Certificate Renewals in IIS 7

Certificate renewals have changed from IIS 6 to IIS 7.  Specifically, IIS 7 generates a different type of certificate renewal.

The way it was…
IIS 6 creates a PKCS #10 renewal request.  This is essentially a new request populated with the information contained in the existing certificate.  When the renewed certificate comes back from the certificate authority, users will have two certificates that differ only in their expiration dates; other than that, the certificates are exactly the same.

The new way…
In IIS 7, certificate renewal requests are now PKCS #7 requests.  This type of renewal combines the request and the certificate into one.  The advantage of the PKCS #7 renewal is that when you receive the response from the certificate authority, the original certificate is replaced with the new one.  This makes certificate management much easier.
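
To check which of the two formats a given renewal request file actually uses, the following added example (not part of the original post) inspects the outer ASN.1 structure instead of trusting the file's header line. The function names and the two sample byte strings are constructed for illustration, and it assumes the input is a request file whose PKCS #7 wrapper uses the signedData content type.

```python
import base64
import re

# DER encoding of OID 1.2.840.113549.1.7.2 (PKCS #7 signedData)
SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long-form length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length


def to_der(data: bytes) -> bytes:
    """Accept raw DER, or base64 text with or without -----BEGIN/END----- lines."""
    if data[:1] == b"\x30":               # raw DER SEQUENCE
        return data
    body = re.sub(r"-----[^-]+-----|\s+", "", data.decode("ascii"))
    return base64.b64decode(body, validate=True)


def classify_request(data: bytes) -> str:
    der = to_der(data)
    tag, start, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    inner_tag, v_start, v_end = read_tlv(der, start)
    if inner_tag == 0x06 and der[v_start:v_end] == SIGNED_DATA_OID:
        return "PKCS #7"                  # ContentInfo { signedData OID, ... }
    if inner_tag == 0x30:
        # CertificationRequestInfo begins with INTEGER version 0
        t, a, b = read_tlv(der, v_start)
        if t == 0x02 and der[a:b] == b"\x00":
            return "PKCS #10"
    return "unknown"


# Constructed skeletons (structure only, not real requests)
SAMPLE_P10 = bytes.fromhex("30053003020100")
SAMPLE_P7 = bytes.fromhex("300d06092a864886f70d010702a000")
```

Pass the bytes of a request file to `classify_request`; a result of `unknown` means the file is neither shape and should be examined with a full ASN.1 viewer.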

How do I get the old behavior?
To get the original behavior for requesting a certificate renewal, users can use the Certificates MMC snap-in.  This will give you a far wider range of renewal options and types to choose from.
