How to Create a Certificate Signing Request and Replace/Renew IIS certificate. Video tutorial and step-by-step text instructions.
Video Tutorial (Credit: BTNHD)
Step-by-Step Instructions
IIS versions:
6 = Server 2003
7 = Server 2008
7.5 = Server 2008 R2
8 = Server 2012
8.5 / 9.0 = Server 2012 R2
10 = Server 2016
Note: The server that you create/generate the Certificate Signing Request on (within IIS) is the same server you have to complete it on. You will be able to export it from IIS afterwards.
Step 1. Generate Certificate Signing Request (CSR) from within IIS.
Step 2. Provide the output of the CSR you performed in step 1 to your certificate handler/department who will be able to generate a new certificate from your vendor portal. Unless you are using an Internal CA, you would need access or someone who already has login credentials to a vendor portal from companies like Entrust, Verisign, Thawte or GoDaddy, which are all certificate providers or vendors.
Step 3. Once you have logged into the vendor portal, you would have to import or upload the CSR you generated and the cert vendor would then generate one back for you. They will most likely provide you with an emailed download link for the cert.
Step 4. Download the certificate zip package from Entrust (whoever your vendor is) onto the server you created the initial signing request in Step 1.
Step 5. Once you extract the certificates, you’ll have 3 files (you may have more depending on the request): Root.crt, Intermediate.crt, ServerCertificate.crt
Step 6. Launch IIS on the same server you created/generated the signing request, click on Server name, then select Server Certificates, then select Complete Signing Request from the right-hand menu.
Step 7. Once you do this, it will ask you to select the ServerCertificate.crt file (change the extensions file type to include ALL files or ANY files), navigate to the folder you extracted it to and select the ServerCertificate.
Step 8. Once you perform Step 7, it should automatically fill the Friendly Name field and allow you to complete the signing request. You should now see a certificate with the same Friendly Name listed in the Server Certificates section of IIS.
Step 9. Select the certificate that is newly listed in IIS, click on the EXPORT button. Once you do this, it’ll ask you to set a password (make this simple = YourCompanyName$$$) and export to a folder. This is the PFX file.
Step 10. Go to target server that you want to renew the certificate on, go to IIS > Server Certificates > IMPORT and select the same PFX file that you exported in Step 9. It will ask for the same password (e.g. YourCompanyName$$$). You should now see the same certificate with the same Friendly Name listed here.
Step 11. Import the Root and Intermediate certificate using the Certificates MMC (certmgr.msc) into the appropriate stores.
Note: If the instructions from Entrust tell you to delete an existing certificate (it is a generic cert and has an expiry of 2030), it is not necessary because the same cert you’re installing again has the same expiry (looks like “Entrust G2”). Then again, follow your instructions just to be on the safe side.
Step 12. Once you’ve imported the Root, Intermediate and PFX file – now you have to BIND the certificate. Go to IIS > select Site > Click on BINDINGS > and for any HTTPS binding that’s there, replace the certificate that is assigned to that Binding to the new one that’s listed in IIS Server Certificates. If an HTTPS binding entry does not exist, you may have to select the ADD button and select HTTPS (Protocol) and 443 (Port) and assign the new certificate. This is only required if the requester has asked for it, otherwise, you do not need to create a Binding.
Step 13. You’re finished!
Step 1: Create Your CSR in IIS 8/8.5 on Windows Server 2012
Taken from https://www.digicert.com/csr-ssl-installation/iis-8-and-8.5.htm
Use the instructions on this page to create your certificate signing request (CSR) and then to install your SSL certificate in IIS 8 on Windows Server 2012 or IIS 8.5 on Windows Server 2012 R2.
- From the Start screen, find Internet Information Services (IIS) Manager and open it.
- In the Connections pane, locate and click the server.
- In the server Home page (center pane) under the IIS section, double-click Server Certificates.
- In the Actions menu (right pane), click Create Certificate Request.
- In the Request Certificate wizard, on the Distinguished Name Properties page, provide the information specified below and then click Next.
| Common name | The fully-qualified domain name (FQDN) (e.g., www.example.com). |
| Organization | Your company’s legally registered name (e.g., YourCompany, Inc.). |
| Organizational unit | The name of your department within the organization. This entry will usually be listed as “IT”, “Web Security”, or is simply left blank. |
| City/locality | The city where your company is legally located. |
| State or Province | The state/province where your company is legally located. |
| Country/region | The country/region where your company is legally located. Use the drop-down list to select your country. |
On the Cryptographic Service Provider Properties page, provide the information specified below and then click Next.
| Cryptographic service provider: | In the drop-down list, select Microsoft RSA SChannel Cryptographic Provider (unless you have a specific cryptographic provider). |
| Bit length: | In the drop-down list, select 2048 (unless you have a specific reason for using a larger bit length). |
On the File Name page, under Specify a file name for the certificate request, click the … button to specify a save location for your CSR.
Note: Remember the filename and save location of your CSR file. If you enter a filename without specifying a location, your CSR will be saved to C:\Windows\System32.
- When you are done, click Finish.
- Open the CSR file using a text editor (such as Notepad), then copy the text (including the —–BEGIN NEW CERTIFICATE REQUEST—– and —–END NEW CERTIFICATE REQUEST—– tags) and paste it into your vendor portal which they will then use to generate a new certificate for you.
- After you receive your SSL certificate from the certificate authority/vendor, you can install it.
Step 2: Install and Configure Your SSL Certificate in IIS 8 or IIS 8.5 on Windows Server 2012
After your CA validates and issues your SSL certificate, you need to install it on the Windows 2012 server where the CSR was generated. Then, you need to configure the server to use it.
(Single Certificate) How to install your SSL certificate and configure the server to use it
- On the server where you created the CSR, save the SSL certificate .cer file (e.g., your_domain_com.cer) that you received from DigiCert.
- From the Start screen, find Internet Information Services (IIS) Manager and open it.
- In the Connections pane, locate and click the server.
- In the server Home page (center pane) under the IIS section, double-click Server Certificates.
- In the Actions menu (right pane), click Complete Certificate Request.
- In the Complete Certificate Request wizard, on the Specify Certificate Authority Response page, provide the following information:
| File name containing the certificate authority’s response: | Click the … button to locate the .cer file you received from DigiCert (e.g., your_domain_com.cer). |
| Friendly name: | Type a friendly name for the certificate. This is not part of the certificate; instead, it is used to identify the certificate. Note: We recommend that you add the issuing CA (e.g., DigiCert) and the expiration date to the end of your friendly name; for example, yoursite-digicert-(expiration date). Doing this helps identify the issuer and expiration date for each certificate and also helps distinguish multiple certificates with the same domain name. |
| Select a certificate store for the new certificate: | In the drop-down list, select Personal. |
- Click OK to install the certificate.
- Now that you’ve successfully installed your SSL certificate, you need to configure your site to use it.
Assign Your SSL Certificate
- Now that you’ve successfully installed your SSL certificate, you need to configure your site to use it.
- In Internet Information Services (IIS) Manager, in the Connections pane, expand the name of the server on which the certificate was installed. Then expand Sites and click the site you want to secure using the SSL certificate.
- In the Actions menu (right pane), click Bindings.
- In the Site Bindings window, click Add.
- In the Add Site Binding window, do the following and then click OK.
| Type: | In the drop-down list, select https. |
| IP address: | In the drop-down list, select the IP address of the site or select All Unassigned. |
| Port: | Type 443. (SSL uses port 443 to secure traffic.) |
| SSL certificate: | In the drop-down list, select your new SSL certificate (e.g., yourdomain.com). |
Note: To enable your SSL certificate for use on other Windows servers, see PFX export instructions.
Your SSL certificate is now installed, and the website is configured to accept secure connections.
