Use IIS 10 to create a CSR and install your new SSL certificate on your Windows server 2016

If you are looking for a simpler way to renew your SSL Certificates, see?Microsoft IIS 10: Renew Your Expiring SSL Certificate (ÃÛÌÒTV Certificate Utility).

These instructions explain how to use IIS 10 to create your CSR, use your ÃÛÌÒTV account to renew your SSL certificate, and then use IIS 10 to install your certificate and to configure your Windows Server 2016 to use the new certificate.

Process for Renewing Your SSL Certificate:

  1. Use IIS 10 to create your CSR.

    How to Create Your CSR with IIS 10

  2. Renew your SSL certificate from your ÃÛÌÒTV account.

    How to Renew Your SSL Certificate

  3. Use IIS 10 to install your new SSL certificate on your Windows server 2016 and then configure the server to use it.

    How to Use IIS 10 to Install and Assign your New SSL Certificate

 

I. How to Create Your CSR with IIS 10

Best practices are to generate a new certificate signing request (CSR) when renewing your SSL certificate.

  1. On the Windows server 2016 with the expiring certificate, open Internet Information Services (IIS) Manager.

    In the?Windows?start menu, type?Internet Information Services (IIS) Manager?and open it.

  2. In Internet Information Services (IIS) Manager, in the?Connections?menu tree (left pane), locate and click the server name.

    IIS 10 - IIS 10 Manager

  3. On the server name?Home?page (center pane), in the?IIS?section, double-click?Server Certificates.

  4. On the?Server Certificates?page (center pane), in the?Actions?menu (right pane), click the?Create Certificate Request¡­?link.

    IIS 10 - IIS 10 Manager

  5. In the?Request Certificate?wizard, on the?Distinguished Name Properties?page, provide the information specified below and then click?Next:

    Common name: Type the fully-qualified domain name (FQDN) (e.g.,?www.example.com).
     
    Organization: Type your company¡¯s legally registered name (e.g.,?YourCompany, Inc.).
     
    Organizational unit: The name of your department within the organization. Frequently this entry will be listed as
    IT, Web Security, or is simply left blank.
     
    City/locality: Type the city where your company is legally located.
     
    State/province: Type the state/province where your company is legally located.
     
    Country: In the drop-down list, select the country where your company is legally located.

    IIS 10 - IIS 10 Manager

  6. On the?Cryptographic Service Provider Properties?page, provide the information below and then click?Next.

    Cryptographic In the drop-down list, select?Microsoft RSA SChannel Cryptographic Provider,
    service provider: unless you have a specific cryptographic provider.
     
    Bit length: In the drop-down list select?2048, unless you have a specific reason for opting for larger bit length.

    IIS 10 - IIS 10 Manager

  7. On the?File Name?page, under?Specify a file name for the certificate request, click the?¡­?box to browse to a location where you want to save your CSR.

    Note: Remember the filename that you choose and the location to which you save your csr.txt file. If you just enter a filename without browsing to a location, your CSR will end up in C:\Windows\System32.

    IIS 10 - IIS 10 Manager

  8. When you are done, click Finish.

 

II. How to Renew Your SSL Certificate

Renew your SSL certificate from inside your ÃÛÌÒTV CertCentral account.

Are you new to the ÃÛÌÒTV team? You can "replace" your certificate with a ÃÛÌÒTV certificate. Order your new certificate here - Purchase Your ÃÛÌÒTV Certificate.

  1. Log into your?CertCentral account.

  2. In CertCentral, in the left main menu, click Certificates > Expiring Certificates.

  3. On the Expiring Certificates page, next to the certificate you want to renew, click Renew Now.

    A certificate doesn't appear on the Expiring Certificates page until 90 days before it expires.

  4. Follow the instructions provided inside your account to renew your SSL certificate.

  5. Add your CSR

    When renewing the certificate, you'll need to include a CSR. On the "Renewal" page, under Certificate Settings, upload the CSR file you saved to the server.

    You can also use a text editor (such as Notepad) to open the file. Then, copy the text, including the?-----BEGIN NEW CERTIFICATE REQUEST-----?and?-----END NEW CERTIFICATE REQUEST-----?tags, and paste it in the Add Your CSR box.

  6. After you place the order to renew your certificate, ÃÛÌÒTV verifies your information.

  7. If we need any additional information, we will promptly contact you by phone or email. If no additional information is required, we will most likely issue your certificate within an hour.

 

III. How to Use IIS 10 to Install and Assign your New SSL Certificate

    Install Your SSL Certificate

  1. On the Windows server 2016 where you created the CSR, save the SSL certificate .cer file (e.g., your_domain_com.cer).

  2. Open Internet Information Services (IIS) Manager.

    In the?Windows?start menu, type?Internet Information Services (IIS) Manager?and open it.

  3. In Internet Information Services (IIS) Manager, in the?Connections?menu tree (left pane), locate and click the server name.

    IIS 10 - IIS 10 Manager

  4. On the server name?Home?page (center pane), in the?IISsection, double-click?Server Certificates.

  5. On the?Server Certificates?page (center pane), in the?Actions?menu (right pane), click the?Complete Certificate Request¡­?link.

    IIS 10 - IIS 10 Manager

  6. In the?Complete Certificate Request?wizard, on the?Specify Certificate Authority Responsef?page, do the following and then click?OK:

    File name containing the Click the?¡­?box and browse to and select the .cer file (e.g.,?your_domain_com.cer) that ÃÛÌÒTV sent to you.
    certificate authority's
    response:
     
    Friendly name: Type a friendly name for the certificate. The friendly name is not part of the certificate;
    instead, it is used to identify the certificate.
    We recommend that you add ÃÛÌÒTV and the expiration date to the end of your friendly name, for example:?yoursite-digicert-(expiration date).
    This information helps identify the issuer and expiration date for each certificate. It also helps distinguish multiple certificates with the same domain name.
     
    Select a certificate store In the drop-down list, select?Web Hosting.
    for the new certificate:

    IIS 10 - IIS 10 Manager

  7. Now that you've successfully installed your SSL certificate, you need to assign the certificate to the appropriate site.

  8. Assign the SSL Certificate

    In?Internet Information Services (IIS) Manager, in the?Connections?menu tree (left pane), expand the name of the server on which the certificate was installed. Then expand?Sites?and click the site you want to use the SSL certificate to secure.

    IIS 10 - IIS 10 Manager

  9. On the website?Home?page, in the?Actions?menu (right pane), under?Edit Site, click the?µþ¾±²Ô»å¾±²Ô²µ²õ¡­?link.

  10. In the?Site Bindings?window, select binding for?https?and then click?Edit.

    IIS 10 - IIS 10 Manager

  11. In the?Edit Site Binding?window, in the?SSL certificate?drop-down list, select your newly installed SSL Certificate by its friendly name and then, click?OK.

    IIS 10 - IIS 10 Manager

  12. Your new SSL Certificate is now installed to the website.

Test Your Installation

If your website is publicly accessible, you can use our?ÃÛÌÒTV® SSL Installation Diagnostics Tool?to verify that the installation is correct. On the?ÃÛÌÒTV®SSL Installation Diagnostics Tool?page, enter the DNS name of the site (e.g.,?www.yourdomain.com) that you are securing to test your SSL certificate.

Troubleshooting

After you've installed the certificate on to the Windows server, if you run into certificate errors, try repairing your certificate trust errors using?ÃÛÌÒTV® Certificate Utility for Windows. If this does not fix the errors, contact support.