEST-----
The first thing that sticks out on this is that the certificate request is huge! A typical CSR is usually a quarter of this size. In fact it’s so huge that it didn’t fit the submission form of the DirectNic site. Ooops (on DirectNic’s part). Of course I didn’t notice the cut-off at the bottom of DirectNic’s form at first, so there were a few tries back and forth and eventually I ended up emailing the certificate request to DirectNic.
The next problem was that DirectNic came back and told me that the certificate request was for west-wind.com, not www.west-wind.com. They basically take the cert request and set it up for submission to Comodo for issuance of the final certificate, and as part of the process they verify the information for the domain submitted against what’s actually entered into the certificate request.
Now the odd thing is: the IIS 7 renewal process doesn’t give me any options to change the certificate settings – I just select Renew and it asks for a file name to dump the cert request to, so it’s not something I could have changed. Yet after repeated resends and regenerations DirectNic claims the cert renewal contains just the base domain name without the www. in front. Yet the old certificate definitely DOES have www.west-wind.com as the secured domain.
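The two symptoms above (an oversized request and a reseller reporting a different host name than expected) can both be caught before the CSR ever leaves your desk by decoding it locally. The script below is an added example and is not part of the original post, IIS or DirectNic’s tooling; it uses the openssl command-line tool, constructs two throwaway CSRs for the names discussed here (one with only the bare domain as Common Name, one with the www host as Common Name plus a subjectAltName listing both names) and reports each request’s byte size, Common Name and SAN entries, flagging the one that does not cover www.west-wind.com. All file names, helper names and the sample organization value are mine.

```shell
#!/bin/sh
# Added example (not from the original post): decode a CSR before submitting it
# and confirm it really names the host the certificate is being bought for.
# Needs the openssl CLI. Every key, config and CSR below is constructed sample data.
set -e

# Subject Common Name of a PKCS#10 CSR. The sed pattern accepts both the old
# "subject=/CN=x/O=y" and the newer "subject=CN = x, O = y" output formats.
csr_common_name() {
  openssl req -in "$1" -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# DNS entries from the subjectAltName extension, one per line (empty if none).
csr_sans() {
  openssl req -in "$1" -noout -text | { grep -o 'DNS:[^, ]*' || true; } | sed 's/^DNS://'
}

# Every host name the CSR asks for: CN first, then SAN entries.
csr_names() {
  csr_common_name "$1"
  csr_sans "$1"
}

# Exit 0 if the CSR covers the given host name exactly, 1 otherwise.
csr_covers_host() {
  csr_names "$1" | grep -qx "$2"
}

# Size of the PEM file in bytes; a plain 2048-bit RSA CSR is well under 2 KB.
csr_size_bytes() {
  wc -c < "$1" | tr -d ' '
}

# Write a minimal openssl req config: $1 = output file, $2 = CN, $3 = optional SAN list.
write_req_config() {
  {
    printf '[req]\nprompt = no\ndistinguished_name = dn\n'
    if [ -n "$3" ]; then printf 'req_extensions = v3_req\n'; fi
    printf '[dn]\nCN = %s\nO = West Wind Technologies (sample value)\n' "$2"
    if [ -n "$3" ]; then printf '[v3_req]\nsubjectAltName = %s\n' "$3"; fi
  } > "$1"
}

# Print size, names and a verdict for one CSR: $1 = CSR file, $2 = host the cert is for.
csr_report() {
  printf '%s: %s bytes, names: %s\n' "$1" "$(csr_size_bytes "$1")" "$(csr_names "$1" | tr '\n' ' ')"
  if csr_covers_host "$1" "$2"; then
    echo "  OK: covers $2"
  else
    echo "  MISMATCH: does not cover $2 - fix the request before submitting it"
  fi
}

# --- constructed sample data -------------------------------------------------
WORK=$(mktemp -d)
openssl genrsa -out "$WORK/key.pem" 2048 2>/dev/null

# CSR 1: only the bare domain as CN, no SAN (the shape the reseller complained about).
BAD_CSR="$WORK/bare-domain.csr"
write_req_config "$WORK/bare.cnf" "west-wind.com" ""
openssl req -new -key "$WORK/key.pem" -config "$WORK/bare.cnf" -out "$BAD_CSR"

# CSR 2: www host as CN plus a SAN covering both names.
GOOD_CSR="$WORK/www-host.csr"
write_req_config "$WORK/www.cnf" "www.west-wind.com" "DNS:www.west-wind.com, DNS:west-wind.com"
openssl req -new -key "$WORK/key.pem" -config "$WORK/www.cnf" -out "$GOOD_CSR"

csr_report "$BAD_CSR" www.west-wind.com
csr_report "$GOOD_CSR" www.west-wind.com
```

Run it as-is to see the bare-domain request flagged and the www request accepted; to check a real request, call csr_report with the file IIS wrote and the host name you are paying for. If openssl req cannot parse the file at all, the request is not a plain PKCS#10 CSR, which is exactly the kind of thing a reseller’s web form may choke on. On Windows, certutil -dump on the request file shows the same Subject field.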
FAIL.
After over a week of back and forth I finally decided to create a new certificate request rather than trying to use the IIS renewal. Creating a new cert in general seems to be a better idea:
and then re-filling the certificate information manually. I always crack up on this form – talk about obtuse terminology: Organizational Unit? Common Name?
Today finally the final certificate arrived and I installed it into the server with 1 day to spare. Phew.
Anyway, I’m curious if anybody else has experienced this behavior with IIS 7 renewals, where the domain name gets somehow munged in the renewal request. It certainly seems that IIS 7 is doing something funky with these renewal requests – just the size of the CSR makes one wonder WTF is happening there. But really I wonder if there’s a problem with IIS 7 or whether the problem actually occurred with DirectNic’s parsing of the submitted CSR, although I find that hard to believe – the data is encoded and if something isn’t right it won’t decode partially, so it would seem this is an IIS issue.
After all the early years of problems with the IIS certificate renewal process I figured by now in IIS 7 this process would be fixed. In fact, the FAQ at DirectNic pointed out that servers prior to IIS 6 shouldn’t use renewals but new requests, but that IIS 6 (7 isn’t mentioned yet) has this working. Apparently in IIS 7 there are still some issues with renewals not working quite right.
For now, I’m making a mental note: certificate renewals are best done by recreating the certificate request from scratch.