Changing intermediate chain SSL certificate in IIS on Windows Server

Changing the intermediate SSL certificate of a site in IIS without reboot

Recently had to change the intermediate chain SSL certificate on a lot of sites due to the intermediate being revoked since it was not issued correctly (wrong serial number entropy). Just adding the new intermediate SSL certificate to Certificate store in Windows and removing the old one, nor an iisreset, did actually implement the change. This is the easy way I ended up changing it, without doing a reboot of the server.

As can be seen I've setup a lab server running IIS with a site that has an Let's Encrypt certificate. Just for this example, We'll switch out the Let's Encrypt Authority X3 intermediate certificate signed by DST Root CA X3, with the new Let's Encrypt Authority X3 intermediate certificate signed by ISRG Root X1. post27-image01

First we're adding the new intermediate SSL certificate to the Windows Certificate store.

post27-image02

post27-image03

post27-image04

After just adding the new certificate, and removing the old, the IIS site still presents the same old intermediate.

post27-image05

Even after an “iisreset” it still sticks to the old.

post27-image06

post27-image07

Now to acutally do the change, enter IIS Manager, and go to the site.

post27-image08

Open “Bindings”, and click “Edit” on the port with SSL.

post27-image09

Now in the select box called “SSL certificate”, re-choose the same SSL certificate as preiously.

post27-image10

Then just press OK, and close the windows. The intermediate chain of the SSL certificate has now changed to the new.

post27-image11


comments powered by Disqus