SSL Certificates for MS IIS v7
(Win 2008 & Win 7)


Get SSL Information - common to all steps (Create, Renew, etc.)

Gather the information that you will need to create the SSL Certificate.  Someone in your IT group will probably want the fields populated with certain data.

Issued To:  This will be your DNS name.
(e.g. google.com, abc.com, qacontent.abc.com, prodcontent.abc.com, etc.)

Friendly Name: <your dns name>_YYYYMMDD  (Anything you want.  This is just my suggestion especially if you have several servers.)
Country / Region: <2-letter country code>  (Note: This is a two-letter country code that you pick from a drop-down list.)
State / Province: <your state> 
City: <your city>
Organization: <name of your organization>
Organizational Unit: <name of your unit within the organization>

Cryptographic service provider: Microsoft RSA SChannel Cryptographic Provider
Bit Length: 1024 (4096 - default, 1024 - standard. Options: 384, 512, 1024, 2048, 4096, 8192, 16384)

Note: If the information changes this may affect the steps needed to renew or create a new certificate.
 

Click on the link below that describes what you want to do:

Go to "New Certificate" section. (next section)
Go to "Renew Certificate" section.

SSL Installation Steps - IIS 7.0 - New SSL Certificate

Step 1: Prepare a CSR (Certificate Signing Request)

Terms: FQDN - Fully Qualified Domain Name

Launch IIS manager. (Start, Programs, Administrative Tools, Internet Information Service Manager)
Click on the name of the main server node in the top left under connections.
In the "IIS" section double click the "Server Certificates" icon.
In the right panel called "Actions" double click "Create Certificate Request"

Common name: <your FQDN> (e.g. google.com, abc.com, qacontent.abc.com or prodcontent.abc.com)
(Your FQDN as typed in the browser, without the www.)
Country / Region: <2-letter country code>  (Note: This is a two-letter country code that you pick from a drop-down list.)
State / Province: <your state> 
City: <your city>
Organization: <name of your organization>
Organizational Unit: <name of your unit within the organization>

Click "Next".

Cryptographic service provider: Microsoft RSA SChannel Cryptographic Provider
Bit Length: 1024 (4096 - default, 1024 - standard. Options: 384, 512, 1024, 2048, 4096, 8192, 16384)

(Note: 1024 is the standard. Browsers may not support higher encryption. Also, 128-bit encryption may cause problems with browsers set to 40-bit unless you order "Global Secure Site Probe Premium" from Verisign.)

Specify a file name for the certificate request:
e.g. c:\<your FQDN>_YYYYMMDD_certreq.txt

Click "Finish"

Step 2: Send CSR to SSL Vendor (Verisign, etc.) to Create Certificate.

Send an email to your IT group, which secures certificates through an SSL vendor.
Include the CSR (Certificate Signing Request) file created in step 1 as an attachment.
-------------------------------------------
Example email:
-------------------------------------------
Email Title: CSR for <Description of Your Server> Server
Email Body:

IT Group,

Attached is the CSR (Certificate Signing Request) for the <description of your server> server (<your FQDN>).

<attach the file>

Server Platform: Microsoft (Win 2008).
Select Version: IIS 7.5
What do you plan to use this SSL certificate for ?: Web Server.
Will also use with Tomcat app server which uses Apache web server.

Thanks,
<Your Name>

Step 3: Create Certificate file (.cer) from email.

Your IT Group or SSL Vendor will send you the certificate information by email.

Create a text file with your certificate information that was emailed to you.

Save it to a file: <your FQDN>_<yyyymmdd>_certforserver.cer
Place this file in the root of the C: drive of the server (or anywhere you desire on the server).

The first line should begin with the text from the email:
-----BEGIN CERTIFICATE-----
The last line should end with the text from the email:
-----END CERTIFICATE-----

If you have more than one cert in the email create a file for each cert:
Example:
<your FQDN>_20090312_certforserver_Step1_intermediate.cer
<your FQDN>_20090312_certforserver_Step2_root1.cer
<your FQDN>_20090312_certforserver_Step2_root2.cer
<your FQDN>_20090312_certforserver_Step3_primary.cer

Step 4: Apply Certificate to the Server

Launch IIS manager. (Start, Programs, Administrative Tools, Internet Information Service Manager)
Click on the name of the main server node in the top left under connections
In the "IIS" section double click the "Server Certificates" icon.
In the right panel called "Actions" double click "Complete Certificate Request"

File name containing the Certificate authority's response:
Click on the button with 3 dots.
Locate the .cer file that you created in the prior step.
Friendly name:
QA CDS Cert YYYYMMDD
or
PROD CDS Cert YYYYMMDD

(Note: If you have any Intermediate certificates you can apply them later in this document.)

Step 5: Bind the Certificate to a Website

Launch IIS manager.
Click on "Default Web Site" (name of the server, Sites, Default Web Site)
In the right panel called "Actions" double click "Bindings"
Click the "Add" button.
Change the type to "https", IP Address = All Unassigned, Port 443.
SSL certificate: locate the certificate that you installed by choosing the correct "Friendly Name".
Click "OK".
The binding should now show up in the "Site Bindings" list.

Step 6: Install Intermediate Certificates

Before you test you need to apply any "Intermediate" certificates.
If you don't apply them you will get a "Certificate Not Trusted Error".

Open up "Windows Explorer" and double click on the ".cer" file.
Click the "Install Certificate" button to start the Install Wizard.
Click "Next"

Select - "Place all certificates in the following store."
Click - Browse.

Click the box - Show physical stores.
Expand the "Intermediate Certification Authorities" folder, select the Local Computer folder beneath it.
Click OK.
Click Next, then Finish to finish installing the intermediate certificate.
Stop/Start IIS so the changes will become active.

Step 7: IIS - Require SSL on our SSL Test directory

Create a test directory called: wwwroot/inetpub/ssltesting
Create a test HTML file in that directory called: index.html

<html>
<head>
<title>ssltesting index</title>
</head>
<body>
<p>SSL Testing index file</p>
</body>
</html>

Launch: Internet Information Services,
Navigate to: Sites, Default Web Site, ssltesting
Double click on "ssltesting".
In the IIS section double click "SSL Settings".
Check - Require SSL
Click "Apply" in the right panel.

Go to the "Testing SSL Certificates" section to test your install.

SSL Installation Steps - IIS 5.0 - Renew SSL Certificate
(I need to update for v7.0 when I do a Renewal)

Step 1: Prepare a CSR (Certificate Signing Request)

Terms: FQDN - Fully Qualified Domain Name
Launch IIS manager (Start, Programs, Administrative Tools, Internet Information Service Manager)
Click on the name of the main server node in the top left under connections
In the "IIS" section double click the "Server Certificates" icon.
Select and highlight the expiring certificate that you want to renew.
In the right panel called "Actions" double click "Renew"
Choose the second option, Create a renewal certificate request. Click Next.

Specify a file name for the certificate request:
e.g. c:\<your FQDN>_YYYYMMDD_certreq.txt

Click "Finish"

Step 2: Send CSR to SSL Vendor (Verisign, etc.) to Renew Certificate.

Send an email to your IT group, which secures certificates through an SSL vendor.
Include the CSR (Certificate Signing Request) file created in step 1 as an attachment.

Email Title: CSR for <Description of Your Server> Server (SSL Renewal)
Email Body:

David,

Attached is the CSR (Certificate Signing Request) for the <Description of Your Server> server (<your FQDN>).
We need to renew the Certificate.

<attach the file>

Server Platform: Microsoft (Win 2008).
Select Version: IIS 7.5
What do you plan to use this SSL certificate for ?: Web Server.
Will also use with Tomcat app server which uses Apache web server.

Thanks,
<Your Name>

Step 3: Create Certificate file (.cer) from email.

Your IT Group or SSL Vendor will send you the certificate information by email.

Create a text file with your certificate information that was emailed to you.

Save it to a file: <your FQDN>_<yyyymmdd>_certforserver.cer
Place this file in the root of the C: drive of the server (or anywhere you desire on the server).

The first line should begin with the text from the email:
-----BEGIN CERTIFICATE-----
The last line should end with the text from the email:
-----END CERTIFICATE-----

If you have more than one cert in the email create a file for each cert:
Example:
<your FQDN>_20090312_certforserver_Step1_intermediate.cer
<your FQDN>_20090312_certforserver_Step2_root1.cer
<your FQDN>_20090312_certforserver_Step2_root2.cer
<your FQDN>_20090312_certforserver_Step3_primary.cer
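
Added example (not part of the original guide): Step 3, in both the New and the Renew section, done in PowerShell. The function pulls every BEGIN/END CERTIFICATE block out of the pasted email text, confirms that each block really parses as a certificate, and writes one .cer file per block labelled root, intermediate or primary. The function name, the output prefix and the sample text are assumptions made for this illustration.

```powershell
# Added example, not part of the original guide.
function Split-CertificateEmail {
    param([string]$Text, [string]$OutPrefix)   # $OutPrefix: path prefix for the .cer files
    $rx = '-----BEGIN CERTIFICATE-----(?<b64>[A-Za-z0-9+/=\s]+?)-----END CERTIFICATE-----'
    $blocks = [regex]::Matches($Text, $rx)
    if ($blocks.Count -eq 0) { throw 'No complete BEGIN/END CERTIFICATE block found.' }
    $n = 0
    foreach ($b in $blocks) {
        $n++
        # Mail clients add line breaks and spaces; strip them before decoding.
        $b64 = $b.Groups['b64'].Value -replace '\s', ''
        try   { $der = [Convert]::FromBase64String($b64) }
        catch { throw "Block $n is not valid base64 (damaged while copying?)." }
        # The constructor throws if the bytes are not an X.509 certificate.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$der)
        $bc = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
        # Self-issued = root; CA flag set = intermediate; anything else = server cert.
        $role = if ($cert.Subject -eq $cert.Issuer) { 'root' }
                elseif ($bc -and $bc.CertificateAuthority) { 'intermediate' }
                else { 'primary' }
        $path = "${OutPrefix}_${n}_${role}.cer"
        $pem  = "-----BEGIN CERTIFICATE-----`r`n" +
                [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks) +
                "`r`n-----END CERTIFICATE-----`r`n"
        [IO.File]::WriteAllText($path, $pem, [Text.Encoding]::ASCII)
        New-Object PSObject -Property @{
            File = $path; Role = $role; Subject = $cert.Subject
            Issuer = $cert.Issuer; NotAfter = $cert.NotAfter }
    }
}

# Constructed sample: a root certificate already in this machine's store,
# wrapped in email-like text the way a CA reply would carry it.
$any  = Get-ChildItem Cert:\LocalMachine\Root | Select-Object -First 1
$mail = "Hello,`r`nyour certificate:`r`n-----BEGIN CERTIFICATE-----`r`n" +
        [Convert]::ToBase64String($any.RawData, [System.Base64FormattingOptions]::InsertLineBreaks) +
        "`r`n-----END CERTIFICATE-----`r`nRegards"
Split-CertificateEmail -Text $mail -OutPrefix (Join-Path $env:TEMP 'example_certforserver') |
    Format-List
```

For a real reply, pass the saved email text as -Text and check that exactly one file comes out labelled primary, with your FQDN in its Subject.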

Step 4: Apply Certificate to the Server

Launch IIS manager. (Start, Programs, Administrative Tools, Internet Information Service Manager)
Click on the name of the main server node in the top left under connections
In the "IIS" section double click the "Server Certificates" icon.
In the right panel called "Actions" double click "Renew"
From the Renew an existing certificate dialog box choose the third option, Complete certificate renewal request.
Click Next
From the Specify Certification Authority Response dialog box, browse to the renewal certificate file you created.
Click Finish.
(Wait a few seconds.)
Click on the Certificate you just renewed and check the new Expiration Date to make sure the certificate was applied.

IIS Test of SSL:
Test the install by selecting the web site under the Web Sites folder on the left-hand Connections pane (usually listed as the Default web site). Then from the right-hand Actions pane select Browse *:443 (https) under the Browse Web Site section.
 

Testing SSL Certificates

http://www.sslshopper.com/ssl-checker.html - SSL test/checker.

https://<your FQDN>/index.html - should work.
(localhost: https://localhost/ssltesting/index.html )

(Note: Click on the "Lock" icon then "View Certificates" to see the details.)
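
Added example (not part of the original guide): a server-side check to run after Step 4 to Step 6 of the New section, or Step 4 of the Renew section, before testing in a browser. It reports a certificate that has no private key, is close to expiry, uses an RSA key under 2048 bits (the minimum publicly trusted CAs accept today), does not chain to a trusted root, or has an intermediate missing from the store used in Step 6. The function name and the 30-day threshold are assumptions made for this illustration.

```powershell
# Added example, not part of the original guide. Run on the IIS server.
function Test-InstalledServerCertificate {
    # "Friendly name" typed in Step 4; the default '*' checks every certificate.
    param([string]$FriendlyName = '*')
    $certs = Get-ChildItem Cert:\LocalMachine\My |
             Where-Object { $_.FriendlyName -like $FriendlyName }
    foreach ($cert in $certs) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Revocation is skipped so the check also works without Internet access.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $built = $chain.Build($cert)
        $problems = @()
        if (-not $cert.HasPrivateKey) { $problems += 'no private key on this server' }
        if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += 'expires within 30 days' }
        $isRsa = $cert.PublicKey.Oid.Value -eq '1.2.840.113549.1.1.1'   # rsaEncryption
        if ($isRsa -and $cert.PublicKey.Key.KeySize -lt 2048) {
            $problems += 'RSA key under 2048 bits'
        }
        if (-not $built) {
            foreach ($s in $chain.ChainStatus) { $problems += "chain: $($s.Status)" }
        }
        # Confirm each CA between the server certificate and the root is in the
        # "Intermediate Certification Authorities" store of the local computer (Step 6).
        for ($i = 1; $i -lt $chain.ChainElements.Count - 1; $i++) {
            $ca = $chain.ChainElements[$i].Certificate
            if (-not (Test-Path "Cert:\LocalMachine\CA\$($ca.Thumbprint)")) {
                $problems += "intermediate not in local store: $($ca.Subject)"
            }
        }
        New-Object PSObject -Property @{
            Subject = $cert.Subject; FriendlyName = $cert.FriendlyName
            NotAfter = $cert.NotAfter; Problems = ($problems -join '; ') }
    }
}

Test-InstalledServerCertificate | Format-List
```

An empty Problems field means the certificate passed every check; a "chain: PartialChain" entry corresponds to the "Certificate Not Trusted Error" described in Step 6.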