Changing IIS web server certificates without any downtime

Posted by p_lider August 23rd, 2010

Once, at work, I was asked to replace unsigned certificates with signed ones for our Exchange email servers, so that people using OWA would no longer see a “Certificate error” message. I did a little searching and found cheap certificates on the web. So I started to look for a way to make a certificate request and replace the current certificates with the new, signed ones. Unfortunately, I did not find any official way from Microsoft to do this on an IIS 6.0 server without causing downtime to the web servers. The problem was as follows:

If I choose (in IIS Manager) to create a new certificate request for the web site hosting the MS Exchange OWA application, then the web site will be inaccessible until the day I obtain the response from the CA, because IIS in its glory will discard the previously used certificate and wait until the current request is properly completed with the response from the CA. Such a long downtime was of course not acceptable. Fortunately, I found a way to work around this limitation:

  1. I created a new, blank web site using IIS Manager.
  2. Then I created a new certificate request for this blank web site. VERY IMPORTANT: while creating this request, I filled in the CN attribute with the address of the web site hosting the OWA application, NOT the address of the blank web site.
  3. I sent the request to the CA and waited for their response.
  4. Once I got the response, I completed the certificate request on the blank web site, which fully installed the certificate in the certificate store for IIS.
  5. At the end, I just went back to the right web site (the one hosting OWA) and replaced its current certificate with the one that had been installed for the blank web site.

That did the trick, and the web site did not suffer any downtime. Of course, this trick will work for any web site in IIS, not only the ones hosting the OWA application.
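Before doing step 5, it is worth confirming that the certificate completed on the blank web site is really the one you want on the live site. The PowerShell script below is an added example, not part of the original post: it looks in the local machine's personal certificate store for certificates whose CN equals the OWA address and reports whether each has a private key, was issued by a CA rather than self-signed, and is inside its validity period. The host name `owa.example.com` and the function name `Test-ReplacementCertificate` are placeholders chosen for this example, and the check assumes an exact CN match (no wildcard or SAN handling).

```powershell
# Added example: pre-swap check of the certificate installed via the blank web site.
# $OwaHostName is a placeholder; set it to the address users type to reach OWA.
param([string]$OwaHostName = 'owa.example.com')

# Hypothetical helper: returns one report object per certificate.
function Test-ReplacementCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$ExpectedName,
        [datetime]$Now = (Get-Date)
    )
    # SimpleName yields the subject's CN when the subject has one.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cn = $Certificate.GetNameInfo($nameType, $false)
    $problems = @()
    if ($cn -ne $ExpectedName) {
        $problems += "CN '$cn' does not match '$ExpectedName'"
    }
    if (-not $Certificate.HasPrivateKey) {
        $problems += 'no private key (request was not completed on this server)'
    }
    if ($Certificate.Subject -eq $Certificate.Issuer) {
        $problems += 'self-signed, not issued by a CA'
    }
    if ($Now -lt $Certificate.NotBefore -or $Now -gt $Certificate.NotAfter) {
        $problems += 'outside its validity period'
    }
    New-Object PSObject -Property @{
        CommonName = $cn
        Thumbprint = $Certificate.Thumbprint
        Issuer     = $Certificate.Issuer
        NotAfter   = $Certificate.NotAfter
        Problems   = ($problems -join '; ')
    }
}

# IIS picks server certificates from the local machine's Personal store.
$reports = @(Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-ReplacementCertificate -Certificate $_ -ExpectedName $OwaHostName } |
    Where-Object { $_.CommonName -eq $OwaHostName })

$reports | Format-List CommonName, Thumbprint, Issuer, NotAfter, Problems

if (-not ($reports | Where-Object { -not $_.Problems })) {
    Write-Warning "No certificate for $OwaHostName is ready to assign to the live site."
}
```

The old certificate for the OWA site will normally appear in the output as well, so compare thumbprints and expiry dates to pick the new one when assigning it in IIS Manager.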

One Response

  1. Leo says:

    Works perfectly!

    Thank you!