When dealing with expiring SSL certificates in IIS 7.0, administrators often face a critical choice between renewal and fresh installation. The key consideration is maintaining service continuity while transitioning between certificate authorities (CAs).
The IIS management console provides two primary paths:
1. "Renew Certificate" option
2. "Create Certificate Request" (new CSR)
Important technical distinction: The "Renew" option typically generates a CSR that maintains the existing key pair, while creating a new request generates fresh cryptographic material.
Here's how to generate a new CSR without removing the current certificate:
1. Open IIS Manager
2. Select server node
3. Open Server Certificates feature
4. Choose "Create Certificate Request" from right pane
5. Complete the CSR wizard (preserve existing certificate)
When your new certificate arrives from the alternate vendor:
```powershell
# PowerShell alternative for certificate installation
Import-Module WebAdministration
$certPath = "C:\new_cert.cer"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($certPath)
# "My" is the Personal store IIS 7.0 reads; the "WebHosting" store only exists on IIS 8+ (Server 2012)
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
$store.Open("ReadWrite")
# This stores the public certificate only; to pair it with the private key from the pending CSR
# use IIS Manager "Complete Certificate Request" or certreq -accept instead
$store.Add($cert)
$store.Close()
```
To minimize downtime during the transition:
- Generate CSR while old certificate remains active
- Install new certificate before expiration
- Update IIS bindings during low-traffic periods
Changing certificate vendors doesn't inherently cause technical issues, but consider:
- Root certificate chain differences
- Potential OCSP/CRL distribution point variations
- Client-side trust store compatibility
For repeatable certificate management:
```powershell
# Sample renewal check script
# Take the newest matching certificate in case an old and a new one coexist in the store
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*yourdomain.com*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if ($cert -and $cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Host "Certificate expires soon: $($cert.NotAfter)"
    # Trigger renewal workflow
}
```
For your specific scenario with Windows Server 2003/IIS 7.0:
- Generate new CSR via "Create Certificate Request"
- Submit to new vendor while keeping current cert active
- Install new cert alongside old one
- Update bindings during maintenance window
- Remove expired certificate afterward
When your SSL certificate is nearing expiration on IIS 7.0 (Windows Server 2003), you essentially have three paths:
- Renew with current CA (typically preserves key pair)
- Create new CSR with same key pair
- Generate completely new key pair and CSR
Here's what happens at the protocol level for each option:
```sh
# Sample OpenSSL commands to inspect key continuity
openssl x509 -in old.crt -noout -pubkey
openssl x509 -in new.crt -noout -pubkey
# Compare the two outputs: identical public keys mean the key pair was reused
```
To minimize downtime when changing certificate authorities:
1. Generate new CSR while keeping old cert:
   certreq -new -q -f "C:\path\to\request.inf" "C:\newrequest.csr"
2. Submit CSR to new CA
3. When new cert arrives:
   certreq -accept -q "C:\newcert.cer"
4. Verify binding in IIS:
   appcmd list ssl /certhash:[thumbprint]
For zero-downtime transitions, consider these IIS binding techniques:
```sh
# HTTP.SYS allows one certificate per ipport, so the old binding must be removed before the new one is added
netsh http delete sslcert ipport=0.0.0.0:443
netsh http add sslcert ipport=0.0.0.0:443 certhash=[NEW_THUMBPRINT] appid={[GUID]} certstorename=MY
```
Watch for these specific IIS 7.0 quirks:
- SCHANNEL errors in System log when private keys mismatch
- HTTP.SYS binding conflicts during transition period
- SNI considerations if hosting multiple sites
For large-scale deployments, consider this PowerShell snippet:
```powershell
# Certificate renewal automation script
$newCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "yourdomain.com" -and $_.NotAfter -gt (Get-Date) }
if ($newCert) {
    $binding = Get-WebBinding -Name "Default Web Site" -Protocol "https"
    $binding.AddSslCertificate($newCert.GetCertHashString(), "My")
}
```
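The binding swap above and the SCHANNEL/key-mismatch quirks listed earlier both come down to checking the new certificate before HTTP.SYS ever serves it. The following is an added example, not code from either answer: it verifies the private key, validity window, chain and key continuity against the old certificate, and only then rebinds the site. Site name and thumbprints are placeholders.

```powershell
Import-Module WebAdministration

function Test-ReplacementCertificate {
    param(
        [Parameter(Mandatory)][string]$OldThumbprint,
        [Parameter(Mandatory)][string]$NewThumbprint,
        [int]$MinDaysRemaining = 30
    )
    $old = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $OldThumbprint }
    $new = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $NewThumbprint }
    if (-not $new) { return @('New certificate not found in LocalMachine\My') }
    $problems = @()
    # A certificate without its private key cannot serve TLS; this is the usual cause of SCHANNEL errors
    if (-not $new.HasPrivateKey) { $problems += 'New certificate has no private key (was the CSR created on this server?)' }
    if ($new.NotBefore -gt (Get-Date)) { $problems += "New certificate not yet valid (NotBefore $($new.NotBefore))" }
    if ($new.NotAfter -lt (Get-Date).AddDays($MinDaysRemaining)) { $problems += "New certificate expires $($new.NotAfter)" }
    # Build the chain now so a missing intermediate from the new CA is caught before clients see it
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    if (-not $chain.Build($new)) {
        $problems += ($chain.ChainStatus | ForEach-Object { "Chain: $($_.Status) $($_.StatusInformation)".Trim() })
    }
    # Key continuity: an identical public key means the CSR reused the old key pair (the Renew path)
    if ($old) {
        $sameKey = ($old.GetPublicKeyString() -eq $new.GetPublicKeyString())
        Write-Host ("Key pair {0}" -f $(if ($sameKey) { 'reused from old certificate' } else { 'is new' }))
    }
    return $problems
}

function Switch-SiteCertificate {
    param([string]$SiteName, [string]$NewThumbprint, [string]$OldThumbprint)
    $problems = @(Test-ReplacementCertificate -OldThumbprint $OldThumbprint -NewThumbprint $NewThumbprint)
    if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Warning $_ }; return $false }
    $binding = Get-WebBinding -Name $SiteName -Protocol https
    if (-not $binding) { Write-Warning "No https binding on site $SiteName"; return $false }
    # Rebinding only; the old certificate stays in the store until you remove it deliberately
    $binding.AddSslCertificate($NewThumbprint, 'My')
    return $true
}

# Placeholder values (assumed): replace with the real site name and thumbprints
Switch-SiteCertificate -SiteName 'Default Web Site' -NewThumbprint 'NEW_THUMBPRINT' -OldThumbprint 'OLD_THUMBPRINT'
```

Run it once with the real thumbprints before the maintenance window; a non-empty warning list is the signal to stop and fix the store rather than touch the binding.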