IIS7+: Renewing a SSL Certificate

When renewing an SSL certificate in IIS7 or newer, the format of the generated request file has changed. (Internet Information Services (IIS) Manager -> Your Server -> Server Certificates -> select the certificate to renew and choose Renew from the right-hand/context menu.) In the past, the CSR was sent as PKCS#10. With the new format, there is a PKCS#7 container holding the PKCS#10 request and additional information (the actual CSR part is signed with your old certificate). Unfortunately, not all CAs support this CSR format (giving, for example, errors about invalid encoding). In that case, you can use the certutil command line tool to extract the PKCS#10 CSR part (DER) and encode it in Base64 with the following commands:

certutil -split c:\temp\yourrenewrequestfile.txt
certutil -encode c:\temp\blob0_1.p10 c:\temp\youroutputCSRfortheCA.csr

where the first command extracts the objects from the PKCS#7 container and the second command encodes the CSR part (blob0_1.p10) in Base64. This CSR is accepted by most CAs.

Keep in mind that as of 2014, certificates have to have a key length greater than 1024 bits, so the renewal request might still be rejected and you may still have to generate a new request. Most CAs offer tools to check your request (for Symantec it is, for example, https://ssltools.websecurity.symantec.com/checker/views/csrCheck.jsp ).
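As an added check that is not part of the original post, the following Python script (standard library only) tells you whether a request file is a plain PKCS#10 CSR or the newer PKCS#7 container, and for a PKCS#10 it reports the RSA key size, so you can see before contacting the CA whether the request is in the old format and whether the key would fall below the key-length minimum. The DER walking, the test-data builders (a structurally valid but unsigned CSR and a bare PKCS#7 signedData shell, both constructed here) and the 2048-bit default in ready_for_ca are my own assumptions, not something the post specifies; a real renewal file from IIS still has to be split with certutil as described above before its CSR part can be inspected.

```python
"""Classify an IIS request file as PKCS#10 or PKCS#7 and report the RSA key size.
Standard library only; added example, not from the original post."""
import base64
import re
import sys

OID_PKCS7_SIGNED_DATA = "1.2.840.113549.1.7.2"
OID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each TLV inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        yield tag, val


def _decode_oid(raw):
    parts, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))


def pem_to_der(text):
    """Strip PEM armor (any BEGIN/END label, e.g. NEW CERTIFICATE REQUEST)."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", text)
    return base64.b64decode("".join(body.split()))


def rsa_key_bits(csr_der):
    """RSA modulus size of a PKCS#10 CertificationRequest, or None if not RSA."""
    _, request, _ = _read_tlv(csr_der, 0)
    info = list(_children(request))[0][1]               # certificationRequestInfo
    spki = list(_children(info))[2][1]                  # subjectPKInfo
    alg, pubkey = [v for _, v in _children(spki)]
    if _decode_oid(list(_children(alg))[0][1]) != OID_RSA_ENCRYPTION:
        return None
    _, rsa_pub, _ = _read_tlv(pubkey[1:], 0)            # skip BIT STRING unused-bits byte
    modulus = list(_children(rsa_pub))[0][1]
    return int.from_bytes(modulus, "big").bit_length()


def classify_request(text):
    """{'format': 'PKCS#10' | 'PKCS#7' | 'unknown', 'key_bits': int | None}."""
    der = pem_to_der(text)
    _, top, _ = _read_tlv(der, 0)
    first_tag, first_val = next(_children(top))
    if first_tag == 0x06 and _decode_oid(first_val) == OID_PKCS7_SIGNED_DATA:
        return {"format": "PKCS#7", "key_bits": None}   # run certutil -split first
    if first_tag == 0x30:
        return {"format": "PKCS#10", "key_bits": rsa_key_bits(der)}
    return {"format": "unknown", "key_bits": None}


def ready_for_ca(text, min_bits=2048):
    """True when the file is a bare PKCS#10 whose RSA key meets min_bits (assumed default)."""
    r = classify_request(text)
    return r["format"] == "PKCS#10" and (r["key_bits"] or 0) >= min_bits


# --- constructed test data (not real IIS output) ---------------------------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _der_int(n):
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)


def make_test_csr(bits):
    """Structurally valid PKCS#10 with a dummy RSA key and zeroed signature."""
    rsa_pub = _der(0x30, _der_int((1 << (bits - 1)) | 1) + _der_int(65537))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))
    info = _der(0x30, _der_int(0) + _der(0x30, b"") + spki + _der(0xA0, b""))
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    return _der(0x30, info + sig_alg + _der(0x03, b"\x00" * (bits // 8 + 1)))


def make_test_pkcs7(inner_der):
    """Minimal PKCS#7 signedData ContentInfo shell around inner_der."""
    oid = _der(0x06, bytes.fromhex("2a864886f70d010702"))
    body = _der(0x30, _der_int(1) + _der(0x31, b"") + _der(0x04, inner_der))
    return _der(0x30, oid + _der(0xA0, body))


def to_pem(der, label):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else to_pem(make_test_csr(2048), "NEW CERTIFICATE REQUEST")
    print(classify_request(text), "ready:", ready_for_ca(text))
```

Run it with the path of the .txt file IIS produced (or the .csr produced by certutil -encode) as the only argument; with no argument it classifies the constructed 2048-bit test CSR. A result of PKCS#7 means the file is the new renewal container and needs the certutil -split step from above; a PKCS#10 result with key_bits of 1024 means the renewal will not satisfy the key-length requirement and a fresh request is needed.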