Configuring IIS SSL
Before you begin
Before you generate your CSR, please take a look at the following sections of the SCS Facilities web certificate documentation for SCS-specific information about generating a CSR and installing the certificate:
- Overview of how to request a certificate.
- General guidelines. Please follow the instructions in that section when selecting your private key size ("bit length") and your Organizational Unit (OU).
- Intermediate certificates. How to get the intermediate certificates for your server.
If you are renewing an existing certificate: It is possible to renew an existing certificate without generating a new CSR. See the SCS Facilities IIS certificate renewal instructions for information on how to do this. Note: If you want your new certificate to have a different private key size ("bit length") than your current certificate, you will need to generate a new CSR.
Generating a new CSR and installing a certificate
Microsoft's documentation provides detailed instructions on CSR generation and certificate installation.
Note: The instructions below are for the Windows XP interface and an old version of IIS (5.1). They have been retained because some people may still find them useful. The interface and procedure for the version of Windows and IIS that you are using may be different.
Request an SSL/Webserver Certificate
- Start IIS, right-click "Default Web Site," and select "Properties" on the menu
- On the "Properties" window, click the "Directory Security" tab
- Click "Server Certificate" and follow the onscreen wizard
- Select "Prepare the request now, but send it later"
- For the certificate name, enter the machine's FQDN (fully-qualified DNS name) or the site's URL
- Select bit length "2048"
- For "Organization," enter Carnegie Mellon University
- For "Organizational Unit," enter SCS - <your Department> (e.g. ISRI, HCII, ETC, ...)
- For "Common Name," enter the machine's FQDN or the site URL
- Enter the country, state, and city information (check spelling). "Pennsylvania" must be spelled out in full
- Save the request file
- Request a certificate by forwarding your file to <firstname.lastname@example.org>
- Generate an MD5 checksum on the request file (search the Web on "MD5 checksum" to find a current tool)
- Have the checksum handy to verify machine and requester identity when an SCS Facilities staff member calls
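A pre-submission check for the request steps above, as an added example that is not part of the original instructions: it decodes the saved request file, compares the key length and subject fields with the values listed above, and reports the MD5 checksum to have on hand for the verification call. The function name Test-CsrBeforeSubmit, the file names and the sample subject (host name, OU and city) are assumptions; the sample request is constructed with a throwaway key so the script runs as-is in PowerShell on Windows with .NET Framework 4.7.2 or later.

```powershell
# Added example (Windows only). Test-CsrBeforeSubmit is a hypothetical helper name.
function Test-CsrBeforeSubmit {
    param([Parameter(Mandatory)][string]$Path)

    # Decode the PKCS #10 request with the Windows certificate enrollment COM API.
    $req = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
    $req.InitializeDecode((Get-Content -LiteralPath $Path -Raw), 6)   # 6 = XCN_CRYPT_STRING_BASE64_ANY
    $subject = $req.Subject.Name
    $bits    = $req.PublicKey.Length

    # Rules taken from the request steps on this page.
    $problems = @()
    if ($bits -ne 2048) { $problems += "key length is $bits, expected 2048" }
    if ($subject -notmatch '\bO=Carnegie Mellon University\b') {
        $problems += 'Organization is not "Carnegie Mellon University"' }
    if ($subject -notmatch '\bOU=SCS - \S') {
        $problems += 'Organizational Unit does not start with "SCS - "' }
    if ($subject -notmatch '\b(S|ST)=Pennsylvania\b') {
        $problems += 'State is not spelled out as "Pennsylvania"' }
    if ($subject -notmatch '\bCN=[^,]+\.[^,]+') {
        $problems += 'Common Name does not look like an FQDN' }

    [pscustomobject]@{
        Subject  = $subject
        KeyBits  = $bits
        MD5      = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
        Problems = $problems    # empty when every check passes
    }
}

# Constructed sample request (throwaway key, never submitted) so the check can be run as-is.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$csr = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=www.example.org, OU=SCS - ISRI, O=Carnegie Mellon University, L=Pittsburgh, S=Pennsylvania, C=US',
    $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$tmp = Join-Path $env:TEMP 'constructed-request.txt'
[Convert]::ToBase64String($csr.CreateSigningRequest()) | Set-Content -LiteralPath $tmp

Test-CsrBeforeSubmit -Path $tmp | Format-List
Remove-Item -LiteralPath $tmp
```

To check a real request, pass the path of the file saved by the IIS wizard to Test-CsrBeforeSubmit instead of the constructed sample.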
Install your Certificates
When the issuance email arrives, it will contain two certificates: a "chained" certificate for the machine and a server certificate for the site.
- Copy the chained certificate into a text editor, such as notepad, and save as chain.cer
- Copy the webserver certificate into a text editor, such as notepad, and save with your site name as <yourdomain>.cer
Creating your Snap-in Management Console
Certificate snap-ins for the "Microsoft Management Console" (MMC) are not preconfigured. You (the system administrator) must configure a console before you can specify functionality.
On your webserver machine, open the MMC "Certificates" snap-in as follows:
- From your desktop, go to "Start" > "Run"
- Type mmc and click "OK" to bring up a console
- From the "File" menu, select "Add/Remove Snap-in"
- On the "Add/Remove Snap-in" window, click "Add"
- In the "Add Standalone Snap-in" window, select "Certificates" and click "Add"
- Select "Computer Account" > "Next" > "Finish"
- "Close" the "Add Standalone Snap-in" box and click "OK" in the "Add/Remove Snap-in"
Now install the chained certificate
Expand the MMC "Certificates" entry and right-click "Intermediate Certification Authorities," as shown at right:
- Select "All Tasks" > "Import."
- Complete the Import wizard, identifying your chained certificate (chain.cer) when prompted for "Certificate file to import"
- Ensure that the chained certificate appears under "Intermediate Certification Authorities"
Finally, install your webserver certificate
- Start IIS and right-click "Default Web Site" and select "Properties" from the pulldown menu, as shown at right.
- When the "Properties" window appears, click on the "Directory Security" tab
- Click on "Server Certificate" and follow the onscreen wizard:
- Ensure that you select "Process the pending request and install the certificate." Click "Next"
- Specify the "yourdomain.cer" file when prompted to locate your webserver certificate. Click "Next."
- Review the summary screen and ensure that you are processing the correct certificate. Click "Next"
- Click "Next" on the confirmation screen.
- Right-click "Properties" for your website and check the "SSL port" box, as shown at right. Confirm that you have assigned "443" as the https port for your site.
Backing up your key pair file
- Open the MMC as in "Creating your Snap-in," above
- In the left panel, select the Console Root\Certificates(Local Computer)\Personal\Certificates folder
- Right-click on the certificate to export.
- Select "All Tasks" > "Export"
- On the "Welcome to the Certificate Manager Import Wizard" window, click "Next"
- Select "Yes, export the private key" and click "Next"
- Make sure the "Personal Information Exchange - PKCS #12(.pfx)" box is selected
Warning: Make sure that the "Delete the private key if the export is successful" box is NOT checked.
- Check the "Enable strong protection (requires IE5.0, NT4.0 SP4 or above)" box and select "Next"
- Check the "Include all certificates in the chain" box
- Enter and confirm your export password
Note: The password field can be left blank, but we recommend using a good password for security.
Warning: If you lose the password, you must request a new certificate.
- Save the file to a disk or other stable device. Choose a medium from which you can recover, should your system need rebuilding, and save the device in a secure location. If you have problems or questions, contact the SCS HelpDesk, <email@example.com> or x8-4231.
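A restore test for the exported backup, as an added example that is not part of the original instructions: it opens the .pfx file the way a restore would, confirms that it holds a private key, and checks whether a blank password also opens it. The function name Test-PfxBackup, the file name and the demo password are assumptions; the demo certificate is a constructed self-signed one, and the script assumes PowerShell on Windows with .NET Framework 4.7.2 or later.

```powershell
# Added example (not from the original page). Test-PfxBackup is a hypothetical helper name.
function Test-PfxBackup {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][AllowEmptyString()][string]$Password)

    # EphemeralKeySet keeps the imported private key in memory only.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet

    # Open the backup the way a restore would; a wrong password throws here.
    $certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $certs.Import($Path, $Password, $flags)

    # A backup exported with a good password must not open with a blank one.
    $blankOpens = $true
    try {
        $probe = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
        $probe.Import($Path, '', $flags)
    } catch {
        $blankOpens = $false
    }

    [pscustomobject]@{
        Certificates        = $certs.Count      # more than 1 when the chain was included
        WithPrivateKey      = @($certs | Where-Object HasPrivateKey).Count
        Subjects            = @($certs | ForEach-Object Subject)
        OpensWithBlankPassword = $blankOpens
    }
}

# Constructed demo: a throwaway self-signed certificate exported to a temporary .pfx file.
$rsa  = [System.Security.Cryptography.RSA]::Create(2048)
$req  = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=www.example.org', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$cert = $req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddDays(1))
$demoPassword = 'constructed-demo-password'
$pfx  = Join-Path $env:TEMP 'constructed-backup.pfx'
$pfxType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
[IO.File]::WriteAllBytes($pfx, $cert.Export($pfxType, $demoPassword))

Test-PfxBackup -Path $pfx -Password $demoPassword | Format-List
Remove-Item -LiteralPath $pfx
```

For a real backup, run Test-PfxBackup against the copy on the backup medium and supply the password from a prompt rather than storing it in a script file.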