Change the SSL certificate from 1024 to 2048 bit encryption on IIS 6.0

Scenario:
The administrator wants to change the SSL certificate from 1024 to 2048 bit encryption on IIS 6 for the Web TimeSheet website.

Note:
In IIS 6.0, it is not possible to change the encryption of an existing SSL certificate from 1024 to 2048 bit. Instead, a new website needs to be created, a new certificate created on it, and the new certificate then replaces the existing one.

Resolution:
To change the SSL certificate encryption from 1024 to 2048 bit, follow the steps given below:

Step 1:
Create a new Web Site in IIS 6.0.

Steps to create a new web site:

  • Click Start, select Administrative Tools and then select Internet Information Services (IIS) Manager.
  • In the IIS Manager, expand server (local computer) and locate Web Sites.
  • Right Click on Web Sites, click New and select Web Site.
  • This would bring up the New Web Site Wizard.
  • Type a description for the site and then, click Next.
  • Enter the IP Address which the site would use and also the port number and then click Next.
  • Then browse to enter the path for the home directory. In this case, since this site is only required to create the server certificate, the path should be: C:\inetpub\wwwroot
  • Give the required permissions to the website and then follow the on-screen instructions to create the web site.

Step 2:
Prepare a Certificate Signing Request (CSR)

Regardless of the SSL vendor the company uses, the first step in the process is to create a Certificate Signing Request — or CSR — that will be sent to the SSL vendor. The CSR is a Base-64 encoded PKCS#10 message that contains all of the information necessary to identify the person or company applying for the certificate. The request also includes the applicant’s public key.
The public key is the public (or, non-private) portion of a combined public key/private key structure that, together, is able to effectively and securely encrypt information.

To create the certificate follow the steps given below:

  • Click Start, select Administrative Tools and then select Internet Information Services (IIS) Manager.
  • In the IIS Manager, expand server (local computer) and locate Web Sites.
  • Right-click on the newly created Web site and choose Properties.
  • From the Properties window, select the Directory Security tab.
  • Click the tab labeled Server Certificate to start the Web Server Certificate Wizard.
  • Click the Server Certificate button to begin the process.
  • The first screen of the wizard asks us to select from a number of options. In this case, we want to Create a new certificate.
  • Next, choose the option to Prepare the request now, but send it later.
  • Type a name for the new certificate, change the Bit Length to 2048 and click Next.
  • Then select the Organization and the Organizational Unit. The Organization would depict the Common Name and the Organizational Unit would be the OU for the Certificate. After providing the information, click Next.
  • Type the common name of the website for which the certificate needs to be changed to 2048 bit and click Next.

Note:
If the name of the Web Site changes, a new certificate would be required.

  • Then enter the Geographical Information and click Next.
  • The wizard then brings up the file name for the certificate request. By default the location would be C:\certreq.txt. Click Next.
  • The last screen brings up the Request File Summary. After reviewing the information, click Next and then click Finish to complete the Certificate Wizard.
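
Before the request file is sent to the vendor, it is worth confirming that it really carries a 2048 bit key. The following is an added example, not part of the original article: a standard-library Python check that reads the RSA modulus length out of the Base-64 PKCS#10 request. The function names are illustrative, and the sample request is constructed in the code with a dummy key and an empty signature.

```python
import base64, re

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def csr_rsa_bits(pem_text):
    """Bit length of the RSA modulus inside a PEM-wrapped PKCS#10 request."""
    m = re.search(r"-----BEGIN (NEW )?CERTIFICATE REQUEST-----(.+?)-----END", pem_text, re.S)
    if not m:
        raise ValueError("no certificate request block found")
    der_bytes = base64.b64decode("".join(m.group(2).split()))
    _, request, _ = read_tlv(der_bytes, 0)   # CertificationRequest
    _, info, _ = read_tlv(request, 0)        # CertificationRequestInfo
    _, _, p = read_tlv(info, 0)              # version
    _, _, p = read_tlv(info, p)              # subject name
    _, spki, _ = read_tlv(info, p)           # SubjectPublicKeyInfo
    _, _, p = read_tlv(spki, 0)              # AlgorithmIdentifier
    tag, bitstr, _ = read_tlv(spki, p)       # BIT STRING holding the key
    if tag != 0x03:
        raise ValueError("public key BIT STRING not found")
    _, rsa_key, _ = read_tlv(bitstr[1:], 0)  # skip unused-bits byte -> RSAPublicKey
    _, modulus, _ = read_tlv(rsa_key, 0)     # INTEGER modulus
    return int.from_bytes(modulus, "big").bit_length()

def der(tag, body):
    """Minimal DER encoder, used only to build the constructed sample."""
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def der_int(v):
    return der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def sample_request(bits):
    """Constructed request with a dummy modulus and empty signature (not a real key)."""
    rsa = der(0x30, der_int((1 << (bits - 1)) | 1) + der_int(65537))
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    info = der(0x30, der_int(0) + der(0x30, b"") + der(0x30, alg + der(0x03, b"\x00" + rsa)) + der(0xA0, b""))
    b64 = base64.encodebytes(der(0x30, info + alg + der(0x03, b"\x00"))).decode()
    return "-----BEGIN NEW CERTIFICATE REQUEST-----\n" + b64 + "-----END NEW CERTIFICATE REQUEST-----\n"

print(csr_rsa_bits(sample_request(2048)))    # key size found in the constructed sample
```

To check a real request, pass the text of the request file to csr_rsa_bits() and compare the result with the bit length chosen in the wizard.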

Step 3:
Request a certificate from a certificate vendor.

Once the certificate request file is created, the information needs to be processed. At this point the administrator would be required to open the text file that contains the certificate request in order to copy and paste the encoded certificate request into the appropriate field on the order form.

Once the administrator completes the vendor’s certificate request form and provides them with payment, he would receive the SSL certificate via email.

Step 4:
Save the provided certificate somewhere accessible.

Once the SSL certificate is received, save this file to a location accessible from your Web server. However, make sure that it has a .cer extension.

Step 5:
Install the certificate:
After making sure that the Web server can access the certificate file, the administrator needs to install the new certificate by completing the certificate process started back in Step 2.
To install the certificate follow the steps given below:

  • Click Start, select Administrative Tools and then select Internet Information Services (IIS) Manager.
  • In the IIS Manager, expand server (local computer) and locate Web Sites.
  • Right-click the Web site on which the administrator wants to install the received certificate and, from the shortcut menu, choose Properties.
  • From the Properties window, select the Directory Security tab.
  • Click the Server Certificate button.
  • From the first wizard screen, choose Process the pending request and install the certificate.
  • Provide the path to and the file name of the certificate file that was saved in Step 4.
  • Provide the port number for the SSL Certificate; by default it is 443.
  • The summary screen will display the information found in the certificate.

Step 6:
Install necessary intermediate certificates.

Note:
Not all SSL certificate vendors are created equal. In order to be fully trusted, any certificate you obtain needs to eventually link to a root certificate that is trusted by your Web browser. However, not all vendors’ SSL certificates are natively trusted by root certificates. As such, with these vendors, the administrator needs to complete the SSL trust chain by installing, in addition to the SSL certificate, an intermediate certificate between a root certificate and your new SSL certificate.
If the administrator skips this step, users will continue to get certificate errors until this trust chain is established. The use of an intermediate SSL certificate requires a slight bit of additional network communication at the initial establishment of an SSL-secure session but beyond that, there is no performance penalty.

To install the intermediate certificate follow the steps given below:

  • Choose Start and select Run.
  • In the Run field type mmc. This starts the Microsoft Management Console (MMC).
  • From the Management Console, select File and then select Add/Remove Snap In.
  • In the Add/Remove Snap-In window, click the Add button.
  • In the Add Standalone Snap-in window, select Certificates
  • Click the Add button.
  • Choose Computer Account and click Next.
  • Make sure the Local computer option is selected and click Finish.
  • Close the Add Standalone Snap-in window.
  • Click the OK button in the Add/Remove Snap-in dialog to return to the MMC window.
  • Expand the Certificates option (click the + icon) until you see Intermediate Certification Authorities.
  • Right-click on Intermediate Certification Authorities and, from the shortcut menu, choose All Tasks and then select Import. This starts the SSL certificate import wizard.
  • Click the Browse button and locate the intermediate certificate file that you downloaded from the certificate provider.
  • Click Next.
  • Choose Place all certificates in the following store, making sure that Intermediate Certification Authorities is the selected store.
  • Click Next.
  • Click Finish. If everything goes as planned, Windows will indicate that the import was successful. To see if the intermediate certificate solved the "not verified" problem the administrator encountered previously, go back to the IIS Manager and click the View Certificate button again. Now it should give the full certification chain.

Once complete, browse to Web TimeSheet using https. The administrator would get a lock icon, the details for the certificate would match, and it would be on 2048 bit encryption, as shown in the figure below.