Renewing an HTTPS certificate for IIS without starting a renewal request

It seems the usual procedure for renewing HTTPS certificates for IIS is to start a renewal request, send it to the CA (Verisign, for example), wait for a file in the reply and import it into IIS.

But what can we do if we have the renewal certificate, issued from a former CSR? You get an e-mail with a part like this:

-----BEGIN CERTIFICATE-----
(...)
-----END CERTIFICATE-----

How can we import this into IIS? We should follow these steps:

First we export the current certificate. To do this, we go to the site properties, “Directory Security” tab:

We start the wizard by clicking on “Server Certificate” and go to the next screen:

We click on “Next” and go to the next screen:

There we choose “Export the current certificate to a .pfx file”. After that, we will be asked where to put it:

And a password for the export. This way we have our certificate exported.

If we look inside the file, we will see it is binary. To convert it to the same format we received in the e-mail, we can use openssl with this command:

openssl pkcs12 -in cert.pfx -out cert.pem

It will ask for the password we set before, and then for another password to protect the resulting .pem file.
If we open this file with any text editor, we will see it contains a “certificate” part, delimited by “BEGIN CERTIFICATE” and “END CERTIFICATE” lines, exactly like the part we got in the e-mail. We just replace the former certificate text with the new one and leave the rest of the file, including the private key part, untouched. Once we have done this, we can convert it back to the binary format that IIS understands. To do this, we use openssl again:

openssl pkcs12 -export -in cert.pem -out cert-new.pfx

It will ask for the .pem password, and for another password to protect the resulting .pfx. Now, to put it in the IIS site, we should first remove the former certificate. In the “Directory Security” tab we start the wizard again, but this time we choose “Remove the current certificate”:

Clicking “Next” through the remaining screens removes the former certificate:

Now we should import the new certificate. In the wizard we will see a new option: “Import certificate from a .pfx file”:

It will ask for the file to import, and we should choose cert-new.pfx. It will ask for the password and the port to listen on (usually we will use the default 443), and finally we will have the certificate imported:

If we look at the certificate properties, we will see the expiration date has changed. We have the certificate renewed!
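Before removing the working certificate from IIS, it helps to confirm that the certificate from the e-mail really belongs to the private key in the exported cert.pem. The shell functions below are an added example, not part of the original post: they compare the two public keys and then build the new .pfx with `-inkey` instead of hand-editing the file; `new-cert.pem` (the e-mailed certificate saved to a file) and the function names are assumptions.

```shell
#!/bin/sh
# Added example: file names (cert.pem, new-cert.pem, cert-new.pfx) are assumptions.

# cert_matches_key NEW_CERT KEY_PEM
# Succeeds only if the public key inside NEW_CERT equals the public key
# derived from the private key in KEY_PEM (e.g. the cert.pem exported above).
# openssl prompts for the passphrase if the private key is encrypted.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_not_after CERT
# Prints the expiry date, to confirm the file is the renewed certificate.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# rebuild_pfx KEY_PEM NEW_CERT OUT_PFX [extra pkcs12 options, e.g. -passout ...]
# Builds OUT_PFX from the existing private key and the new certificate,
# but only after the key/certificate match has been verified.
rebuild_pfx() {
    key_pem=$1; new_cert=$2; out_pfx=$3; shift 3
    if ! cert_matches_key "$new_cert" "$key_pem"; then
        echo "refusing: $new_cert does not match the private key in $key_pem" >&2
        return 1
    fi
    echo "certificate valid until: $(cert_not_after "$new_cert")" >&2
    openssl pkcs12 -export -inkey "$key_pem" -in "$new_cert" -out "$out_pfx" "$@"
}

# Usage: rebuild_pfx cert.pem new-cert.pem cert-new.pfx
```

cert.pem and both .pfx files contain the private key, so delete them once the import has succeeded.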

Tomàs
