IIS 10: Create CA Signing Request and Install SSL Certificate

Create Certificate Signing Request and install your SSL Certificate on your Windows Server 2016

Follow the instructions on this page to use IIS 10 (Internet Information Services Manager) to create your CSR (Certificate Signing Request) and then install your SSL Certificate on your Windows Server 2016.

If you are looking for an easier way to create a CA signing request and to install your SSL certificates, we recommend using the DigiCert® Certificate Utility for Windows. You can use the DigiCert® Certificate Utility to create your signing request and to install your SSL certificates. You will find more information here: Windows Server 2016: Create CSR & Install SSL Certificate with DigiCert Utility (only available in English).

This is how you create your certificate signing request on Windows Server 2016

Create your certificate signing request with IIS 10

  • In the Windows start menu, enter Internet Information Services (IIS) Manager and open it.
  • In the Internet Information Services (IIS) Manager, locate the server name in the menu structure under Connections (left) and click on it.

Internet Information Services (IIS Manager) window

  • On the server name Home page (centre pane) in the IIS Manager, double-click Server Certificates.
  • On the page Server Certificates in the Actions menu on the right side, click the option Create Certificate Request....

Create certificate request

  • In the Request Certificate Wizard, on the Distinguished Name Properties page, specify the following information, and then click Next:
Information Description
Common Name: Enter the fully qualified domain name (FQDN) (for example, www.example.com).
Organization: Enter the legally registered name of your company (e.g. Example GmbH).
Organizational Unit: The name of the department within the organization. You can enter “IT” or “Web Security” here; however, this field is also often left empty.
City: Enter the city in which your company is located.
State/Province: Enter the state/province in which your company is located.
Country/Region: From the drop-down list, select the country in which your company is legally located.

Requesting Certificate

  • On the Cryptographic Service Provider Properties page, provide the following information, and then click Next.
Information Description
Cryptographic Service Provider: From the drop-down list, select Microsoft RSA SChannel Cryptographic Provider unless you prefer another cryptographic service provider.
Bit length: From the drop-down list, select 2048 unless you have to choose a larger bit length.

Options in the “Requesting Certificate” window

  • On the page File Name, under Specify a File Name for Certificate Request click the ... field to browse to a location where you want to save your CSR.

Note

Write down the file name and the location where you saved the csr.txt file. If you enter a file name without specifying a location where the file should be saved, your certificate signing request will be saved under C:\Windows\System32.

Complete certificate signing request

  • When you are done, click Finish.
  • Then, use a text editor (e.g. Notepad) to open the file. Copy the text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, and paste it into the DigiCert form.

Text Editor View

Now you are ready to request your SSL certificate.
  • Once you have received your SSL certificate from DigiCert, you can install it.
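
The request created by the wizard steps above can also be produced and checked from an elevated PowerShell prompt with the built-in certreq.exe and certutil.exe tools. This is an added example, not DigiCert's code; the C:\certs folder and the city and state values are constructed placeholders, and the remaining subject values are the page's own examples.

```powershell
# Added example: scripted equivalent of the "Create Certificate Request" wizard.
# C:\certs and the L=/S= values are constructed placeholders; replace before use.
$csrPath = 'C:\certs\csr.txt'       # explicit location, so nothing lands in C:\Windows\System32
$infPath = 'C:\certs\request.inf'   # certreq input file written below

# Same choices as the wizard pages: distinguished name, RSA SChannel provider, 2048 bits.
# The single-quoted here-string keeps "$Windows NT$" from being expanded by PowerShell.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=www.example.com, O=Example GmbH, OU=IT, L=Berlin, S=Berlin, C=DE"
KeySpec = 1
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
'@

New-Item -ItemType Directory -Path (Split-Path $csrPath) -Force | Out-Null
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generates the key pair in the machine store and writes the PKCS#10 request.
certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Check the file carries the tags that must be pasted into the DigiCert form.
$lines = Get-Content -Path $csrPath
if ($lines[0]  -ne '-----BEGIN NEW CERTIFICATE REQUEST-----' -or
    $lines[-1] -ne '-----END NEW CERTIFICATE REQUEST-----') {
    throw "Unexpected CSR framing in $csrPath"
}

# Decode the request and show the values the CA will see before you submit it.
certutil.exe -dump $csrPath |
    Select-String -Pattern 'CN=', 'O=', 'C=', 'Public Key Length'
```

The private key never leaves the server; only csr.txt is sent to the CA, which is why the certificate must later be installed on the same machine.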

How to install and configure your SSL certificate on Windows Server 2016

If you have not created your SSL certificate using the DigiCert certificate program before, please read Windows Server 2016: Create CSR & Install SSL Certificate with DigiCert Utility.

After we have validated and issued your SSL certificate, you have to install it on the Windows Server 2016 where the certificate signing request was generated. Then, you have to set up the server.

How to install and configure your SSL certificate

Install SSL certificate

  • On the server where you created the CSR, save the .cer file for the SSL certificate (for example, yourDomaincom.cer) that DigiCert sent to you.
  • In the Windows start menu, enter Internet Information Services (IIS) Manager and open it.
  • In the Internet Information Services (IIS) Manager in the Connections menu tree (left pane), find the server name and click on it.

IIS Manager

  • On the server name Home page (centre pane) in the IIS Manager, double-click Server Certificates.
  • On the Server Certificates page, in the Actions menu (right pane), click the Complete Certificate Request... link.

Complete certificate request

  • In the Complete Certificate Request wizard, on the Specify Certificate Authority Response page, enter the following information, and then click OK.
Information Description
File name containing the certificate authority's response: Click on the ... field and select the .cer file (e.g. yourDomaincom.cer) that DigiCert sent to you.
Display Name: Enter a display name for the certificate. The display name is not part of the certificate; it is used to identify the certificate. We recommend adding DigiCert and the expiration date at the end of the display name, for example: yourpage-digicert-expirationdate. This information will help you identify the issuer and the expiration date of every certificate. It will also help you distinguish between different certificates with the same domain.
Select a certificate store for the new certificate: From the drop-down list, select Web Hosting.

Window “Complete certificate request”

  • Now that you have successfully installed your SSL certificate, you need to assign the certificate to the appropriate site.

Assign SSL Certificate

  • In the menu tree Connections (left) under Internet Information Services (IIS) Manager, expand the name of the server on which the certificate was installed. Expand Sites and click on the site that you want to secure using the SSL certificate.

Default Web Site Home Page

  • On the page Default Web Site Home, in the Actions menu (right pane), under Edit Site, click Bindings....
  • In the Site Bindings window, click Add.

Bindings

  • Enter the following information in the Add Site Bindings window, and then click OK:
Information Description
Type: From the drop-down list, select https.
IP Address: From the drop-down list, select the IP address of the site or select All Unassigned.
Port: Enter 443. Port 443 is the port over which SSL-secured traffic is served.
SSL certificate: From the drop-down list, select your new SSL certificate (for example, yourdomain.com).

Add Site Binding

  • Your SSL certificate is now installed, and the website has been set up to accept secure connections.

Help options in the “Site Bindings” window

How to install and configure your SSL certificates using SNI

These instructions explain how to install multiple SSL certificates and how to assign them via SNI. The process is divided into two parts:

  • Installing and Configuring Your First SSL Certificate
  • Installing and Configuring All Additional SSL Certificates

Install First SSL Certificate

Note

Please note that this process only needs to be done once for the first SSL certificate.

  • On the server where you created the CSR, save the .cer file for the SSL certificate (for example, yourDomaincom.cer) that DigiCert sent to you.

  • In the Windows start menu, type Internet Information Services (IIS) Manager and open the manager.

  • In the Internet Information Services (IIS) Manager in the Connections menu tree (left pane), locate and click on the server name.

IIS Manager window

  • On the home page, in the IIS section, double-click Server Certificates.
  • On the Server Certificates page, in the Actions menu, click the Complete Certificate Request option.

IIS Manager window

  • In the Complete Certificate Request wizard, on the Specify Certificate Authority Response page, enter the following information, and then click on OK.
Information Description
File name containing the certificate authority's response: Click on the ... field and select the .cer file (e.g. yourDomaincom.cer) that DigiCert sent to you.
Display Name: Enter a display name for the certificate. The display name is not part of the certificate; it is used to identify the certificate. We recommend adding DigiCert and the expiration date at the end of the display name, for example: yourpage-digicert-expirationdate. This information will help you identify the issuer and the expiration date of every certificate. It will also help you distinguish between different certificates with the same domain.
Select a certificate store for the new certificate: From the drop-down list, select Web Hosting.

Window “Complete certificate request”

  • Now that you have successfully installed your SSL certificate, you need to assign the certificate to the appropriate site.
  • In the menu tree Connections (left) under Internet Information Services (IIS) Manager, expand the name of the server on which the certificate was installed. Expand Sites and click on the site that you want to secure using the SSL certificate.

IIS Manager with highlighted option “Bindings”

  • On the page Default Web Site Home, in the Actions menu (right pane), under Edit Site, click on Bindings.
  • In the Site Bindings window, click Add.

“Add Site Bindings” window with highlighted options

  • Enter the following information in the Add Site Bindings window, and then click OK:
Information Description
Type: From the drop-down list, select https.
IP Address: From the drop-down list, select the IP address of the site or select All Unassigned.
Port: Enter 443. Port 443 is the port over which SSL-secured traffic is served.
SSL certificate: From the drop-down list, select your new SSL certificate (for example, yourdomain.com).

“Add Site Bindings” window

  • Your SSL certificate is now installed, and the website has been set up to accept secure connections.

Install Additional SSL Certificates

To install and assign each additional SSL certificate, repeat the steps described below.

  • On the server where you created the CSR, save the .cer file for the SSL certificate (for example, yourDomaincom.cer) that DigiCert sent to you.
  • In the Windows start menu, type Internet Information Services (IIS) and open the manager.
  • In the Internet Information Services (IIS) Manager, in the Connections menu tree, locate and click on the server name.

Server certificates

  • On the server name Home page (centre pane) in the IIS Manager, double-click Server Certificates.
  • On the Server Certificates page, in the Actions menu (right pane), click the Complete Certificate Request... link.

Complete certificate request

  • In the Complete Certificate Request wizard, on the Specify Certificate Authority Response page, enter the following information, and then click OK.
Information Description
File name containing the certificate authority's response: Click on the ... field and select the .cer file (e.g. yourDomaincom.cer) that DigiCert sent to you.
Display Name: Enter a display name for the certificate. The display name is not part of the certificate; it is used to identify the certificate. We recommend adding DigiCert and the expiration date at the end of the display name, for example: yourpage-digicert-expirationdate. This information will help you identify the issuer and the expiration date of every certificate. It will also help you distinguish between different certificates with the same domain.
Select a certificate store for the new certificate: From the drop-down list, select Web Hosting.

Complete certificate request

  • Now that you have successfully installed your SSL certificate, you need to assign the certificate to the appropriate site.
  • In the menu tree Connections (left) under Internet Information Services (IIS) Manager, expand the name of the server on which the certificate was installed. Expand Sites and click on the site that you want to secure using the SSL certificate.

“IIS Manager” window

  • On the page Default Web Site Home, in the Actions menu (right pane), under Edit Site, click Bindings....
  • In the Site Bindings window, click Add.

Bindings

  • Enter the following information in the Add Site Bindings window, and then click OK:
Information Description
Type: From the drop-down list, select https.
IP Address: From the drop-down list, select the IP address of the site or select All Unassigned.
Port: Enter 443. Port 443 is the port over which SSL-secured traffic is served.
Host Name: Type the host name that you want to secure.
Require Server Name Indication: After entering the host name, select this field. After installing the first certificate and securing the main site, this is required for all additional certificates/sites.
SSL certificate: From the drop-down list, select your new SSL certificate (for example, yourdomain2.com).

“Add Site Bindings” window with highlighted options

  • You have successfully installed another SSL certificate and set up the website to accept secure connections.
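
The binding steps for an additional certificate can be scripted with the WebAdministration module, with checks for the failures that most often break an SNI site. This is an added example, not DigiCert's code; it assumes the certificate request has already been completed into the Web Hosting store as described above, and the C:\certs folder and the host name are constructed placeholders.

```powershell
# Added example: verify an installed certificate, then create the SNI binding for it.
# Run elevated on the IIS server. Folder and host name below are constructed placeholders.
Import-Module WebAdministration

$cerPath  = 'C:\certs\yourDomaincom.cer'   # file name from the page; folder is assumed
$siteName = 'Default Web Site'             # site shown on the page
$hostName = 'www.example.com'              # host name to secure (placeholder)

# Read thumbprint and validity from the file the CA sent.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerPath
if ($issued.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($issued.NotAfter)." }

# "Web Hosting" in the wizard is Cert:\LocalMachine\WebHosting.
$cert = Get-ChildItem Cert:\LocalMachine\WebHosting |
    Where-Object { $_.Thumbprint -eq $issued.Thumbprint }
if (-not $cert) { throw 'Certificate is not in the Web Hosting store; complete the request first.' }

# The key pair was created with the CSR and stays on that server. A certificate
# without a private key here usually means the request was completed elsewhere.
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key on this server.' }

# Warn when no DNS name in the certificate matches the host name. Wildcard entries
# are compared with -like, which is looser than real TLS name matching.
$covered = $cert.DnsNameList.Unicode | Where-Object { $hostName -like $_ }
if (-not $covered) { Write-Warning "Certificate does not list $hostName; clients will see a name mismatch." }

# Same fields as the Add Site Binding dialog: https, All Unassigned, 443, host name,
# Require Server Name Indication (SslFlags 1).
if (Get-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName) {
    throw "An https binding for $hostName already exists on '$siteName'."
}
New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*' -HostHeader $hostName -SslFlags 1
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName
$binding.AddSslCertificate($cert.Thumbprint, 'WebHosting')

# Show what HTTP.sys now serves for this host name.
netsh.exe http show sslcert "hostnameport=${hostName}:443"
```

The final netsh output should show the same certificate hash as the thumbprint read from the .cer file and the Web Hosting store name.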