IIS 10: Creating a Certificate Signing Request and Installing SSL Certificates
This chapter contains instructions on how to to use IIS 10 (Internet Information Services Manager) to create your CSR (Certificate Signing Request) and then install your SSL certificate on your Windows Server 2016. It is divided into the following sections:
- Creating a Certificate Signing Request with IIS 10 on Windows Server 2016
- Installing and Configuring a SSL Certificate on Windows Server 2016
- Installing Additional SSL Certificates with SNI
Tip
If you are looking for an easier way to create an CA signing request and to install your SSL certificates, we would recommend using DigiCert® Certificate Utility for Windows. You can use the DigiCert® Certificate Utility to create your certificate signing request and install your SSL certificate.
For more information, see: DigiCert Utility | Windows Server 2016 | Create a CSR & Install SSL Certificate.
General information on SSL certificates can be found here: What is a SSL Certificate?
Please note that clicking on these web addresses will take you away from TRASER DOCS. TRASER Software GmbH is not responsible for the content on these websites.
Creating a Certificate Signing Request with IIS 10 on Windows Server 2016
This section describes how to create your certificate signing request using IIS 10. To do so, please proceed as follows:
- In the Windows start menu, enter Internet Information Services (IIS) Manager and open it.
- In the Internet Information Services (IIS) Manager, locate the server name in the menu structure under Connections (left) and click on it.
- On the server name home page (center pane) in the IIS Manager, double-click Server Certificates.
- On the Server Certificates page in the Actions menu (right pane), click on Complete Certificate Request....
- In the Request Certificate Wizard on the Distinguished Name Properties page, specify the following information, then click Next:
| Information | Description |
|---|---|
| Common Name: | Enter the fully qualified domain name (FQDN) (for example, www.example.com). |
| Organization: | Enter the legally registered name of your company (e.g., Example GmbH). |
| Organisational Unit | The name of the department within the organization. This entry is often listed as “IT” or “Web security” or simply left blank. |
| City | Enter the city in which your company is legally located. |
| State/Province: | Enter the state/province in which your company is legally located. |
| Country/Region: | Select the country in which your company is legally located from the dropdown list. |
- On the Cryptographic Service Provider Properties page, provide the following information, then click Next.
| Information | Description |
|---|---|
| Cryptography Service Provider: | Select Microsoft RSA SChannel Cryptographic Provider from the dropdown list, unless you prefer another cryptographic service provider. |
| Bit length: | Select 2048 from the drop-down list, unless you have a specific reason for choosing a larger bit length. |
- On the File Name page under Specify a File Name for Certificate Request, click on the ... field to browse to a location where you want to save your CSR.
Note
Write down the file name and the location where you have saved the csr.txt file. If you enter a file name without specifying a location where the file shall be saved, your certificate signature request will be saved under C:\Windows\System32.
- Once you are done, click on Finish.
- Then open the file with a text editor (e.g., Notepad).
- Copy the text including the tags -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- and paste it to the DigiCert form.
- To order your SSL certificate, click on the following link: TLS/SSL Certificates. Please note that clicking on these web addresses will take you away from TRASER DOCS. TRASER Software GmbH is not responsible for the content on these websites.
You have successfully ordered a SSL certificate. Once you have received your SSL certificate from DigiCert, you can install it and assign it to a website.
Installing and Configuring a SSL Certificate on Windows Server 2016
After your SSL certificate has been validated and issued, you have to install it on the Windows Server 2016 where the certificate signing request was generated. Then, you have to set up the server. To do so, please proceed as follows:
- On the server where you created the CSR, save the .cer file for the SSL certificate (e.g., your_Domain_com.cer) that DigiCert sent to you.
- In the Windows start menu, enter Internet Information Services (IIS) Manager and open it.
- In the Internet Information Services (IIS) Manager in the Connections menu tree (left pane), find the server name and click on it.
- On the server name home page (center pane) in the IIS Manager, double-click Server Certificates.
- On the Server Certificates page in the Actions menu (right pane) click on Complete Certificate Request....
- In the Complete Certificate Request wizard, enter the following information on the Specify Certificate Authority Response page, then click OK.
| Information | Description |
|---|---|
| File name containing the certificate authority's response: | Click on the ... field and select the .cer file (e.g., Your_Domain_com.cer) that DigiCert sent to you. |
| Display Name: | Enter a display name for the certificate. The display name is not part of the certificate, the display name will be used for identifying the certificate. We recommend to add DigiCert and the expiration date at the end of the display name, for example: yourpage-digicert-(expiration date). These information will help you with identifying the issuer and the expiration date of every certificate. They will also help you with distinguishing between different certificates with the same domain. |
| Select a certificate store for the new certificate: | Select Web Hosting from the dropdown list. |
- Click OK to confirm your input.
- In the menu tree Connections (left) under Internet Internet Information Services (IIS) Manager, expand the name of the server on which the certificate was installed. Expand Sites and click on the website that you want to secure using the SSL certificate.
- On the Default Web Site Home page in the Actions menu (right pane) under Edit Site, click on Bindings....
- In the Site Bindings window, click on Add.
- Enter the following information in the Add Site Bindings window:
| Information | Description |
|---|---|
| Type: | Select https from the dropdown list. |
| IP Address: | From the dropdown list, select the IP address of the website or select All Unassigned. |
| Port: | Enter 443 in this field. The port through which traffic is protected by SSL is 443. |
| SSL certificate: | Select your new SSL certificate from the dropdown list (e.g., yourdomain.com). |
- Click OK to confirm your input.
You have successfully installed your SSL certificate and set up the website to accept secure connections.
Installing Additional SSL Certificates with SNI
If you want to operate multiple websites on the same server, you need a separate SSL certificate for each domain. In addition, your server must support SNI (Server Name Indication) in order to manage multiple certificates via the same host or IP address. Please proceed as follows for each additional SSL certificate you want to install and assign:
- On the server where you created the CSR, save the .cer file for the SSL certificate (e.g., your_domain_com.cer) that DigiCert sent to you.
- In the Windows start menu, enter Internet Information Services (IIS) Manager and open it.
- In the Internet Information Services (IIS) Manager in the Connections menu tree, locate the server name and click on it.
- On the server name home page (center pane) in the IIS Manager, double-click Server Certificates.
- On the Server Certificates page in the Actions menu (right pane) click on Complete Certificate Request....
- In the Complete Certificate Request wizard, on the Specify Certificate Authority Response page, enter the following information, then click OK.
| Information | Description |
|---|---|
| File name containing the certificate authority's response: | Click on the ... field and select the .cer file (e.g., Your_Domain_com.cer) that DigiCert sent to you. |
| Display Name: | Enter a display name for the certificate. The display name is not part of the certificate, but will be used to identify the certificate. We recommend to add DigiCert and the expiration date at the end of the display name, for example: yourpage-digicert-(expiration date). This information will help you with identifying the issuer and the expiration date of every certificate. It will also help you with distinguishing between different certificates with the same domain. |
| Select a certificate store for the new certificate: | Select Web Hosting from the dropdown list. |
- Now that you have successfully installed your SSL certificate, you need to assign the certificate to the appropriate site.
- In the menu tree Connections (left) under Internet Internet Information Services (IIS) Manager, expand the name of the server on which the certificate was installed. Expand Sites and click on the website that you want to secure using the SSL certificate.
- On the Default Web Site Home page in the Actions menu (right pane) under Edit Site, click on Bindings....
- In the Site Bindings window, click on Add.
- Enter the following information in the Add Site Bindings window, then click OK:
| Information | Description |
|---|---|
| Type: | Select https from the dropdown list. |
| IP Address: | From the dropdown list, select the IP address of the website or select All Unassigned. |
| Port: | Enter 443 in this field. The port through which traffic is protected by SSL is 443. |
| Host Name: | Enter the host name that you want to secure. |
| Require Server Name Indication: | After entering the host name, select this field. This is required for all additional certificates/sites after installing the first certificate and saving the main site. |
| SSL Certificate: | Select your new SSL certificate from the dropdown list (e.g., yourdomain2.com). |
You have successfully installed another SSL certificate and set up the website to accept secure connections.