Computing Facilities, Carnegie Mellon School of Computer Science, Carnegie Mellon University

Configuring IIS SSL

Before you begin

Before you generate your CSR, please take a look at the following sections of the SCS Facilities web certificate documentation for SCS-specific information about generating a CSR and installing the certificate:

If you are renewing an existing certificate: It is possible to renew without generating a new CSR. See the SCS Facilities IIS certificate renewal instructions for information on how to do this. Note: If you want your new certificate to have a different private key size ("bit length") than your current certificate, you will need to generate a new CSR.

Generating a new CSR and installing a certificate

Microsoft's documentation provides detailed instructions on CSR generation and certificate installation.

Deprecated documentation

Note: The instructions below are for the Windows XP interface and an old version of IIS (5.1). They have been retained because some people may still find them useful. The interface and procedure for the version of Windows and IIS that you are using may be different.

Request an SSL/Webserver Certificate

  1. Start IIS, right-click "Default Web Site," and select "Properties" on the menu
  2. On the "Properties" window, click the "Directory Security" tab
  3. Click "Server Certificate" and follow the onscreen wizard
  4. Select "Prepare the request now, but send it later"
  5. For the certificate name, enter the machine's FQDN (fully-qualified DNS name) or the site's URL
  6. Select bit length "2048"
  7. For "Organization," enter Carnegie Mellon University
  8. For "Organizational Unit," enter SCS - <your Department> (e.g. ISRI, HCII, ETC, ...)
  9. For "Common Name," enter the machine's FQDN or the site URL
  10. Enter the country, state, and city information (check spelling). "Pennsylvania" must be spelled out in full
  11. Save the request file
  12. Request a certificate by forwarding your file to <certificates@cs.cmu.edu>
  13. Generate an MD5 checksum on the request file (search the Web on "MD5 checksum" to find a current tool)
  14. Have the checksum handy to verify machine and requester identity when an SCS Facilities staff member calls
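
The same request can be scripted with `certreq.exe` on current Windows versions; this is an added example, not SCS Facilities' own procedure. The host name, the department value, the city and country in the subject, and the file names are placeholders to replace with your own; `Exportable = TRUE` is set because the backup procedure later on this page exports the private key.

```powershell
# Added example: scripted equivalent of wizard steps 4-13 using certreq.exe.
$fqdn = "www.example.cs.cmu.edu"   # placeholder host name (constructed)
$dept = "ISRI"                     # one of the sample departments from step 8

# Request template for certreq.exe. Single-quoted here-string, so PowerShell
# expands nothing inside it; {FQDN} and {DEPT} are filled in below.
$template = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
; City and country below are placeholders; "Pennsylvania" is spelled out (step 10).
Subject = "CN={FQDN}, OU=SCS - {DEPT}, O=Carnegie Mellon University, L=Pittsburgh, S=Pennsylvania, C=US"
KeyLength = 2048
KeySpec = 1
Exportable = TRUE
MachineKeySet = TRUE
RequestType = PKCS10
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
'@

$template.Replace('{FQDN}', $fqdn).Replace('{DEPT}', $dept) |
    Set-Content -Path request.inf -Encoding ASCII

# Generate the key pair in the machine store and write the PKCS #10 request.
certreq.exe -new request.inf request.csr
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Review the subject and key length before sending the file (step 12).
certutil.exe -dump request.csr

# Step 13: checksum of the exact file that is forwarded, to read back by phone.
Get-FileHash -Algorithm MD5 -Path request.csr | Format-List Algorithm, Hash, Path
```

Compute the checksum on the file as it will be sent; re-saving the request in an editor can change line endings and therefore the checksum.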

Install your Certificates

When the issuance email arrives, it will contain two certificates: a "chained" certificate for the machine and a server certificate for the site.
  • Copy the chained certificate into a text editor, such as Notepad, and save it as chain.cer
  • Copy the webserver certificate into a text editor, such as Notepad, and save it with your site name as <yourdomain>.cer

Creating your Snap-in Management Console

Certificate snap-ins for the "Microsoft Management Console" (MMC) are not preconfigured. You (the system administrator) must configure a console before you can specify functionality.

On your webserver machine, open the MMC "Certificates" snap-in as follows:

  1. From your desktop, go to "Start" > "Run"
  2. Type mmc and click "OK" to bring up a console
  3. From the "File" menu, select "Add/Remove Snap-in"
  4. On the "Add/Remove Snap-in" window, click "Add"
  5. In the "Add Standalone Snap-in" window, select "Certificates" and click "Add"
  6. Select "Computer Account" > "Next" > "Finish"
  7. "Close" the "Add Standalone Snap-in" box and click "OK" in the "Add/Remove Snap-in"

Now install the chained certificate

Expand the MMC "Certificates" entry and right-click "Intermediate Certification Authorities," as shown at right:
  1. Select "All Tasks" > "Import."
  2. Complete the Import wizard, identifying your chained certificate (chain.cer) when prompted for "Certificate file to import"
  3. Ensure that the chained certificate appears under "Intermediate Certification Authorities"

Finally, install your webserver certificate

  1. Start IIS and right-click "Default Web Site" and select "Properties" from the pulldown menu, as shown at right.
  2. When the "Properties" window appears, click on the "Directory Security" tab
  3. Click on "Server Certificate" and follow the onscreen wizard:
    1. Ensure that you select "Process the pending request and install the certificate." Click "Next"
    2. Specify the "yourdomain.cer" file when prompted to locate your webserver certificate. Click "Next."
    3. Review the summary screen and ensure that you are processing the correct certificate. Click "Next"
    4. Click "Next" on the confirmation screen.
    5. Right-click "Properties" for your website and check the "SSL port" box, as shown at right. Confirm that you have assigned "443" as the https port for your site.

Note: You must restart your physical machine to complete the install.

Backing up your key/pair file

  1. Open the MMC as in "Creating your Snap-in," above
  2. In the left panel, select the Console Root\Certificates(Local Computer)\Personal\Certificates folder
  3. Right-click on the certificate to export.
  4. Select "All Tasks" > "Export"
  5. On the "Welcome to the Certificate Manager Import Wizard" window, click "Next"
  6. Select "Yes, export the private key" and click "Next"
  7. Make sure the "Personal Information Exchange - PKCS #12(.pfx)" box is selected
    Warning: Make sure that the "Delete the private key if the export is successful" box is NOT checked.
  8. Check the "Enable strong protection requires IE5.0, NT4.0 SP4 or above" box and select "Next"
  9. Check the "Include all certificates in the chain" box
  10. Enter and confirm your export password
    Note: The password field can be left blank, but we recommend using a good password for security.

    Warning: If you lose the password, you must request a new certificate.

  11. Save the file to a disk or other stable device. Choose a medium from which you can recover, should your system need rebuilding, and save the device in a secure location. If you have problems or questions, contact the SCS HelpDesk, <help+@cs.cmu.edu> or x8-4231.
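
On Windows versions that ship the PKI PowerShell module, the export above can be scripted and the resulting file checked before it is put away. This is an added example, not part of the SCS Facilities instructions; the host name and the backup path are placeholders, and it assumes the key was created as exportable.

```powershell
# Added example: export the server key pair to a password-protected .pfx
# and confirm the backup can be opened again.
$fqdn    = "www.example.cs.cmu.edu"    # placeholder host name (constructed)
$pfxPath = "E:\backup\$fqdn.pfx"       # placeholder path on removable media

# Locate the installed certificate in Certificates (Local Computer)\Personal.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$fqdn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $fqdn" }

# Prompt for the export password so it is never stored in the script.
$password = Read-Host -AsSecureString "Export password"

# Export the key pair with its chain ("Include all certificates in the chain").
# The private key stays in the machine store; nothing is deleted.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath `
    -Password $password -ChainOption BuildChain | Out-Null

# Re-open the backup with the same password and check it holds this certificate.
$pfx = Get-PfxData -FilePath $pfxPath -Password $password
$match = $pfx.EndEntityCertificates |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $match) { throw "Backup does not contain certificate $($cert.Thumbprint)" }

"Backup OK: {0} ({1} chain certificate(s) included)" -f `
    $cert.Thumbprint, $pfx.OtherCertificates.Count
```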