IIS 7 SSL Administration

Introduction

A Certificate Signing Request is required when ordering an SSL-certificate, this is generated from a private key.

If you generate the CSr yourself, follow Installation from CSR.

If you haven't generated the CSR yourself, e.g. you have used our CSR-service or have exported the certificate from a different server, then follow Installation from .PFX fil.

Installation from CSR

Installation of SSL certificate from a CSR generate on the server.

1. Generating a CSR directly on the server the certificate is to be installed on.
2. Installation of certificate ordered via CSR on the server the CSR is generated on.
3. Binding certificate to website to configure the website to use the new certificate.

Installation from .PFX fil

Installation of SSL certificate from a .PFX file, e.g. received via our CSR-service.

1. Installation of certificate from .PFX file from CSR-service or export from a different server.
2. Binding certificate to website to configure the website to use the new certificate.

Export of certificate to .PFX file

Export of an already installed certificate to a .PFX file, e.g. as backup if a server needs to be rolled back.

1. Export of certificate to .PFX backup e.g. for installation on a different server.

Generating a CSR

1. Log in to the server with an administrator account.

2. Press windowskey + r

Type inetmgr

Click OK.

3. Select the server where you want to create the CSR under Connections on the left.

Double click Server Certificates in the middle sections.

4. Click Create Certificate Request under Actions on the right.

5. Complete the certificate information:

• Common Name (CN): The primary full internet domain name. e.g.: www.fairssl.dk
• Organization Name (O): The full organisation name, exactly as presented in CVR. e.g.: FairSSL A/S
• Organizational Unit (OU): The department that is to use the certificate. May not be possible to conflate with another organisation. We recommend leaving it blank or using the organisation name. e.g.: FairSSL A/S
• Locality (L): City name. e.g.: Ørum Djurs
• State (S): State or municipality, in Denmark the municipality is used. e.g.: Norddjurs
• Country (C): ISO-standard two-letter country code, must be capital letters. e.g.: DK

Click Next.

6. Select the following:

• Cryptographic service provider: Microsoft RSA SChannel Cryptographic Provider
• Bit Length: 2048

Click Next.

7. Type in a path and a file name to save the CSR file.

Click Finish.

8. Open the CSR file with a text editor (e.g. notepad) and copy the entire text, incl. all the dashes at the beginning and end.

During the certificate ordering process you paste the text into the CSR field.

The following is an example of a complete CSR text:

A CSR does not contain any confidential information, and there is no security risk by sending it through an unencrypted mail or similar.

Installation of certificate ordered via CSR

We recommend that you start by installing the intermediate certificate.

You have received this along with your server certificate.

Installation of intermediate certificate

1. Log in to the server with an administrator account.

2. Copy the intermediate certificate text from the email with your new certificate into a simple text editor (like Notepad).

Save the file on your desktop with as intermediate.cer

3. Press windowskey + r

Type in mmc

Click OK.

4. Click File and then Add/Remove snap-in.

5. Select Certificates.

Click Add.

Click OK.

6. Select Computer account.

Click Next.

7. Select Local computer.

Click Finish.

Click OK.

8. Expand Certificates (Local Computer) and Intermediate Certificate Authorities.

Right click Certificates.

Select All Tasks.

Click Import.

9. Click Browse and select the file you saved on the desktop.

Click Next.

10. Select Automatically select the certificate store based on the type of certificate.

Click Next.

Click Finish.

Here you can find the intermediate certificates from different Certificate Authorities.

We recommend that you use the intermediate certificate you got with your server certificate, and only download from here in case you lose it, as the one you get in the mail will always be the correct one for your server certificate.

Intermediate certificates

Installation of server certificate

1. Login to the server with an administrator account.

2. Open a test editor like notepad.

Copy the server certificate text from the email (remember all the dashes before and after).

Save the file as www.fairssl.dk.cer

3. Press windowskey + r

Type inetmgr

Click OK.

4. Under Connections i venstre side klik på den server hvorpå du har lavet din CSR.

I det midten dobbeltklik på Server Certificates.

5. Click Complete Certificate Request under Action on the right

6. Click the three dots and locate the certificate file, then click Open.

Enter the following information:

• Friendly name: Here you can create a friendly name or description that makes it easier to identify the certificate. This can be changed later on, and it not an integral part of the certificate.

Click OK to install the certificate on the server.

The certificate is now installed, but you still need to bind it to the correct website in the IIS manager.

Installation of certificate from .PFX file

1. Log in to the server with an administrator account.

Save the .PFX file somewhere where it's easy to locate like the desktop.

2. Press windowskey + r

Type in mmc

Click OK.

3. Click File and then Add/Remove snap-in.

4. Select Certificates.

Click Add.

Click OK.

5. Select Computer account.

Click Next.

6. Select Local computer.

Click Finish.

Click OK.

7. Expand the folders until Personal appears.

Right click Personal.

Select All Tasks.

Click Import.

8. Click Browse and find where you saved the .PFX file.

9. Change the format to Personal Information Exchange (*..PFX;*.p12) in the lower right corner, and select the correct file.

Click Open.

Click Next.

10. If the file is protected with a password (standard), you need to type this in here.

If you used CSR-service you have received the password in an SMS.

Click Next.

11. Select Automatically select the certificate store based on the type of certificate.

Click Next.

Click Finish.

Binding certificate to website

1. Log in to the server with an administrator account.

2. Press windowskey + r

Type inetmgr

Click OK.

3. In the IIS Manager, select the server where the certificate is installed under Connections on the left.

Expand the folders and select the website that is to use the certificate.

Click Bindings under Actions on the right.

4. Click Add.

If there is already an https binding, select that and click Edit instead.

5. Fill in the following information:

• Type: Select https
• IP address: Select All Unassigned (default) or the server's IP address
• Port: Type in the port number for the service (typically 443 for https)
• SSL certificate: Select the certificate you just installed, if you have multiple similar certificates, you can click View to verify it's the correct certificate

Click OK.

Click Close.

The website is now configured to accept secure connections over HTTPS.

We recommend that you test the installation with our server tester on https://www.fairssl.net/en/ssltest/

Export of certificate to .PFX backup

1. Log in to the server with an administrator account.

2. Press windowskey + r

Type in mmc

Click OK.

3. Click File and then Add/Remove snap-in.

4. Select Certificates.

Click Add.

5. Select Computer account.

Click Next.

6. Select Local computer.

Click Finish.

Click OK.

7. Expand the folders until Certificates becomes visible under Personal then click it.

Right click the certificate you want to export.

Select All Tasks.

Click Export.

8. Select Yes, export the private key.

Click Next.

9. Select Personal Information Exchage - PKCS #12 (.PFX).

Click Next.

10. Check Password: and type in a password to protect the .PFX file with (remember to store the password in a secure location).

Click Next.

11. Select a place to save the .PFX file and give it a name so you can remember what it is for.

Click Next.

Click Finish.