Installing an SSL Certificate in Windows

SSL is the protocol used to secure connections to web servers by encrypting the session between the client and the server so that anyone observing the network can’t read it.  I need to install an SSL certificate for a web site on one of my servers, so I’m going to document the process here in case someone else could use the information.

Generally speaking, installing an SSL certificate is a pretty straightforward procedure:

1. Generate a certificate request from the device on which you wish to use SSL
2. Submit the request to a Certificate Authority
3. Retrieve the completed certificate from the CA
4. Install the certificate on the device along with CA certificates
5. Configure the device to use the certificate for SSL

I will be doing this on a Windows Server 2012 R2 server using the Default Web Site as an example.


Generating the Certificate Request:

1. Open Internet Information Services (IIS) Manager and select the server

IIS - Select Server

2. Double-click on the “Server Certificates” icon in the Features View of the server

IIS - Select Server Certificates

3. In the “Actions” pane, click the “Create Certificate Request…” link

Server Certificates

4. In the “Distinguished Name Properties” window, fill in the required information and click “Next”.

Distinguished Name Properties

The fields here need to be filled out accordingly:

Common name: This is the fully-qualified domain name (FQDN) for the website.  For example, if your website is testcert.yourdomain.com, this is what you put in this field.  Do not include the “http://” or “https://” prefixes in your common name.

Organization: This is the legally registered name of your organization.  The organization must be the legal registrant of the domain name in the certificate request. If you’re a sole proprietor, put your name in this field.

Organizational Unit: This is the internal department within the organization that is responsible for the maintenance of the certificate and/or site.  If you’re a sole proprietor, enter your DBA (doing business as) name in this field.

City/Locality: This is the city in which your organization is located.  This needs to be spelled out; do not abbreviate.

State/Province: This is the state/province/region/territory in which your organization is registered.  This needs to be spelled out; do not abbreviate.

Country Code: This is the country in which your organization is registered.  Unlike the City/Locality and State/Province fields, you will abbreviate the country using the two-letter International Organization for Standardization (ISO) country code.

5. In the “Cryptographic Service Provider Properties” window, select the appropriate bit length and select “Next”

Cryptographic Service Provider Properties

The bit length requirement is set by the Certificate Authority from whom you are requesting the certificate.  For most providers, the required length is 2,048 bits.

6. In the “File Name” window, browse to where you’d like to store the request file and give it a name.  Click “Finish”.

File Name

The file you save here is what you’ll submit to the CA when you submit your request.
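The same kind of request can be produced from an elevated PowerShell prompt with certreq.exe instead of the IIS wizard. This is an added example, not part of the original post; the host name, organization and location values are placeholders. It also adds a Subject Alternative Name entry (which the wizard does not) and dumps the finished request so the subject and key length can be checked before submitting it to the CA.

```powershell
# Added example: generate a PKCS#10 certificate request with certreq.exe.
# All DN values below are placeholders; replace them with your own details.
$Fqdn   = 'testcert.yourdomain.com'
$ReqInf = Join-Path $env:TEMP "${Fqdn}.inf"
$ReqCsr = Join-Path $env:TEMP "${Fqdn}.csr"

# certreq reads its settings from an INF file. The Subject fields mirror the
# "Distinguished Name Properties" page: CN, O, OU, L (city), S (state), C (country).
@"
[NewRequest]
Subject = "CN=$Fqdn, O=Your Organization Inc., OU=Network Services, L=Denver, S=Colorado, C=US"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
KeySpec = 1
MachineKeySet = TRUE
; Non-exportable keeps the private key from being copied off the server;
; set TRUE only if you must move the certificate to another machine later.
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[Extensions]
; Subject Alternative Name (OID 2.5.29.17). Browsers match the SAN rather
; than the CN, so list every host name the site will answer to.
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
"@ | Set-Content -Path $ReqInf -Encoding ASCII

# Create the key pair in the machine store and write the Base64 request file.
certreq.exe -new $ReqInf $ReqCsr
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Check before submitting: Subject, SAN and key length should match what you asked for.
certutil.exe -dump $ReqCsr | Select-String -Pattern 'Subject:', 'DNS Name=', 'Public Key Length'

# This file is what gets uploaded or pasted into the CA's form, BEGIN/END lines included.
Get-Content -Path $ReqCsr
```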


Submitting the Request to a Certificate Authority:

Each Certificate Authority will have its own procedure for submitting the certificate request.  You’ll either upload the file or submit it by opening it in a text editor and copying/pasting the contents into a form on the CA’s site.

The contents of the file will look something like this:

-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----

When cutting and pasting this information into the CA’s website form, make sure you copy everything including the “-----BEGIN NEW CERTIFICATE REQUEST-----” and “-----END NEW CERTIFICATE REQUEST-----” lines.


Retrieving the Certificate from the Certificate Authority:

The CA will process your request and issue your certificate after completing a few administrative procedures.  The CA will keep you informed of what’s going on and will let you know when the process is complete.

Once the certificate is ready, you’ll download a file from your CA which will contain your certificate along with one or more other certificates that identify the CA and establish the identity chain required to validate your certificate when others connect to your web site.


Installing the Certificate:

There are two steps in installing the certificate from the CA.  The first step is to install the Intermediate CA Certificate on the server.

Once that’s completed, you’ll install the SSL certificate on the web server.

1. Open Internet Information Services (IIS) Manager and select the server

IIS - Select Server

2. Double-click on the “Server Certificates” icon in the Features View of the server

IIS - Select Server Certificates

3. In the “Actions” pane, click the “Complete Certificate Request…” link

Select Complete Req

4. In the “Specify Certificate Authority Response” window, browse to the file you downloaded from the CA, assign the certificate a Friendly Name and click “OK”

Specify Certificate Authority Response

The friendly name is not actually part of the certificate; it’s simply a way for you to give the certificate a name so that it is easily identifiable when you attempt to use it later.

Keep the certificate store set to “Personal”.

You should now see the certificate listed in your IIS Manager.


Configuring the Web Site for SSL

Now that the certificates are installed, it’s time to finally get SSL running on the web site.

1. In your IIS Manager, select the web site which will use SSL

IIS - Default Web Site

In my example, I’m just using the Default Web Site.

2. In the “Actions” pane, select “Bindings…”

Select Bindings...

3. In the “Site Bindings” window, click on “Add…”

Site Bindings

4. In the “Add Site Binding” window, complete the fields and click “OK”

Add Site Binding

Type: This must be set to “https”
IP address: Select the IP address to use for the site
Host name: Leave this blank
SSL certificate: Use the drop-down to select the certificate

5. Double-click on “SSL Settings” in your web site’s Features View pane

SSL Settings Select

6. In the “SSL Settings” pane, put a check in the “Require SSL” box and then click on “Apply” in the “Actions” pane

Require SSL and Apply

You’ll see a message that says “The changes have been successfully saved”.
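The two procedures above (installing the intermediate certificate and the CA response, then binding the site and requiring SSL) can also be done from an elevated PowerShell prompt with the WebAdministration and PKI modules. This is an added example, not from the original post; the site name, host name, file paths and IP address are placeholders, and it adds a chain check that the IIS dialogs do not perform.

```powershell
# Added example: install the CA response and switch the site to HTTPS.
# Paths, the host name and the IP address are placeholders.
Import-Module WebAdministration

$SiteName     = 'Default Web Site'
$Fqdn         = 'testcert.yourdomain.com'
$IpAddress    = '0.0.0.0'                                  # "All Unassigned" in the Add Site Binding dialog
$IssuedCert   = 'C:\certs\testcert_yourdomain_com.cer'    # your certificate, from the CA
$Intermediate = 'C:\certs\IntermediateCA.cer'              # intermediate CA certificate, from the CA

# 1. The intermediate goes in the machine's "Intermediate Certification Authorities"
#    store so the server can send the full chain to clients.
Import-Certificate -FilePath $Intermediate -CertStoreLocation Cert:\LocalMachine\CA | Out-Null

# 2. "Complete Certificate Request": pair the issued certificate with the pending
#    private key created at request time. The result lands in LocalMachine\My (Personal).
certreq.exe -accept -machine $IssuedCert
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$Fqdn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $Cert) { throw "No certificate for $Fqdn with a private key in LocalMachine\My" }
$Cert.FriendlyName = $Fqdn   # friendly name is store metadata, not part of the certificate

# 3. Verify the chain builds for server authentication before exposing it.
if (-not (Test-Certificate -Cert $Cert -Policy SSL -DNSName $Fqdn)) {
    throw 'Chain or host name validation failed; is the intermediate certificate installed?'
}

# 4. Add the https binding (port 443, host name blank) and attach the certificate.
New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress $IpAddress
New-Item -Path "IIS:\SslBindings\$IpAddress!443" -Value $Cert | Out-Null

# 5. "Require SSL": plain http requests to the site are now refused with 403.4.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# Confirm the binding exists and carries the certificate we just installed.
Get-WebBinding -Name $SiteName -Protocol https
(Get-Item "IIS:\SslBindings\$IpAddress!443").Thumbprint -eq $Cert.Thumbprint
```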

Your site now uses SSL!

I hope this has been useful for you.  Your feedback is always welcome!
