Re: SSL CSR questions



Inline...

"Mel K." <Mel.K@xxxxxxxxxxx> wrote in message news:ep3uy8cdJHA.3488@xxxxxxxxxxxxxxxxxxxxxxx
> Hello:
>
> From what I understand, once the SSL cert is issued, you must install it on the specific IIS server that generated the CSR. That is because the private key associated with the CSR is stored on the specific IIS server. But if necessary, can't you export the private key used to generate the CSR and then import it into another IIS server?

There are only native mechanisms to export "certificates" not "keys". This is why the issued certificate must be installed at the original server where the request was generated (and the public key of the key pair was placed in the CSR file).

> Let's say I generated the CSR on IIS-01 and before I received the SSL cert back, IIS-01 started having some hardware problems and I decided to move all my sites to IIS-02. Can't I export the private key from IIS-01 and then import it into IIS-02? Then after I receive the SSL cert, I'd be able to import it into IIS-02. Does this make sense?

Yes, if there was a mechanism to move the key pairs (which there is not).

> Regarding SSL cert renewals, is it correct that if I don't have the private key that was used to generate the original CSR, I can't perform a renewal? So in that case I'd have to generate a new CSR and request a new SSL cert, correct? If I'm running a small e-commerce site, would there be any major issue with getting a new SSL cert versus renewing an existing SSL cert?

You need the original certificate, not the private key. The private key of the associated certificate is used to sign the request. The signature is based on the certificate though, not the private key. If the certificate is expired, then you cannot renew as the certificate associated with the private key is no longer time valid. As you have stated, you would simply have to request a new SSL certificate. The only difference in effort is that you do not provide a subject name in a certificate renewal, as the subject is set based on the subject of the previous certificate used to sign the request.

> --
> Thank you,
> Mel K.
> MCSA: M
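The steps the thread walks through, as an added example that is not part of the original post: OpenSSL commands stand in for the IIS certificate wizard, a self-signed certificate stands in for the CA-issued one, and the subject name, file names and PKCS#12 passphrase are constructed. It shows what a CSR actually contains (the public key plus a self-signature made with the private key), the fingerprint check that tells you whether the private key on a given server is the one a certificate was issued for, and a passphrase-protected PKCS#12 (.pfx) bundle, which is the form in which a key and its certificate are carried together to another server. It assumes an `openssl` command-line tool (1.1 or 3.x) and POSIX `sh`.

```shell
#!/bin/sh
# Added example, not code from the thread: OpenSSL equivalents of the IIS
# steps discussed above (key pair + CSR, CA signature, install check, bundle).
# Subject name, file names and the bundle passphrase are constructed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SUBJ="/C=US/O=Example Shop/CN=shop.example.test"   # constructed subject
PFX_PASS="demo-passphrase"                         # constructed, demo only

# Step 1: one command creates the key pair and the CSR. The private key is
# written only to key.pem; the CSR carries the public key and a signature
# made with the private key, which is all the CA ever receives.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORKDIR/key.pem" -out "$WORKDIR/csr.pem" \
        -subj "$SUBJ" 2>/dev/null
}

# Step 2: check the CSR's self-signature, as the CA does before issuing.
verify_csr() {
    openssl req -in "$WORKDIR/csr.pem" -noout -verify 2>&1 | grep -q "verify OK"
}

# SHA-256 of the public key (SubjectPublicKeyInfo, PEM) taken from a private
# key, a CSR or a certificate, so the three can be compared directly.
pubkey_fingerprint() {   # $1 = PEM file, $2 = key | csr | x509
    case "$2" in
        key)  openssl pkey -in "$1" -pubout 2>/dev/null ;;
        csr)  openssl req  -in "$1" -pubkey -noout 2>/dev/null ;;
        x509) openssl x509 -in "$1" -pubkey -noout 2>/dev/null ;;
    esac | openssl sha256 | awk '{print $NF}'
}

# Step 3: a self-signed certificate stands in for the one the CA returns.
issue_cert() {
    openssl x509 -req -in "$WORKDIR/csr.pem" -signkey "$WORKDIR/key.pem" \
        -days 30 -out "$WORKDIR/cert.pem" 2>/dev/null
}

# Step 4: the check to run before installing an issued certificate. Does the
# private key on this machine match the public key the CA certified?
key_matches_cert() {   # $1 = private key PEM, $2 = certificate PEM
    [ "$(pubkey_fingerprint "$1" key)" = "$(pubkey_fingerprint "$2" x509)" ]
}

# An unrelated key, to show the mismatch a second server with its own key
# pair would produce.
make_other_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORKDIR/other.pem" 2>/dev/null
}

# Step 5: bundle key and certificate into one passphrase-protected PKCS#12
# (.pfx) file, the form in which the two travel together between servers.
bundle_pfx() {
    openssl pkcs12 -export -inkey "$WORKDIR/key.pem" -in "$WORKDIR/cert.pem" \
        -out "$WORKDIR/site.pfx" -passout "pass:$PFX_PASS"
}

# Confirm the bundle's key is the one that matches the certificate.
pfx_has_matching_key() {
    pfx_fp=$(openssl pkcs12 -in "$WORKDIR/site.pfx" -nocerts -nodes \
                 -passin "pass:$PFX_PASS" 2>/dev/null \
             | openssl pkey -pubout 2>/dev/null | openssl sha256 | awk '{print $NF}')
    [ "$pfx_fp" = "$(pubkey_fingerprint "$WORKDIR/cert.pem" x509)" ]
}

demo() {
    make_csr && verify_csr && echo "CSR self-signature verifies"
    echo "key  pubkey: $(pubkey_fingerprint "$WORKDIR/key.pem" key)"
    echo "csr  pubkey: $(pubkey_fingerprint "$WORKDIR/csr.pem" csr)"
    issue_cert
    echo "cert pubkey: $(pubkey_fingerprint "$WORKDIR/cert.pem" x509)"
    key_matches_cert "$WORKDIR/key.pem" "$WORKDIR/cert.pem" && echo "key.pem matches cert.pem"
    make_other_key
    key_matches_cert "$WORKDIR/other.pem" "$WORKDIR/cert.pem" || echo "other.pem does NOT match cert.pem"
    bundle_pfx && pfx_has_matching_key && echo "site.pfx holds key + matching cert"
}

demo
```

The three fingerprints printed by `demo` are identical, which is the whole point of the thread: the CSR and the certificate both carry the public half of the pair whose private half sits in `key.pem`. The `other.pem` line is what you see when an issued certificate is brought to a server that generated its own key pair, and it is why the certificate alone is not enough. The `.pfx` passphrase protects the private key at rest while the bundle is moved, so it should be a strong one, and the file removed from any transfer media once imported.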
