IIS 8.0, 8.5 & 10.0 SSL Administration
Introduction
When ordering an SSL certificate, a Certificate Signing Request (CSR) is required; it is generated from a private key.
If you create the CSR yourself, follow Installation from CSR.
If you do not create the CSR yourself, e.g. if you are using CSR-service or have exported the certificate from a different server, then follow Installation from .PFX file.
Installation from CSR
Installation of SSL certificate from a CSR generated on the server.
- Generating CSR directly on the server where the certificate is to be installed.
- Installation of certificate ordered via CSR on the server where the CSR has been generated.
- Binding of certificate to default website to configure the website to use the new certificate.
- Binding of certificate to extra websites: follow this to use multiple websites with Server Name Indication (SNI).
Installation from .PFX file
Installation of SSL certificate from a .PFX file e.g. received via CSR-service.
- Installation of certificate via import of .PFX file from CSR-service or an export from another server.
- Binding of certificate to default website to configure the website to use the new certificate.
- Binding of certificate to extra websites: follow this to use multiple websites with Server Name Indication (SNI).
Export of certificate to .PFX file
Export an installed SSL certificate to a .PFX file, e.g. as a backup in case a server needs to be rolled back.
- Export of certificate to .PFX backup e.g. for installation on another server.
Generating CSR
- Log in to the server with an administrator account.
- Press Windows key + R
Type inetmgr
Click OK.
- Select the server where you want to create the CSR under Connections on the left.
Double click Server Certificates in the middle section.
- Click Create Certificate Request under Actions on the right.
- Complete the certificate information:
- Common Name (CN): The primary full internet domain name. e.g.: www.fairssl.dk
- Organization Name (O): The full organisation name, exactly as presented in CVR. e.g.: FairSSL A/S
- Organizational Unit (OU): The department that is to use the certificate. It must not be possible to confuse it with another organisation. We recommend leaving it blank or using the organisation name. e.g.: FairSSL A/S
- Locality (L): City name. e.g.: Ørum Djurs
- State (S): State or municipality, in Denmark the municipality is used. e.g.: Norddjurs
- Country (C): ISO-standard two-letter country code, must be capital letters. e.g.: DK
Click Next.
- Select the following:
- Cryptographic service provider: Microsoft RSA SChannel Cryptographic Provider
- Bit Length: 2048
Click Next.
- Type in a path and a file name to save the CSR file.
Click Finish.
- Open the CSR file with a text editor (e.g. notepad) and copy the entire text, incl. all the dashes at the beginning and end.
During the certificate ordering process you paste the text into the CSR field.
The following is an example of a complete CSR text:
A CSR does not contain any confidential information, and there is no security risk in sending it by unencrypted e-mail or similar.
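The wizard steps above can also be scripted with certreq. This is an added example, not part of the original guide. The subject values and file paths are constructed placeholders. It then decodes the request so the subject and key length can be checked before the CSR is pasted into an order form.

```powershell
# Added example, not FairSSL's own script. Run in an elevated PowerShell session.
# Subject values and paths are constructed placeholders; replace them with your own.
$subject = 'CN=www.example.com, O=Example A/S, L=Example City, S=Example Municipality, C=DK'
$workDir = Join-Path $env:TEMP 'csr-example'      # hypothetical working folder
$infPath = Join-Path $workDir 'request.inf'
$csrPath = Join-Path $workDir 'request.csr'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
Remove-Item -Path $csrPath -ErrorAction SilentlyContinue

# Request policy mirroring the wizard choices: SChannel provider, 2048-bit RSA key.
# Exportable = TRUE keeps a later .PFX backup of the private key possible.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "__SUBJECT__"
KeyLength = 2048
KeySpec = 1
MachineKeySet = TRUE
Exportable = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = sha256
'@.Replace('__SUBJECT__', $subject)
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# The private key is created in the local machine key store and stays there;
# only the CSR (public key plus subject) is written to disk.
certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Decode the request and show the fields worth checking before ordering.
$dump = certutil.exe -dump $csrPath
$dump | Select-String -Pattern 'CN=|Public Key Length|Signature matches'
if (-not ($dump -match 'Public Key Length: 2048 bits')) {
    Write-Warning 'Key length is not 2048 bits; do not submit this request.'
}
```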
Installation of certificate ordered via CSR
We recommend that you start by installing the intermediate certificate.
You have received this along with your server certificate.
Installation of intermediate certificate
The following describes how the intermediate certificate is imported into a Windows server.
Please note that Windows sometimes installs the intermediate certificate automatically, but there is no harm in installing it manually; you will just get a warning that it is already installed on the server.
- Log in to the server with an administrator account.
Copy the intermediate certificate text from the email with your new certificate into a simple text editor (like Notepad). Save the file on your desktop as intermediate.cer
- Press Windows key + R
Type in mmc.exe
Click OK.
- Click File and then Add/Remove snap-in.
- Select Certificates.
Click Add.
- Select Computer account.
Click Next.
- Select Local computer.
Click Finish.
Click OK.
- Expand Certificates (Local Computer) and Intermediate Certification Authorities.
Right click Certificates.
Select All Tasks.
Click Import.
- Click Browse and select the file you saved on the desktop.
Click Next.
- Select Automatically select the certificate store based on the type of certificate.
Click Next.
Click Finish.
Here you can find the intermediate certificates from different Certificate Authorities.
We recommend that you use the intermediate certificate you got with your server certificate, and only download from here in case you lose it, as the one you get in the mail will always be the correct one for your server certificate.
Installation of server certificate
- Log in to the server with an administrator account.
- Press Windows key + R
Type in inetmgr
Click OK.
- Select the server where you created the CSR under Connections on the left.
Double click on Server Certificates in the middle section.
- Click Complete Certificate Request under Actions on the right.
- Click the three dots and locate the certificate file, then click Open.
Enter the following information:
- Friendly name: Here you can create a friendly name or description that makes it easier to identify the certificate. This can be changed later on, and it is not an integral part of the certificate.
- Select a certificate store for the new certificate: select Personal
Click OK to install the certificate on the server.
The certificate is now installed, but you still need to bind it to the correct website in the IIS manager.
Installation of certificate via import of .PFX file
- Log in to the server with an administrator account.
Save the .PFX file somewhere easy to locate, such as the desktop.
- Press Windows key + R
Type in mmc.exe
Click OK.
- Click File and then Add/Remove snap-in.
- Select Certificates.
Click Add.
- Select Computer account.
Click Next.
- Select Local computer.
Click Finish.
Click OK.
- Expand the folders until Personal appears.
Right click Personal.
Select All Tasks.
Click Import.
- Click Browse and find where you saved the .PFX file.
- Change the format to Personal Information Exchange (*.pfx;*.p12) in the lower right corner, and select the correct file.
Click Open.
Click Next.
- If the file is protected with a password (standard), you need to type this in here.
If you used CSR-service you have received the password in an SMS.
Click Next.
- Select Automatically select the certificate store based on the type of certificate.
Click Next.
Click Finish.
Binding of certificate to websites
If you have different certificates for different websites, you need to install all of them on the server.
Give each certificate a different Friendly name, so it is easy to see which website each certificate belongs to and to find them when you need them.
Binding of certificate to default website
- Log in to the server with an administrator account.
- Press Windows key + R
Type in inetmgr
Click OK.
- In the IIS Manager, select the server where the certificate is installed under Connections on the left.
Expand the folders and select the website that is to use the certificate.
Click Bindings under Actions on the right.
- Click Add.
If there is already an https binding, select that and click Edit instead.
- Fill in the following information:
- Type: Select https
- IP address: Select All Unassigned (default) or the server's IP address
- Port: Type in the port number for the service (typically 443 for https)
- Host name: Must be left blank on the default website. It is only possible to have one default website per IP/port combination; all other websites on the same IP/port will use Server Name Indication (SNI) and must have a host name
- Require Server Name Indication: Leave blank for the default website
- SSL certificate: Select the certificate you just installed. If you have multiple similar certificates, you can click View to verify it's the correct certificate
Click OK.
Click Close.
All the websites are now configured to accept secure connections over HTTPS.
We recommend that you test the installation with our server tester on https://www.fairssl.net/en/ssltest/
Binding of certificate to extra websites
- Log in to the server with an administrator account.
- Press Windows key + R
Type in inetmgr
Click OK.
- In the IIS Manager, select the server where the certificate is installed under Connections on the left.
Expand the folders and select the website that is to use the certificate.
Click Bindings under Actions on the right.
- Click Add.
If there is already an https binding, select that and click Edit instead.
- Fill in the following information:
- Type: Select https
- IP address: Select All Unassigned (default) or the server's IP address
- Port: Type in the port number for the service (typically 443 for https)
- Host name: The DNS name the binding is to react on
- Require Server Name Indication: Check this
- SSL certificate: Select the certificate you just installed. If you have multiple similar certificates, you can click View to verify it's the correct certificate
Click OK.
Click Close.
Repeat until all the websites have their bindings configured.
NOTE: If you have a website with multiple names, e.g. www.fairssl.dk and fairssl.dk, you need to create a binding for each name the website uses.
All the websites are now configured to accept secure connections over HTTPS.
We recommend that you test the installation with our server tester on https://www.fairssl.net/en/ssltest/
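The SNI binding steps above can be scripted for a site with several names. This is an added example, not part of the original guide. The site name, host names and thumbprint are placeholders. Each name is checked against the certificate before a binding is created, and existing bindings are left untouched.

```powershell
# Added example, not FairSSL's own script. Run in an elevated PowerShell session.
Import-Module WebAdministration

$siteName   = 'ExampleSite'                              # hypothetical IIS site name
$hostNames  = 'www.example.com', 'example.com'           # constructed host names
$thumbprint = '<THUMBPRINT-OF-INSTALLED-CERTIFICATE>'    # placeholder

# The certificate must be in the Personal store of the computer account
# and must have its private key, otherwise IIS cannot serve it.
$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key on this server.' }

foreach ($name in $hostNames) {
    # Test-Certificate builds the chain and checks that the name is covered,
    # so a missing intermediate or a wrong host name is caught before binding.
    $ok = Test-Certificate -Cert $cert -Policy SSL -DNSName $name `
            -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
    if (-not $ok) {
        Write-Warning "Skipping ${name}: certificate is not valid for this name."
        continue
    }

    # One binding per name; do not overwrite a binding that already exists.
    if (Get-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $name) {
        Write-Output "Binding for $name already exists; left unchanged."
        continue
    }

    # SslFlags 1 corresponds to the "Require Server Name Indication" checkbox.
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*' `
        -HostHeader $name -SslFlags 1
    $binding = Get-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $name
    $binding.AddSslCertificate($cert.Thumbprint, 'My')
    Write-Output "Bound $name on port 443 with SNI."
}

# Review the result: every https binding with its SNI flag and certificate hash.
Get-WebBinding -Name $siteName -Protocol https |
    Select-Object bindingInformation, sslFlags, certificateHash
```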
Updating security
When a server is installed it gets default security settings, which are not automatically updated.
Even when you have set it to use best practice, the settings will get outdated as time passes and security holes are found.
This is why we recommend that you check and update the security settings every time you update the certificate, so they are always set optimally.
To help with this we recommend that you use IIS Crypto, which can be downloaded free from Nartac Software.
We have a guide to use IIS Crypto here.
Export of certificate to .PFX backup
- Log in to the server with an administrator account.
- Press Windows key + R
Type in mmc.exe
Click OK.
- Click File and then Add/Remove snap-in.
- Select Certificates.
Click Add.
- Select Computer account.
Click Next.
- Select Local computer.
Click Finish.
Click OK.
- Expand the folders until Certificates becomes visible under Personal then click it.
Right click the certificate you want to export.
Select All Tasks.
Click Export.
- Select Yes, export the private key.
Click Next.
- Select Personal Information Exchange - PKCS #12 (.PFX).
Click Next.
- Check Password: and type in a password to protect the .PFX file with (remember to store the password in a secure location).
Click Next.
- Select a place to save the .PFX file and give it a name so you can remember what it is for.
Click Next.
Click Finish.
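The export steps above can also be scripted. This is an added example, not part of the original guide. The thumbprint and backup path are placeholders. Because the .PFX file contains the private key, the script also restricts access to the file and confirms that it opens with the chosen password.

```powershell
# Added example, not FairSSL's own script. Run in an elevated PowerShell session.
$thumbprint = '<THUMBPRINT-OF-CERTIFICATE-TO-EXPORT>'    # placeholder
$pfxPath    = 'C:\Backup\www-example-com.pfx'            # hypothetical backup path

# Prompt for the password so it never appears in the script or shell history.
$password = Read-Host -Prompt 'Password for the .PFX file' -AsSecureString

$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key to export.' }

# Fails with an error if the private key was not marked as exportable.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password | Out-Null

# The file holds the private key: drop inherited permissions and allow only
# Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18) to read it.
icacls.exe $pfxPath /inheritance:r /grant:r '*S-1-5-32-544:F' '*S-1-5-18:F' | Out-Null

# Confirm the backup opens with the password and holds the expected certificate.
$pfx = Get-PfxData -FilePath $pfxPath -Password $password
$exported = $pfx.EndEntityCertificates | Where-Object Thumbprint -eq $cert.Thumbprint
if (-not $exported) { throw 'Exported file does not contain the expected certificate.' }

$exported | Select-Object Subject, Thumbprint, NotAfter
# Any intermediate certificates included in the file are listed here.
$pfx.OtherCertificates | Select-Object Subject
```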