SSL Certificate installation (Windows Server 2008 (IIS 7.0))

To totally unlock this section you need to Log-in


Login

Windows Server 2008 includes Internet Information Services (IIS) 7.0. This new version makes several big changes in the way that SSL certificates are generated, making it much easier than previous versions of IIS. In addition to the new method of requesting and installing SSL certificates, IIS 7 includes the ability to:

  • Request more than one SSL certificate at a time.
  • Import, export, and renew SSL certificates easily in IIS.
  • Quickly create a self-signed certificate for testing.

This article will walk you through the process of ordering an SSL certificate from a commercial certificate authority and installing it on an IIS 7 Windows Server 2008 machine. The process will also work for later versions such as Windows Server 2016 and IIS 8 and IIS 10 with some small modifications.

The first step in ordering an SSL certificate is generating a Certificate Signing Request.

What is a CSR (Certificate Signing Request)?

A CSR or Certificate Signing request is a block of encoded text that is given to a Certificate Authority when applying for an SSL Certificate. It is usually generated on the server where the certificate will be installed and contains information that will be included in the certificate such as the organization name, common name (domain name), locality, and country. It also contains the public key that will be included in the certificate. A private key is usually created at the same time that you create the CSR, making a key pair. A CSR is generally encoded using ASN.1 according to the PKCS #10 specification.

A certificate authority will use a CSR to create your SSL certificate, but it does not need your private key. You need to keep your private key secret. The certificate created with a particular CSR will only work with the private key that was generated with it. So if you lose the private key, the certificate will no longer work.

What is contained in a CSR?

Name Explanation Examples
Common Name The fully qualified domain name (FQDN) of your server. This must match exactly what you type in your web browser or you will receive a name mismatch error.

*.google.com
mail.google.com

Organization The legal name of your organization. This should not be abbreviated and should include suffixes such as Inc, Corp, or LLC. Google Inc.
Organizational Unit The division of your organization handling the certificate. Information Technology
IT Department
City/Locality The city where your organization is located. Mountain View
State/County/Region The state/region where your organization is located. This shouldn’t be abbreviated. California
Country The two-letter ISO code for the country where your organization is location. US
GB
Email address An email address used to contact your organization. [email protected]
Public Key The public key that will go into the certificate. The public key is created automatically

What does a CSR look like?

Most CSRs are created in the Base-64 encoded PEM format. This format includes the “—–BEGIN CERTIFICATE REQUEST—–“ and “—–END CERTIFICATE REQUEST—–“ lines at the begining and end of the CSR. A PEM format CSR can be opened in a text editor and looks like the following example:

—–BEGIN CERTIFICATE REQUEST—–
MIIByjCCATMCAQAwgYkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
MRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMR8w
HQYDVQQLExZJbmZvcm1hdGlvbiBUZWNobm9sb2d5MRcwFQYDVQQDEw53d3cuZ29v
Z2xlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEApZtYJCHJ4VpVXHfV
IlstQTlO4qC03hjX+ZkPyvdYd1Q4+qbAeTwXmCUKYHThVRd5aXSqlPzyIBwieMZr
WFlRQddZ1IzXAlVRDWwAo60KecqeAXnnUK+5fXoTI/UgWshre8tJ+x/TMHaQKR/J
cIWPhqaQhsJuzZbvAdGA80BLxdMCAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4GBAIhl
4PvFq+e7ipARgI5ZM+GZx6mpCz44DTo0JkwfRDf+BtrsaC0q68eTf2XhYOsq4fkH
Q0uA0aVog3f5iJxCa3Hp5gxbJQ6zV6kJ0TEsuaaOhEko9sdpCoPOnRBm2i/XRD2D
6iNh8f8z0ShGsFqjDgFHyF3o+lUyj+UC6H1QW7bn
—–END CERTIFICATE REQUEST—–

How do I decode a CSR?

In order to decode a CSR on your own machine using OpenSSL, use the following command:

openssl req -in server.csr -noout -text

What is a CSR/Private Key’s bit length?

The bit-length of a CSR and private key pair determine how easily the key can be cracked using brute force methods. As of 2016, a key size of less than 2048 bits is considered weak and could potentially be broken in a few months or less with enough computing power. If a private key is broken, all the connections initiated with it would be exposed to whomever had the key.

Create the Certificate Signing Request

This is very easy to do in IIS7 using the following instructions. Click on the Start menu, go to Administrative Tools, and click on Internet Information Services (IIS) Manager.

SSL Certificate installation (Windows Server 2008 (IIS 7.0))

Click on the name of the server in the Connections column on the left. Double-click on Server Certificates.

SSL Certificate installation (Windows Server 2008 (IIS 7.0))

In the Actions column on the right, click on Create Certificate Request…:

SSL Certificate installation (Windows Server 2008 (IIS 7.0))

Enter all of the following information about your company and the domain you are securing and then click Next.

SSL Certificate installation (Windows Server 2008 (IIS 7.0))

Name Explanation Examples
Common Name The fully qualified domain name (FQDN) of your server. This must match exactly what you type in your web browser or you will receive a name mismatch error.

*.google.com
mail.google.com

Organization The legal name of your organization. This should not be abbreviated and should include suffixes such as Inc, Corp, or LLC. Google Inc.
Organizational Unit The division of your organization handling the certificate. (Most CAs don’t validate this field) IT
Web
City/Locality The city where your organization is located. Mountain View
State/province The state/region where your organization is located. This shouldn’t be abbreviated. California
Country/Region The two-letter ISO code for the country where your organization is location. US
GB

Leave the default Cryptographic Service Provider. Increase the Bit length to 2048 bit or higher. Click Next.

SSL Certificate installation (Windows Server 2008 (IIS 7.0))

Click the button with the three dots and enter a location and filename where you want to save the CSR file. Click Finish.

SSL Certificate installation (Windows Server 2008 (IIS 7.0))

Once you have generated a CSR you can use it to order the certificate from a certificate authority. Once you paste the contents of the CSR and complete the ordering process, your order is validated, and you will receive the SSL certificate file.

Install the Certificate

To install your newly acquired SSL certificate in IIS 7, first copy the file somewhere on the server and then follow these instructions:

Click on the Start menu, go to Administrative Tools, and click on Internet Information Services (IIS) Manager, then click on the name of the server in the Connections column on the left. Double-click on Server Certificates.

SSL Certificate installation (Windows Server 2008 (IIS 7.0))

In the Actions column on the right, click on Complete Certificate Request…:

SSL Certificate installation (Windows Server 2008 (IIS 7.0))

Click the button with the three dots and select the server certificate that you received from the certificate authority. If the certificate doesn’t have a .cer file extension, select to view all types. Enter any friendly name you want so you can keep track of the certificate on this server. Click OK.

SSL Certificate installation (Windows Server 2008 (IIS 7.0))

If successful, you will see your newly installed certificate in the list. If you receive an error stating that the request or private key cannot be found, make sure you are using the correct certificate and that you are installing it to the same server that you generated the CSR on. If you are sure of those two things, you may just need to create a new Certificate Request and reissue/replace the certificate. Contact your certificate authority if you have problems with this.

SSL Certificate installation (Windows Server 2008 (IIS 7.0))

Bind the Certificate to a website

In the Connections column on the left, expand the sites folder and click on the website that you want to bind the certificate to. Click on Bindings… in the right column.

SSL Certificate installation (Windows Server 2008 (IIS 7.0))

Click on the Add… button.

SSL Certificate installation (Windows Server 2008 (IIS 7.0))

Change the Type to https and then select the SSL certificate that you just installed. Click OK.

SSL Certificate installation (Windows Server 2008 (IIS 7.0))

You will now see the binding for port 443 listed. Click Close.

SSL Certificate installation (Windows Server 2008 (IIS 7.0))

Install any Intermediate Certificates

Most SSL providers issue server certificates off of an Intermediate certificate so you will need to install this Intermediate certificate to the server as well or your visitors will receive a Certificate Not Trusted Error. You can install each Intermediate certificate (sometimes there is more than one) using these instructions:

  • Download the intermediate certificate to a folder on the server.
  • Double click the certificate to open the certificate details.
  • At the bottom of the General tab, click the Install Certificate button to start the certificate import wizard. Click Next.

SSL Certificate installation (Windows Server 2008 (IIS 7.0))

Select Place all certificates in the following store and click Browse.

SSL Certificate installation (Windows Server 2008 (IIS 7.0))

Check the Show physical stores checkbox, then expand the Intermediate Certification Authorities folder, select the Local Computer folder beneath it. Click OK. Click Next, then Finish to finish installing the intermediate certificate.

SSL Certificate installation (Windows Server 2008 (IIS 7.0))

You may need to restart IIS so that it starts giving out the new certificate. You can verify that the certificate is installed correctly by visiting the site in your web browser using https instead of http.