michael orlitzky

Replacing a certificate in IIS without downtime

Note: if you don't already have a signed certificate and would simply like to replace an existing certificate, see New Certificates in IIS Without Downtime, and then jump to Importing the New Certificate/Key Pair.

What We Would Like to Do

There are essentially two parts to an SSL certificate: the certificate (public key), and a private key (which you keep to yourself). Usually, one sends off the certificate half of this pair to be signed by some unscrupulous third party, known as a certificate authority. In most cases, that's the end of the process. However, there are some cases where the certificate authority needs to re-sign an existing certificate.

It would be nice if we could do this without having to delete the old certificate, create a new CSR, submit it for approval, answer some emails, await confirmation, download the new certificate, and install it. Because on Windows, your site is down while all of that is happening.

What's Wrong with IIS

IIS goes out of its way to make this use case impossible. The SSL request procedure through IIS looks something like the following:

  1. You choose Create New Certificate or whatever it's called through the IIS interface. This generates the certificate/key pair, and stores them somewhere magic so that you can't do anything useful with them. You also get a CSR, which you can submit to a CA to verify certain personal information about yourself such as that you have paid them money.

  2. Once the certificate is signed, you get (only) the signed certificate back from the CA.

  3. Through the same interface as before, you tell IIS to go ahead and import the thing. But here's the catch: at this point, you can only import the certificate that matches the previously generated certificate/key pair.

Once the certificate is installed, all the useful options in the IIS interface go away. You are left with like, five different options which all essentially mean “take my site offline for a while.”

To be fair, there is an option to “replace the current certificate.” However, you can only replace your current certificate/key pair with a different certificate/key pair, and that pair must already be installed. And you can't install a new certificate/key pair, because you can't create one without taking your site offline.

So basically,

That Sucks

Yes, it does. Fortunately, if you have a Linux machine handy, or you have a copy of Cygwin on the Windows box, you can use OpenSSL to pry your current key out of IIS, and combine it with the new certificate.

Here's the basic procedure.

Export the Current Certificate/Key Pair from IIS

We need to get the current cert/key out of IIS while the site is still running. To do this, we use the Certificates snap-in of the Microsoft Management Console.

  1. Choose Start→Run from the menu.

  2. Enter mmc.exe, and hit OK.

  3. Choose File→Add/Remove Snap-in from the menu.

  4. Choose Add, then Certificates, Computer Account, and finally, Local Computer.

  5. Get out of the Add/Remove Snap-in dialog, and browse to the Personal certificates entry in the tree.

  6. Right click the certificate/key you'd like to export, and choose All Tasks→Export from the menu.

  7. Yes, export the private key. Next. Next. Enter a password, and write it down. Next. Pick a filename. Ok.

Obtain the Private Key from the PFX File

From now on, I'll assume you've exported your certificate/key pair as site-current.pfx. Open up Cygwin, or copy the PFX file to your Linux box. Find it, and do the following:

user $ openssl pkcs12 -in site-current.pfx -out site-current.pem -nodes

This will decrypt the PFX file (it will prompt you for the password you just entered), and then write out the certificate/key pair in plain text as site-current.pem.

Combine the New Certificate with the Old Key

Did I mention you should have the new certificate handy? Well, you should, as site-new.crt.

Open site-current.pem in a text editor. You should see a block delimited by -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. Now, open your new certificate, site-new.crt, in a text editor as well. You should see another BEGIN/END certificate block. Replace the block in site-current.pem with the one from site-new.crt. Save the result as site-new.pem.

Were you paying attention? We just replaced the old certificate in the PEM file with the new certificate, from the CRT file. Then we saved the result in a new file.

Now, we have to,

Get Everything Back in PKCS12 Format

Now that site-new.pem contains your key and the new certificate, we need to convert it back into a format that Windows understands.

user $ openssl pkcs12 -export -in site-new.pem -out site-new.p12

This will again prompt you for a password. Enter one, and write it down. You'll need it in a second. This command takes the PEM file, and converts it to a PKCS12 file (which Windows understands), called site-new.p12.
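The combine and export steps above, done in one script rather than in a text editor, as an added example that is not part of the original article. It assumes openssl is on PATH, constructs its own key and certificates as stand-ins for the article's files, and adds the check a practitioner wants before bundling: that the new certificate really belongs to the key pried out of IIS.

```shell
#!/bin/sh
# Added example, not from the original article. It assumes `openssl` is on
# PATH and uses the article's file names; the key and certificates below are
# constructed on the spot so the script runs on its own.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT   # everything in here holds a private key

# Constructed stand-ins: the key pried out of IIS with its old certificate,
# a "new" certificate issued for the same key, and a certificate for an
# unrelated key (the failure case the check below must catch).
openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=example.test -days 1 \
  -keyout "$WORK/key.pem" -out "$WORK/site-old.crt" 2>/dev/null
openssl req -x509 -key "$WORK/key.pem" -subj /CN=example.test -days 365 \
  -out "$WORK/site-new.crt" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=example.test -days 365 \
  -keyout "$WORK/wrong-key.pem" -out "$WORK/wrong.crt" 2>/dev/null

# True when the certificate's public key is the one derived from the private
# key. Comparing public keys (not RSA moduli) also works for EC keys.
cert_matches_key() {   # $1 = certificate (PEM), $2 = private key (PEM)
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# The article's "combine" and "back to PKCS12" steps, done non-interactively:
# refuse to bundle a certificate that does not belong to the key, write
# site-new.pem (new cert + old key), export it, then re-read the .p12 to
# prove Windows will be handed a readable file.
build_p12() {   # $1 = new cert, $2 = private key, $3 = output .p12, $4 = export password
  cert_matches_key "$1" "$2" || { echo "$1 does not match $2" >&2; return 1; }
  cat "$1" "$2" > "${3%.p12}.pem"
  # pass: puts the password on the command line; env: or file: keeps it out of history
  openssl pkcs12 -export -in "${3%.p12}.pem" -out "$3" -passout "pass:$4"
  openssl pkcs12 -in "$3" -passin "pass:$4" -nokeys -noout
}

build_p12 "$WORK/site-new.crt" "$WORK/key.pem" "$WORK/site-new.p12" "example-pass"
echo "site-new.p12 built and verified"
```

If the exported PEM also carries intermediate certificates, keep those CERTIFICATE blocks and replace only the site's own one (the block whose Bag Attributes localKeyID matches the key's). If the Windows box rejects a .p12 written by OpenSSL 3, re-export with -legacy so the older PKCS12 algorithms are used.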

Importing the New Certificate/Key Pair

Hopefully you didn't close the mmc.exe window. If you did, go follow those directions again. Once you have the Personal certificates up again, right click (somewhere empty) in the list of certificates. There should be an option to import a PKCS12 certificate.

Import the certificate/key. When the wizard offers to protect the private key with a password, decline; IIS can't enter the password for you every time it starts.

Replace the Certificate in IIS

With the new certificate/key pair stored, you can finally replace the existing certificate in IIS. Find that interface, and choose Replace the Existing Certificate. Hopefully, the one you just imported is in the list. Beware, though, that the expiration date and common name will be the same as they were previously. Don't pick the wrong one.

Clean Up

Delete any of the intermediate files we just created. Anything containing your private key is sensitive, and should only be visible to the administrator.