{"id":51,"date":"2016-01-18T20:13:52","date_gmt":"2016-01-18T20:13:52","guid":{"rendered":"http:\/\/www.pkipartner.support\/?page_id=51"},"modified":"2016-01-19T09:50:51","modified_gmt":"2016-01-19T09:50:51","slug":"faq-how-to-increase-your-csr-key-size-on-microsoft-iis-5-or-iis-6-without-removing-the-production-certificate","status":"publish","type":"page","link":"https:\/\/pkipartner.com\/support\/faq-how-to-increase-your-csr-key-size-on-microsoft-iis-5-or-iis-6-without-removing-the-production-certificate\/","title":{"rendered":"SSL – How to increase your CSR key size on Microsoft IIS 5 or IIS 6 without removing the production certificate?"},"content":{"rendered":"

How to increase your CSR key size on Microsoft IIS 5 or IIS 6 without removing the production certificate?<\/h1>\n

Resolution<\/h3>\n

In line with industry good practice, Comodo requires that all types of SSL certificates are created
\nwith a CSR that has a key size of 2048-bits or greater. This requires care in Microsoft IIS when
\nrenewing a certificate that has a key size of 1024-bits.<\/p>\n

When renewing an already existing certificate, Microsoft IIS will retain all of the details of the
\ncurrently installed certificate. This includes the key size which may be set to 1024-bits. In order
\nto get the option to change the key size in IIS, you must remove the certificate which has the
\neffect of taking down your website on port 443 (https:\/\/).<\/p>\n

This article describes an alternate method to increase the key size of your certificate without any
\ndowntime to your website by creating a temporary website.<\/p>\n

Creating a Temporary Website<\/h3>\n

We will create a temporary website that will, at this end of the process, have a status of
\nStopped<\/strong>. Creating this website and having it stopped in IIS poses no security risks and will not
\naffect your other websites.<\/p>\n

    \n
  1. Open up IIS. This can be found in the Administrative Tools<\/strong> in Control Panel.<\/li>\n
  2. In the Internet Information Services (IIS)<\/strong> Manager window, right-click on the Web<\/strong>
    \n Sites<\/strong> folder and select New<\/strong> and Web Sites<\/strong> from the drop down menu.<\/li>\n
  3. The Web Site Creation Wizard willl appear<\/strong>. In that new window, click on Next<\/strong>.<\/li>\n
  4. On the next screen, type in “Temporary” into the Description field<\/strong>. Once you have done
    \nthat, click on Next<\/strong>.<\/li>\n
  5. At the IP Address and Port Settings screen<\/strong>, leave the defaults and click on the Next<\/strong>
    \nbutton.<\/li>\n
  6. In the Web Site Home Directory screen<\/strong>, click on the Browse<\/strong> folder and navigate to the
    \nInetpub<\/strong> folder (or a folder of your choosing). Once selected, click on the Next button<\/strong>.<\/li>\n
  7. The next screen shows the Web Site Access Permissions<\/strong>. Uncheck all of the boxes
    \nand click on Next<\/strong>.<\/li>\n
  8. At the final screen click on the Finish button<\/strong>.<\/li>\n<\/ol>\n

    Back in the Internet Information Services (IIS) Manager window<\/strong>, right click on the
    \nTemporary<\/strong> website and select Stop<\/strong> from the drop down menu.<\/p>\n

    Creating a CSR for Temporary<\/h3>\n

    Here follows the process for creating a CSR as you would for a normal certificate on the new
    \nTemporary website that you created in the section above. If you are familiar with this process,
    \nyou can skip to next section.<\/p>\n

      \n
    1. Open up IIS. This can be found in the Administrative Tools<\/strong> in Control Panel<\/strong>.<\/li>\n
    2. Right-click on the temporary website and click on Properties<\/strong> from the drop down menu.<\/li>\n
    3. A new window will appear. In that new window, click on the Directory Security tab<\/strong> at
      \nthe top.
      \nIn the same window, you will see three sections. The bottom section named Secure<\/strong>
      \n communications<\/strong> has three buttons.<\/li>\n
    4. Click on the Server Certificate<\/strong>… button.\u00a0The IIS Certificate Wizard appears.<\/li>\n
    5. Select the circle, Create a new certificate<\/strong>. and click on Next<\/strong>.<\/li>\n
    6. On the next step on the Wizard, select the circle, Prepare the request now, but send<\/strong>
      \n it later<\/strong> and click on Next<\/strong>.<\/li>\n
    7. At the next step in the Wizard, enter in a Name for your certificate. In the field where
      \nyou see Bit length<\/strong>: select 2048 from the drop down. Leaving the other two check boxes
      \nunchecked, select Next<\/strong>.<\/li>\n
    8. On the next screen, enter in the full legal name of the company which the certificate
      \nbelongs into the Organization<\/strong> field. In the Organizational unit field<\/strong>, enter in the
      \ndepartment of the organization, such as ‘IT’ or “Marketing”. Click on Next<\/strong>.<\/li>\n
    9. At the next screen, you will need to enter in your FQDN (fully qualified domain name) of
      \nyour website in the field named Common name<\/strong>. It looks like “secure.example.com” or
      \n“example.com”. Click on Next<\/strong>.<\/li>\n
    10. On the next screen, you will need to select the country of your organization from the
      \nCountry\/Region<\/strong> drop down. You will then need to type in the State\/province<\/strong> of that
      \ncountry along with city within that state within the City\/locality<\/strong> field. Once you have
      \ndone that, click on Next.<\/li>\n
    11. At the next step of the Wizard, you will need to specify where to save the CSR text file
      \nthat will be created. To change the location, you should click on the Browse<\/strong>… button.
      \nAfter you have selected a location, click on the Next<\/strong> button.<\/li>\n
    12. At the final screen, you will see a summary of all the certificate details that you have
      \ncreated. Click on Next<\/strong> to generate the CSR file.
      \nNote<\/strong>: When you have generated a CSR file, you will have a pending request held for this website. If this pending request is deleted before a certificate response can be installed, the set of private keys that were created will be deleted as well. This will render the CSR file and the certificate response useless, including during installation.<\/li>\n
    13. Open the newly created CSR file using notepad. Select all the contents, copy and then paste into the ordering site at www.pkipartner.com.<\/li>\n<\/ol>\n

      Installing the certificate onto Temporary<\/h3>\n
        \n
      1. Open up IIS. This can be found in the Administrative Tools<\/strong> in Control Panel<\/strong>.<\/li>\n
      2. Right-click on the Temporary website and click on Properties<\/strong> from the drop down menu.<\/li>\n
      3. A new window will appear. In that new window, click on the Directory Security<\/strong> tab at
        \nthe top. In the same window, you will see three sections. The bottom section named\u00a0Secure communications<\/strong>\u00a0has three buttons.<\/li>\n
      4. Click on the Server Certificate<\/strong>… button.<\/li>\n
      5. A wizard appears. Click on Next<\/strong>.<\/li>\n
      6. On the next screen, select the option, Process the pending request and install the\u00a0certificate<\/strong>. Click on Next<\/strong>.
        \nNote<\/strong>: If you do not see this option, this could mean that the CSR may have been\u00a0deleted. If this is the case, then the certificate file is cannot be used.<\/li>\n
      7. At the next step of the wizard, you must click on browse and navigate to the .crt that was
        \nsupplied to you by PKI Partner.
        \nNote<\/strong>: By default, the IIS Certificate Wizard looks for files with the extension of .cer. In\u00a0order for it to accept the .crt file, you will need to drop the File of type: field down to look\u00a0for All files and the .crt file should appear. Once you can see it, select it.<\/li>\n
      8. Click on Next<\/strong>.<\/li>\n
      9. On the next screen, leave the default to port 443<\/strong>. Click on Next<\/strong>.<\/li>\n
      10. You should now see a summary screen. When you have finished looking at the summary,
        \nyou should click on Next<\/strong>.<\/li>\n
      11. At the final screen, click on Finish<\/strong>.<\/li>\n<\/ol>\n

        Assigning the Stronger Certificate<\/h3>\n
          \n
        1. In IIS, right-click on the production website that has the 1024-bit certificate installed and\u00a0then click on Properties<\/strong> from the drop down menu.<\/li>\n
        2. A new window will appear. In that new window, click on the Directory Security<\/strong> tab at
          \nthe top. In the same window, you will see three sections. The bottom section named
          \nSecure communications<\/strong> has three buttons.<\/li>\n
        3. Click on the Server Certificate<\/strong>… button.<\/li>\n
        4. A wizard appears. Click on Next<\/strong>.<\/li>\n
        5. On the next screen, select the option, Replace the current certificate<\/strong>. Click on Next<\/strong>.
          \nImportant Note<\/strong>: If you do not receive this option, it may be possible that you have an\u00a0already pending request for this website. In order to have the Replace the current\u00a0certificate option available, you will need to delete the pending request on this website.<\/li>\n
        6. You should see a list of certificates which contains the certificate you have installed on the\u00a0Temporary website. Select the newly installed certificate that contains a key size of\u00a02048-bits from this list. Once selected, click on Next<\/strong>.<\/li>\n
        7. IIS will display the new replacement certificate’s details. Verify these details and then
          \nclick on Next<\/strong>.<\/li>\n
        8. Click on the Finish button<\/strong> on the next screen.<\/li>\n
        9. Back in the Properties window, click on the OK button<\/strong>. The certificate on your website\u00a0has been updated with the stronger 2048-bit certificate with no downtime.<\/li>\n
        10. The final step of this article is to delete the Temporary website that you created in the\u00a0beginning. To do this, right-click the Temporary website from IIS and select Delete<\/strong> from\u00a0the drop down menu. Click on Yes<\/strong> at the, “Are you sure you want to delete this item?”<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"

          How to increase your CSR key size on Microsoft IIS 5 or IIS 6 without removing the production certificate? Resolution In line with industry good practice, Comodo requires that all types of SSL certificates are created with a CSR that has a key size of 2048-bits or greater. This requires\u2026<\/p>\n

          Continue reading<\/span><\/i><\/a> <\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"_links":{"self":[{"href":"https:\/\/pkipartner.com\/support\/wp-json\/wp\/v2\/pages\/51"}],"collection":[{"href":"https:\/\/pkipartner.com\/support\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/pkipartner.com\/support\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/pkipartner.com\/support\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pkipartner.com\/support\/wp-json\/wp\/v2\/comments?post=51"}],"version-history":[{"count":5,"href":"https:\/\/pkipartner.com\/support\/wp-json\/wp\/v2\/pages\/51\/revisions"}],"predecessor-version":[{"id":133,"href":"https:\/\/pkipartner.com\/support\/wp-json\/wp\/v2\/pages\/51\/revisions\/133"}],"wp:attachment":[{"href":"https:\/\/pkipartner.com\/support\/wp-json\/wp\/v2\/media?parent=51"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}