When dealing with non-resignable certificates in IIS6 (common with Thawte and other CAs), the replacement process differs from standard renewal. The key challenge is maintaining service continuity while transitioning to a new certificate.
Here's the safe workflow to avoid service interruption:
1. Generate new CSR while old certificate remains active:
- Open IIS Manager
- Right-click website → Properties → Directory Security
- Click "Server Certificate" under Secure Communications
- Choose "Create new certificate" (not Renew)
- Complete the CSR wizard
Once you receive the new certificate from Thawte:
1. Open IIS Manager
2. Navigate to website properties → Directory Security
3. Click "Server Certificate"
4. Select "Process the pending request"
5. Browse to the new certificate file
6. Complete the installation wizard
Important technical details about the transition:
- The old certificate remains valid until its expiration date
- Clients will automatically negotiate with the new certificate
- No service gap occurs if both certificates are technically valid during transition
After installation, verify with OpenSSL:
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com </dev/null | openssl x509 -noout -dates
Frequent issues during IIS6 certificate replacement:
- Certificate binding conflicts (solution: netsh http show sslcert)
- Intermediate certificate chain issues (solution: mmc → Certificates snap-in)
- SSL port conflicts (solution: netstat -ano | findstr 443)
When dealing with non-resignable certificates in IIS6 (like Thawte's case), the standard renewal process won't work. The key insight here is that certificate replacement differs fundamentally from renewal in Windows Server 2003's IIS implementation.
Before removing the old certificate, generate your new CSR first. Here's the PowerShell command to create a backup of your current certificate:
# Requires the PKI module cmdlets (Windows 8 / Server 2012 and later); they are not present on Server 2003 itself.
$cert = Get-ChildItem -Path cert:\LocalMachine\My -DnsName "yourdomain.com"
# -Type CERT writes the public certificate only; the private key is not included (Export-PfxCertificate covers that).
Export-Certificate -Cert $cert -FilePath C:\backup\old_cert.cer -Type CERT
Follow this specific sequence to avoid service disruption:
- Generate new CSR via IIS Manager (right-click website > Properties > Directory Security > Server Certificate)
- Submit CSR to CA (Thawte in this case)
- Keep old certificate installed until new one is ready
For automation purposes, here's how to install the new certificate via command line:
certreq -accept -machine your_new_cert.cer
Then bind it to your website using:
cscript.exe adsutil.vbs set /w3svc/1/SecureBindings ":443:yourdomain.com"
Use this OpenSSL command to confirm both certificates are valid during overlap period:
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -showcerts </dev/null
The most frequent issues during replacement include:
- Certificate chain incompleteness (fix by installing intermediate CAs)
- Mismatched private keys (always verify thumbprint matching)
- Binding conflicts (check with netsh http show sslcert)
After successful replacement:
- Test all SSL-dependent services
- Update certificate in load balancers if applicable
- Schedule next replacement reminder (90 days before expiry)
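The post-replacement checks from both answers (thumbprint, private key match, chain completeness, certificate still valid, and whether the server really serves the new certificate) as one openssl script run from an admin workstation. This is an added example, not code from either answer; the file names new.cer / new.key / intermediates.pem, the hostname yourdomain.com, and the make_test_pair helper (which builds throwaway self-signed certificates so the checks can be exercised offline) are assumptions.

```shell
#!/bin/sh
# Post-replacement checks for a swapped IIS certificate, using only openssl from an
# admin workstation. Added example, not code from the page; the file names, the
# hostname "yourdomain.com" and the make_test_pair helper are assumptions.
set -eu

# Bare uppercase-hex SHA-1 fingerprint, i.e. the value Windows and IIS display as the
# certificate "Thumbprint" (minus spaces), so file and store values compare directly.
cert_thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 \
        | sed 's/^.*=//; s/://g' | tr '[:lower:]' '[:upper:]'
}

# 0 when the private key's public half equals the public key inside the certificate.
# This is the "mismatched private key" failure mode: a CSR regenerated after the
# request was submitted leaves an issued certificate that no longer fits the stored key.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# 0 when the certificate is still valid for at least $2 more seconds (default: now).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# 0 when the leaf in $1 chains to a trusted root via the intermediates in $2; feed the
# CA's intermediate bundle here to catch an incomplete chain before clients do.
# $3 optionally names a root bundle (default: the system trust store).
chain_verifies() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
    fi
}

# Thumbprint of the leaf a live server presents for host $1 (needs network access).
# </dev/null makes s_client exit instead of waiting on stdin; -servername sends SNI.
served_thumbprint() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha1 \
        | sed 's/^.*=//; s/://g' | tr '[:lower:]' '[:upper:]'
}

# Builds a throwaway self-signed pair (plus an unrelated key and cert) in directory $1
# so the checks can be exercised offline; a real run points at the CA-issued files.
make_test_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=yourdomain.com" \
        -keyout "$1/new.key" -out "$1/new.cer" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=other.example" \
        -keyout "$1/other.key" -out "$1/other.cer" 2>/dev/null
}

# Usage: sh check_cert.sh new.cer new.key intermediates.pem [yourdomain.com]
run_checks() {
    [ $# -ge 3 ] || { echo "usage: $0 cert key intermediates [host]" >&2; return 2; }
    cert=$1; key=$2; inter=$3; host=${4:-}
    echo "thumbprint: $(cert_thumbprint "$cert")"
    key_matches_cert "$cert" "$key"        && echo "key: matches"     || echo "key: MISMATCH"
    cert_valid_for "$cert" $((90 * 86400)) && echo "expiry: >90 days" || echo "expiry: <90 days"
    chain_verifies "$cert" "$inter"        && echo "chain: ok"        || echo "chain: BROKEN"
    if [ -n "$host" ]; then
        [ "$(served_thumbprint "$host")" = "$(cert_thumbprint "$cert")" ] \
            && echo "served: new cert is live" || echo "served: server still presents another cert"
    fi
}

[ $# -eq 0 ] || run_checks "$@"
```

Run it once with the host argument before retiring the old certificate and once after; the "served" line is the overlap check, since IIS6 presents exactly one certificate per site and the thumbprint tells you which one is bound right now. The 90-day expiry threshold matches the replacement reminder suggested above.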