SSL – process for replacing an old SSL certificate on IIS 6

Tomorrow the SSL certificate for my web site will expire. I was wondering whether I should replace the old certificate with the new one now, or wait for the old one to expire? I don't want visitors to visit my web site and see the security warning, but I also want to fully utilize the older certificate. What process should I adopt to change my SSL certificate so that both concerns can be managed? Kindly advise.

I have a .pfx file with a password.


Best Answer

I would recommend replacing it before its expiry. A certificate will usually expire on the morning of the expiry date, e.g. a certificate expiring on 3rd September 2013 will usually no longer be valid from midnight 2nd September 2013 (local server time.)

I'd also recommend looking at the peak usage of your web site to find the best time to replace the certificate (you may have a very brief outage while replacing it.) Ideally you should replace it at a time of least impact to your user population.

Process for installing certificate and binding to IIS6 Web Site

Installing the certificate (using the .PFX file)

Note that I use a more manual process in the following guide, as some of the sites I support have complex set-ups.

  • Launch IIS Manager

  • Expand the server name (local computer)

  • Expand the Web Sites option

  • Look for your site - this will either be under Default Web Site or a web site that you have named

  • Right Click on your site and select Properties

  • Under the Web Site tab, verify the Web Site identification and that it has the TCP port and SSL port options enabled (double-checking that you are on the correct site)

I note the IPs, web site URL and the SSL port, and test using the server's local browser, and verify the certificate being presented including its validity date. I repeat this process at the end of the change to confirm the web server is presenting the correct certificate.

  • Close the properties dialog box.

  • From the Start menu select the Run command and type mmc

  • Click OK

  • From the MMC applet select the Console menu and click on Add/Remove Snap-in

  • Click on the Add button

  • Select the Certificates option

  • Click on the Add button

  • Select the Computer Account option and click Next

  • Accept the default of Local computer and click on the Finish button.

  • Click on the Close button

  • Click on the OK button

  • Expand the Certificates option

  • Expand the Personal certificate store

  • Click in the Certificates folder and it will show the installed certificates in the personal store. Your existing certificate should be listed here as well as its Issuing Authority and the Expiration date.

You can double click on the existing certificate if you want to display its details and certification path.

We now are going to install the new certificate.

  • Right click on the Certificates folder in the Personal store.

  • Select All Tasks

  • Select Import

The Certificate Import wizard will now start.

  • Click Next

  • We now want to select the certificate that has been provided. Click the Browse button to display a dialog that will allow us to navigate to the location of the files.

  • Select Files of type Personal Information Exchange (*.pfx, *.p12) and browse to the drive and folder containing the certificate files.

You should see the certificate to install.

  • Click on it and select Open

  • The path to the file will be shown in the browse dialog. Click Next

If the certificate has a password (which all server certificates almost certainly will), type in or paste the password. Make sure that the "Mark this key as exportable" option does NOT have a tick against it - you don't want anyone who has direct access to be able to export your certificate and be able to impersonate your site. Click Next.

  • Accept the default of Personal store and click Next.

  • Click on Finish and the file will be imported.

You will get a message stating if the import was successful.

In the Personal certificate store you will see the new certificate installed with its expiry date. You will also see the old certificate present in the store as noted earlier.

I usually double click on the new certificate and confirm that it reports that the certificate is valid just to make sure.

  • Launch or switch to Internet Information Services (IIS) Manager

  • Select the properties of the web site for which you are replacing the certificate (Right Click on the web site and select Properties)

  • Select the Directory Security tab

  • Under the Secure Communications section, click on Server Certificate

The IIS certificate wizard will appear giving various options.

  • Select the Replace the current certificate option

  • Click Next

A dialog will display the list of available certificates that can be associated to a web site. In this case we select the newly installed certificate with its new expiry date.

  • Highlight the file and click Next

  • The certificate details are displayed. Double check that this is the certificate you want to associate to the web site and then click Next.

The IIS Certificate Wizard will then report if it has successfully completed the replacement of the certificate on the web site.

Technical Post Implementation Validation (PIV)

  • Local server test (assuming you don't have the browser disabled)

  • Launch your browser on the server and enter the secure connection, IP address and port number (e.g. https://mywebsiteaddress:443)

  • Check that you can connect to the SSL port for the site.

You may see a certificate error if you are connecting via the IP address or the address you are entering doesn’t match the certificate details. Continue to the site and then display the certificate details to confirm that the certificate being presented by IIS has the new expiry date.

  • Check from a normal device that your users would use to access the web site and confirm that the correct certificate is being presented to your browser.
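As an added example (not part of the original answer), the local-server and client checks above can be scripted in PowerShell: it lists what is in the Local Computer Personal store, connects to the SSL port and reports which certificate IIS actually presents, and compares the two by thumbprint. The host name mywebsiteaddress is the placeholder from the answer; PowerShell 2.0 or later with .NET on the IIS 6 host (or on an admin workstation that can reach the port) is assumed.

```powershell
# Added example, not from the original answer. Assumes PowerShell 2.0+ with .NET
# on the IIS server or on an admin workstation that can reach the SSL port.
param(
    [string]$HostName = 'mywebsiteaddress',   # placeholder host from the answer
    [int]$Port = 443
)

# 1. Local Computer \ Personal store: the same store the MMC steps import into.
#    Old and new certificate should both be visible here until the clean-up step.
Get-ChildItem Cert:\LocalMachine\My |
    Select-Object Subject, Thumbprint, NotBefore, NotAfter |
    Format-Table -AutoSize

# 2. Open a TLS connection and capture the certificate IIS presents.
function Get-PresentedCertificate {
    param([string]$TargetHost, [int]$TargetPort)
    $client = New-Object System.Net.Sockets.TcpClient($TargetHost, $TargetPort)
    # Accept whatever chain comes back: we only want to inspect what is served,
    # not fail on a name mismatch when testing by IP address.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $sslPolicyErrors) $true
    }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($TargetHost)
        # Wrap as X509Certificate2 to get NotBefore/NotAfter as DateTime values
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

$served = Get-PresentedCertificate -TargetHost $HostName -TargetPort $Port
"Presented: {0}  thumbprint {1}  valid {2:d} to {3:d}" -f $served.Subject, $served.Thumbprint, $served.NotBefore, $served.NotAfter

# 3. Does the served certificate match a store entry, and is it the new one?
$match = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $served.Thumbprint }
if (-not $match) { Write-Warning "Presented certificate is not in LocalMachine\My on this host" }

$daysLeft = [int]($served.NotAfter - (Get-Date)).TotalDays
if ($daysLeft -lt 30) {
    Write-Warning "Presented certificate expires in $daysLeft days - the old certificate may still be bound"
} else {
    "Presented certificate is valid for another $daysLeft days"
}
```

Run it once before the change to record the old thumbprint and once after, from the server and from a client machine, so the "is it the new certificate" question is answered by thumbprint rather than by eye.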

Clean Up

Once you have confirmed your certificate is renewed and working at the local server and remote client level, close the IIS Manager applet.

In the Certificate MMC select the old certificate (double check it's the right one first!!) and delete it. This ensures that the old certificate will not be accidentally bound to the web site some time in the future.

It is also a recommended practice, if you need to bind the certificate to a specific service account for your web site, to delete the old one before binding to a service account. I haven't mentioned this as your question did not indicate that you had an app using a service account in conjunction with the web site.

Close the Certificate MMC and don't save it (unless you want to use it in the future.)