I currently have a wildcard SSL certificate running on IIS 6 that needs to be renewed. The new certificate bit-strength is now 2048 (the current one that needs to be renewed is 1024). Is there any easy way to get a certificate request file that is 2048 bit when renewing from a 1024?

I don't see the option to change bit strength for renewing an SSL certificate (I only see this when creating a totally new one from scratch).

+2  A: 

I recently had to do this very same thing, and the way I did it was to remove the current certificate completely, then add a new certificate fresh. Otherwise, I could not figure out how to update the CSR from 1024 to 2048, which is now a requirement.

So, to answer your question, remove the current certificate first (this might be tricky if it's a busy online store), then go through the wizard and switch the CSR from 1024 to 2048.

Not the best answer, I know, but the only one I could seem to find right off (and the easiest).

calweb
A: 

Be warned about trying to get clever with this one. I just got myself in a big mess trying to do exactly this same thing without any downtime.

What I did was:

  • Created another website and generated a cert request for that. Made sure to put in the correct common name when generating the request.

  • I downloaded the certificate that was generated and installed it in my 'Personal' certificates for the Local Computer account (after adding certificate snap in).

  • Did 'replace' on the main website for the certificate and chose the new updated one.

I ended up getting this error (as reported by Chrome) when accessing the https site.

(net::ERR_SSL_PROTOCOL_ERROR): Unknown error

After playing around and switching back to the original certificate I ended up just removing it and re-keying the certificate. It only led to 1-2 minutes of downtime.

I do think that if you do what I was attempting in the correct order you'd be fine. I think you need to export the .pfx file and then import that. I think what's happening is the original server didn't have the correct private key or something like that and was getting confused.

So I'm upvoting calweb :-)

Simon_Weaver
A: 

Here's a Microsoft KB article explaining how to do it. Seems similar to what Simon tried:

http://support.microsoft.com/kb/295281

Sam
A: 

Renewing an existing SSL certificate and purchasing a new one are the same, because certificate authorities (CAs) require you to submit a CSR key and the organization information.

On Microsoft IIS 6 / 7 hosting servers, Windows lets you generate the renewal CSR key without having to remember the CSR values. Now, if you try generating a RENEWAL CSR, the system will fetch the key values from the existing certificate or the IIS cache. As you said, you used a 1024 bit encryption value earlier, so your server will generate the renewal CSR with the same value. Now your concern is generating a CSR with 2048 bit certificates. Well, your only option is removing the current SSL certificate and generating a new CSR key with 2048 bit.

Nowadays many SSL providers support both 1024 bit and 2048 bit CSR keys. RapidSSL wildcard certificates support 1024 bit CSR keys, and GeoTrust and Thawte wildcard certificates support 1024 bit as well as 2048 bit CSR keys. You may review all these products at clickssl.com. You may ask click ssl online support for detailed information on wildcard SSL certificates before you choose any of them.

Eric
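Added example, not part of any answer on this page and not the posters' own procedure: a new 2048-bit request can also be generated outside the IIS renewal wizard with certreq.exe, which creates a fresh key pair in the machine store and leaves the certificate currently bound to the site untouched. The subject, the file names, and PowerShell being available on the server are assumptions.

```powershell
# Added example. Subject and file names are placeholders (assumptions).
$inf = "wildcard-2048.inf"
$csr = "wildcard-2048.csr"

# Request template for certreq. KeyLength is the value the IIS renewal
# wizard copies from the old certificate and does not let you change.
# The single-quoted here-string keeps "$Windows NT$" literal.
@'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=*.example.com, O=Example Org, L=City, S=State, C=US"
KeyLength = 2048
KeySpec = 1
; Exportable = TRUE allows a later .pfx export (for example to other
; servers sharing the wildcard). Set FALSE if the key never leaves this host.
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
'@ | Set-Content -Encoding ASCII $inf

# Generate the key pair and the PKCS#10 request. The private key stays
# on this machine as a pending request.
certreq -new $inf $csr
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed" }

# Check the key size in the request before sending it to the CA.
$keyLine = certutil -dump $csr | Select-String 'Public Key Length'
$keyLine
if ("$keyLine" -notmatch '2048') {
    throw "CSR does not report a 2048-bit key; do not submit it"
}

# After the CA returns the signed certificate (file name is a placeholder),
# run this on the same machine so it pairs with the pending private key:
#   certreq -accept wildcard-2048.cer
# The certificate then appears in the Local Computer 'Personal' store and
# can be assigned to the site in IIS.
```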
A: 

Before following Eric's answer, check http://www.hostgatorcouponcodex.com/blog/cheapssls-are-they-good/

SSLCertificates