Renew an SSL certificate on Windows server
How to renew an SSL certificate on Windows server. Generate a certificate signing request (CSR), get a Wildcard SSL certificate, verify domain ownership and import the certificate on Windows.
1. Generate a CSR for certificate renewal on Windows
A certificate signing request (CSR) can be created on any Windows computer, but the certificate has to be imported on the same machine that was used to create the CSR, because the private key is generated on that machine and stays there. You should use a server that everyone who needs to manage the certificate can access rather than your own personal laptop.
In this example, we are going to use a Windows server to generate the CSR using the DigiCert Certificate Utility.
Download the DigiCert Certificate Utility and extract it to C:\Certificates
https://www.digicert.com/support/tools/certificate-utility-for-windows
Run DigiCertUtil.exe
Click I Accept
Create CSR
Enter the SSL certificate details
Certificate Type: SSL
Common Name: *.yourdomain.com
Subject Alternative Names: yourdomain.com
Organization: Your Organization
City: Your City
Country: Your Country
Key Size: 2048
Click Generate
Save to File
Save the CSR to a folder e.g. C:\Certificates\YourDomain2023\_your_domain_com.txt
Click OK and close the DigiCert Certificate Utility
2. Get Wildcard SSL certificate from Alpha SSL
In this example, we are getting a wildcard SSL certificate from Alpha SSL. The steps will be similar for other SSL certificate providers.
https://www.alphassl.com/ssl-certificates/wildcard-ssl
Click Buy Now
Select your region then Buy your certificate
SSL Certificate Type: Wildcard SSL Certificate
Click Continue
Enter your Organization details
Copy and paste the CSR
You can ignore the warning about the use of the * character
Click continue
Check the certificate contents then click Continue
To get an SSL certificate, you will need to verify your domain using either email, HTTP or DNS.
In this example, we are using DNS verification.
Click Use DNS verification
Select payment method, then enter your credit card details and email address
Agree to the subscriber agreement and click Complete
3. Verify domain ownership
To complete the SSL certificate purchase, you will need to verify your domain by adding the DNS TXT record
This example is for adding a DNS TXT record to Amazon Route 53
Record type: TXT
Value: Paste the DNS TXT record from Alpha SSL
TTL: 1 min or 1 hour
Create records
Use nslookup to check DNS TXT records
Wait for the DNS changes to propagate. This could take up to an hour depending on your DNS provider.
You can use nslookup to check whether the GlobalSign TXT record has updated
nslookup -q=txt yourdomain.com 8.8.8.8
Click the link in the email to complete domain verification
Verify my Domain
4. Import Certificate on Windows
Alpha SSL will send another email when the SSL certificate has been issued.
Copy the SSL certificate from the email into Notepad
Save the certificate as a .cer file on the server where you generated the CSR
e.g. C:\Certificates\YourDomain2023\yourdomain.com.cer
Open the DigiCert Certificate Utility
Import
Browse for the .cer certificate file
Enter a friendly name for the SSL certificate
e.g. *.yourdomain.com
Click OK
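After the import, you can confirm from PowerShell that the certificate is paired with the private key created with the CSR. This is an added example, not part of the original guide; it assumes the example .cer path above, the names requested in step 1, and that the import placed the certificate in the Local Machine Personal store.

```powershell
# Added example. Assumptions: the .cer path below (the guide's example path)
# and that the import placed the certificate in Cert:\LocalMachine\My.
$cerPath  = 'C:\Certificates\YourDomain2023\yourdomain.com.cer'
$expected = '*.yourdomain.com', 'yourdomain.com'   # names requested in the CSR

# Read the issued certificate from the file to get its thumbprint.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath

# Find the same certificate in the machine's Personal store.
$installed = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $issued.Thumbprint } |
    Select-Object -First 1
if (-not $installed) {
    throw "Certificate $($issued.Thumbprint) was not found in Cert:\LocalMachine\My"
}

# HasPrivateKey is False when the certificate was imported on a machine other
# than the one that generated the CSR; such a certificate cannot serve TLS.
if (-not $installed.HasPrivateKey) {
    throw 'Certificate is installed but is not paired with a private key'
}

# Every name requested in the CSR should appear in the Subject Alternative Names.
$names   = @($installed.DnsNameList | ForEach-Object { $_.Unicode })
$missing = @($expected | Where-Object { $names -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning "Names missing from the certificate: $($missing -join ', ')"
}

# Report key size and remaining validity so the next renewal can be scheduled.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($installed)
[pscustomobject]@{
    Subject       = $installed.Subject
    Thumbprint    = $installed.Thumbprint
    HasPrivateKey = $installed.HasPrivateKey
    KeySizeBits   = $rsa.KeySize
    NotAfter      = $installed.NotAfter
    DaysLeft      = [int]($installed.NotAfter - (Get-Date)).TotalDays
}
```

If HasPrivateKey is reported as False, import the .cer file on the server where the CSR was generated before exporting a PFX.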
Export certificate as PFX file with private key on Windows
https://techlabs.blog/categories/guides/export-certificate-as-pfx-file-with-private-key-on-windows