Hi,
That's not what I'm saying. What I'm saying is:

a) If you delete the Pending Request (from either Certificates MMC or using the IIS Wizard), then you lose the private key, and you can't import the certificate you get from Verisign and have it work. Instead, you'll only have the public key (in the cert), which isn't enough for IIS to be able to use the cert.

b) You can use the old (expired) certificate on the website, whilst generating a new Cert Request. When the cert comes from Verisign, import it using the IIS Wizard, and switch over to using the new cert. There is no need to "down" the website, whilst this is all happening.

The alternative is to generate the cert request, and import, using the Certificates MMC only. After you have imported the new cert, then tell IIS to use the new cert.

Provided that your users are able to get past the fact that the old certificate has expired, you can continue using it whilst the renewal is being handled.

Cheers
Ken

From: Graeme Carstairs [mailto:loonyto...@gmail.com]
Sent: Saturday, 30 June 2012 5:59 PM
To: NT System Admin Issues
Subject: Re: Weird SSL issues on existing IIS6 WSS 3 site

Thanks Ken, so as long as I use the cert manager rather than IIS we should be golden.

I'll get on it Monday AM

Graeme

On Saturday, 30 June 2012, ken schaefer wrote:

Hi,

The old, working cert already has a private key in the cert store. You can keep using that whilst you generate a new cert request, and submit it. When you get your new cert back, import it into the cert store, and then switch over to using it.

You can see what's happening by using the certificates MMC, alongside the IIS Wizard. All the IIS wizard does is manipulate the Windows cert store. If you cancel the request in IIS, it deletes the entry under Pending Requests in the Certificates MMC, and you lose the private key.
Sent from my Windows Phone
_____

From: Graeme Carstairs
Sent: 30/6/2012 3:13 PM
To: NT System Admin Issues
Subject: Re: Weird SSL issues on existing IIS6 WSS 3 site

Hi Ken,

I replied that the SSL Diagnostic showed that the Verisign certs had no private key, as did the internal corp CA issued one, and that I believed this was because we were breaking the CCR request due to trying to keep the site running by generating the CCR and then reapplying the old cert.

Next step is to arrange a time with corporate to take the cert off, generate CCR and leave the site down until I can get the new cert and finish the request process.

Graeme

On Saturday, 30 June 2012, Ken Schaefer wrote:

"We tried the SSL Diagnositcs (sic)"

And the result was?

when you use IIS to generate a CCR, if you cancel the request on the IIS server after the CCR has been sent to the registrar so you can install a certificate just to get the site back working, does that invalidate the CCR generated certs?

If you do this, you lose the matching private key - your newly received certificate will not work

FYI the internal CA ones can't validate the DNS domain that the site is accessed on.

This doesn't even make sense. Can you think of a different way of explaining this? Or posting the actual configuration you are using and error(s) that you are seeing?

As requested before, did you look in the Windows Event Logs and the httperr.log files?

Cheers
Ken

From: Graeme Carstairs [mailto:loonyto...@gmail.com]
Sent: Saturday, 30 June 2012 5:28 AM
To: NT System Admin Issues
Subject: Re: Weird SSL issues on existing IIS6 WSS 3 site

Hi

We tried the SSL Diagnositcs.
The Verisign ones have no private key, so I have passed back to corporate to resolve this issue, along with a new CCR.

I have a question: when you use IIS to generate a CCR, if you cancel the request on the IIS server after the CCR has been sent to the registrar so you can install a certificate just to get the site back working, does that invalidate the CCR generated certs?

FYI the internal CA ones can't validate the DNS domain that the site is accessed on.

Thanks guys, hopefully the Cert guy at corporate can resolve this.

graeme

On 29 June 2012 15:07, Brian Hintz <bhi...@gmail.com> wrote:

Check

--
Good news everyone, you have just received an e-mail from me!
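
A way to check the point made in this thread before importing a returned certificate, added here as an example and not part of the original messages: it looks for the pending request (and so the private key) that matches the issued certificate. The certificate path and the function name Find-SameKey are assumptions, and PowerShell must be installed on the server.

```powershell
# Added example, not from the thread. Run on the IIS server before importing
# the certificate returned by the CA.
# Assumption: the issued certificate was saved to this hypothetical path.
param([string]$IssuedCertPath = 'C:\certs\newcert.cer')

$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $IssuedCertPath
$issuedKey = $issued.GetPublicKeyString()

# Returns the entries of a LocalMachine store whose public key equals the
# public key of the issued certificate.
function Find-SameKey([string]$StoreName) {
    Get-ChildItem "Cert:\LocalMachine\$StoreName" |
        Where-Object { $_.GetPublicKeyString() -eq $issuedKey }
}

# REQUEST is the store shown as "Certificate Enrollment Requests" in the
# Certificates MMC; a pending request lives there together with its private key.
$pending = @(Find-SameKey 'REQUEST')
# My is the "Personal" store that IIS picks its server certificate from.
$installed = @(Find-SameKey 'My' | Where-Object { $_.HasPrivateKey })

if ($pending.Count -gt 0) {
    "Pending request found for $($issued.Subject): the private key is still here, import can complete."
} elseif ($installed.Count -gt 0) {
    "A certificate with this key and a private key is already installed: $($installed[0].Thumbprint)"
} else {
    "No pending request or private key matches $($issued.Subject). Importing gives a public-key-only certificate IIS cannot use."
}

# Overview of what is installed; IIS needs HasPrivateKey = True.
Get-ChildItem Cert:\LocalMachine\My |
    Select-Object Subject, NotAfter, Thumbprint, HasPrivateKey |
    Format-Table -AutoSize
```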