This article is a follow-up to Replacing a Certificate in IIS without Downtime; I realized that it is probably non-obvious how one would acquire the signed certificate in the first place.
You can go read the intro to the first article for the long explanation. In short, IIS makes it completely impossible to generate a new certificate request for a site without taking that site offline. So we're going to cheat and use OpenSSL.
OpenSSL comes with just about every Linux distribution, so if you have a Linux machine handy, you can use it to perform all of these steps. Otherwise, go get Cygwin and install it along with its OpenSSL package.
Since we're going to use a new certificate/key, we need to generate a new CSR. OpenSSL can do this, but it's ugly. I created a shell script, vhost-ssl-request.sh, to do it:
#!/bin/bash
NUM_BITS=4096
VHOST=$1
TODAY=$(date +"%Y-%m-%d")
KEY=${VHOST}.key
CSR=${VHOST}-${TODAY}.csr
if [ $# -lt 1 ]; then
    echo "Usage: $0 <vhost>"
    echo "Where vhost corresponds to the virtual hostname, e.g. www.example.com."
    echo "In terms of the CSR created, this will be the 'common name'."
    exit 1
fi
if [ -f "$KEY" ]; then
    echo "Key file $KEY already exists. Bailing."
    exit 1
fi
if [ -f "$CSR" ]; then
    echo "CSR file $CSR already exists. Bailing."
    exit 1
fi
# Generate the private key at the requested size, then the CSR for it.
# The common name is set to the vhost, so there is nothing to type at a prompt.
openssl genrsa -out "${KEY}" ${NUM_BITS}
openssl req -new -key "${KEY}" -subj "/CN=${VHOST}" -out "${CSR}"
Note the default NUM_BITS=4096. Change it if you care. Run the thing, and pass it the name of your site (i.e. the certificate's common name).
./vhost-ssl-request.sh www.example.com
This will output two files in the current directory: www.example.com.key (your private key) and www.example.com-<date>.csr (the certificate signing request).
You've got the CSR; just send it off to whoever is going to sign it. Generally, once they have verified that you own the common name in question, you will receive a certificate file back. Let's call it www.example.com.crt.
Now, IIS won't import a certificate/key pair as separate files, because it's a fucker. So before we import the pair, we need to convert it to PKCS12 format (a pfx file). OpenSSL can do this, but first, let's combine the certificate/key pair into one pem file.
cat www.example.com.key www.example.com.crt > www.example.com.pem
Now, convert the pem file to pfx, with which IIS and Windows are in love:
openssl pkcs12 -in www.example.com.pem -export -out www.example.com.pfx
You will be prompted for a password. Enter something short and memorable—we're going to use it once in about 10 seconds, and then never need it again.
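As an added example (not the post's own script), here is the whole key/CSR and pem/pfx sequence run non-interactively in a scratch directory, with a check at each stage that the public key carried by the CSR, the certificate and the pfx is the one that belongs to the private key. Because the example has to run offline, the CA step is a constructed stand-in that self-signs the CSR; with a real CA you would drop fake_ca_sign and put the returned .crt in its place. The hostname, the pfx password and the 2048-bit key size are all constructed sample values.

```shell
#!/bin/bash
# Added example, not the original post's vhost-ssl-request.sh: generates the
# key and CSR, stands in for the CA by self-signing, bundles the pair into a
# pfx, and verifies that every artefact carries the private key's public half.
set -e

NUM_BITS=2048          # the post defaults to 4096; 2048 keeps the demo quick
VHOST=www.example.com  # constructed sample hostname
PFX_PASS=dummypass     # constructed; the post types this at the prompt instead

# SHA-256 of the DER public key found in a key, CSR, certificate or pfx,
# so the four can be compared without reading them by eye.
pub_fp() {
  { case "$1" in
      key) openssl pkey -in "$2" -pubout -outform DER ;;
      csr) openssl req  -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
      crt) openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
      pfx) openssl pkcs12 -in "$2" -nokeys -passin "pass:$PFX_PASS" 2>/dev/null \
             | openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER ;;
    esac; } | openssl dgst -sha256 | awk '{print $NF}'
}

# Step 1: private key and CSR, as in the post's script; -subj supplies the
# common name so openssl req does not prompt.
make_csr() {
  openssl genrsa -out "$VHOST.key" "$NUM_BITS" 2>/dev/null
  openssl req -new -key "$VHOST.key" -subj "/CN=$VHOST" -out "$VHOST.csr"
}

# Step 2, stand-in for the CA: self-sign the CSR so there is a .crt to test.
fake_ca_sign() {
  openssl x509 -req -in "$VHOST.csr" -signkey "$VHOST.key" -days 1 \
    -out "$VHOST.crt" 2>/dev/null
}

# Step 3: the post's cat + pkcs12 steps, password given with -passout
# instead of at the interactive prompt.
make_pfx() {
  cat "$VHOST.key" "$VHOST.crt" > "$VHOST.pem"
  openssl pkcs12 -in "$VHOST.pem" -export -out "$VHOST.pfx" -passout "pass:$PFX_PASS"
}

# Returns 0 when the CSR's CN is the vhost and CSR, certificate and pfx all
# share the private key's public key; names the disagreeing stage otherwise.
verify_chain() {
  subj=$(openssl req -in "$VHOST.csr" -noout -subject)
  case "$subj" in
    *CN*"$VHOST"*) ;;
    *) echo "CSR subject is '$subj', expected CN $VHOST"; return 1 ;;
  esac
  ref=$(pub_fp key "$VHOST.key")
  for kind in csr crt pfx; do
    fp=$(pub_fp "$kind" "$VHOST.$kind")
    [ "$fp" = "$ref" ] || { echo "$kind public key does not match $VHOST.key"; return 1; }
  done
  echo "CN ok; key, CSR, certificate and pfx all carry public key $ref"
}

# Runs the three steps in a fresh temporary directory and then the check.
run_demo() {
  work=$(mktemp -d)
  cd "$work"
  make_csr && fake_ca_sign && make_pfx && verify_chain
}
```

verify_chain is the part worth keeping around: run it against the .key you generated and the .crt the CA sent back before you build the pfx, since a certificate issued for some other key will bundle without complaint and only fail once it is in front of IIS.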
We're almost done. The rest of the steps follow the previous article, beginning at Importing the New Certificate/Key Pair.