Use IIS 10 to create a CSR and install your new SSL certificate on your Windows Server 2016
If you are looking for a simpler way to renew your SSL certificates, see Microsoft IIS 10: Renew Your Expiring SSL Certificate (DigiCert Certificate Utility).
These instructions explain how to use IIS 10 to create your CSR, use your DigiCert account to renew your SSL certificate, and then use IIS 10 to install your certificate and to configure your Windows Server 2016 to use the new certificate.
Process for Renewing Your SSL Certificate:
- Use IIS 10 to create your CSR.
- Renew your SSL certificate from your DigiCert account.
- Use IIS 10 to install your new SSL certificate on your Windows Server 2016 and then configure the server to use it.
How to Use IIS 10 to Install and Assign your New SSL Certificate
I. How to Create Your CSR with IIS 10
Best practice is to generate a new certificate signing request (CSR) when renewing your SSL certificate.
- On the Windows Server 2016 with the expiring certificate, open Internet Information Services (IIS) Manager.
  In the Windows start menu, type Internet Information Services (IIS) Manager and open it.
- In Internet Information Services (IIS) Manager, in the Connections menu tree (left pane), locate and click the server name.
- On the server name Home page (center pane), in the IIS section, double-click Server Certificates.
- On the Server Certificates page (center pane), in the Actions menu (right pane), click the Create Certificate Request… link.
- In the Request Certificate wizard, on the Distinguished Name Properties page, provide the information specified below and then click Next:
  Common name: Type the fully-qualified domain name (FQDN) (e.g., www.example.com).
  Organization: Type your company's legally registered name (e.g., YourCompany, Inc.).
  Organizational unit: The name of your department within the organization. Frequently this entry will be listed as IT, Web Security, or is simply left blank.
  City/locality: Type the city where your company is legally located.
  State/province: Type the state/province where your company is legally located.
  Country: In the drop-down list, select the country where your company is legally located.
- On the Cryptographic Service Provider Properties page, provide the information below and then click Next.
  Cryptographic service provider: In the drop-down list, select Microsoft RSA SChannel Cryptographic Provider, unless you have a specific cryptographic provider.
  Bit length: In the drop-down list, select 2048, unless you have a specific reason for opting for a larger bit length.
- On the File Name page, under Specify a file name for the certificate request, click the … box to browse to a location where you want to save your CSR.
  Note: Remember the filename that you choose and the location to which you save your csr.txt file. If you just enter a filename without browsing to a location, your CSR will end up in C:\Windows\System32.
- When you are done, click Finish.
II. How to Renew Your SSL Certificate
Renew your SSL certificate from inside your DigiCert CertCentral account.
Are you new to the DigiCert team? You can "replace" your certificate with a DigiCert certificate. Order your new certificate here - Purchase Your DigiCert Certificate.
- Log into your CertCentral account.
- In CertCentral, in the left main menu, click Certificates > Expiring Certificates.
- On the Expiring Certificates page, next to the certificate you want to renew, click Renew Now.
  A certificate doesn't appear on the Expiring Certificates page until 90 days before it expires.
- Follow the instructions provided inside your account to renew your SSL certificate.
- Add your CSR
  When renewing the certificate, you'll need to include a CSR. On the "Renewal" page, under Certificate Settings, upload the CSR file you saved to the server.
  You can also use a text editor (such as Notepad) to open the file. Then, copy the text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, and paste it in the Add Your CSR box.
- After you place the order to renew your certificate, DigiCert verifies your information.
- If we need any additional information, we will promptly contact you by phone or email. If no additional information is required, we will most likely issue your certificate within an hour.
III. How to Use IIS 10 to Install and Assign your New SSL Certificate
- On the Windows Server 2016 where you created the CSR, save the SSL certificate .cer file (e.g., your_domain_com.cer).
- Open Internet Information Services (IIS) Manager.
  In the Windows start menu, type Internet Information Services (IIS) Manager and open it.
- In Internet Information Services (IIS) Manager, in the Connections menu tree (left pane), locate and click the server name.
- On the server name Home page (center pane), in the IIS section, double-click Server Certificates.
- On the Server Certificates page (center pane), in the Actions menu (right pane), click the Complete Certificate Request… link.
- In the Complete Certificate Request wizard, on the Specify Certificate Authority Response page, do the following and then click OK:
  File name containing the certificate authority's response: Click the … box and browse to and select the .cer file (e.g., your_domain_com.cer) that DigiCert sent to you.
  Friendly name: Type a friendly name for the certificate. The friendly name is not part of the certificate; instead, it is used to identify the certificate. We recommend that you add DigiCert and the expiration date to the end of your friendly name, for example: yoursite-digicert-(expiration date). This information helps identify the issuer and expiration date for each certificate. It also helps distinguish multiple certificates with the same domain name.
  Select a certificate store for the new certificate: In the drop-down list, select Web Hosting.
  Now that you've successfully installed your SSL certificate, you need to assign the certificate to the appropriate site.
- Assign the SSL Certificate
  In Internet Information Services (IIS) Manager, in the Connections menu tree (left pane), expand the name of the server on which the certificate was installed. Then expand Sites and click the site you want to use the SSL certificate to secure.
- On the website Home page, in the Actions menu (right pane), under Edit Site, click the Bindings… link.
- In the Site Bindings window, select the binding for https and then click Edit.
- In the Edit Site Binding window, in the SSL certificate drop-down list, select your newly installed SSL certificate by its friendly name and then click OK.
- Your new SSL certificate is now installed to the website.
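A local check that the install and binding steps took effect, as an added example that is not part of the original instructions. The friendly-name pattern and the site name are placeholders; the script assumes the certificate was placed in the Web Hosting store as described above.

```powershell
# Added example: verify the installed certificate and the https binding.
# $friendly and $siteName are placeholders (assumptions); adjust to your server.
Import-Module WebAdministration

$friendly = 'yoursite-digicert-*'     # friendly name typed in the Complete Certificate Request wizard
$siteName = 'Default Web Site'        # IIS site the certificate was assigned to

# Locate the newest matching certificate in the Web Hosting store.
$cert = Get-ChildItem Cert:\LocalMachine\WebHosting |
    Where-Object { $_.FriendlyName -like $friendly } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw "No certificate matching '$friendly' found in the Web Hosting store."
}

# If the request was completed on a server other than the one that created the CSR,
# the certificate has no private key here and IIS cannot use it.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key on this server."
}

# Catch the case where the old, expiring certificate was selected by mistake.
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    throw "Certificate $($cert.Thumbprint) is outside its validity period."
}

# List every https binding on the site and flag whether it uses the new certificate.
$bindings = Get-WebBinding -Name $siteName -Protocol https
if (-not $bindings) { throw "Site '$siteName' has no https binding." }

$bindings | ForEach-Object {
    [pscustomobject]@{
        Binding     = $_.bindingInformation
        Store       = $_.certificateStoreName
        Thumbprint  = $_.certificateHash
        UsesNewCert = ($_.certificateHash -eq $cert.Thumbprint)
    }
} | Format-Table -AutoSize

"New certificate: $($cert.Subject), expires $($cert.NotAfter.ToString('yyyy-MM-dd'))"
```

Any binding that shows UsesNewCert as False is still serving a different certificate and needs to be edited in the Site Bindings window.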
Test Your Installation
If your website is publicly accessible, you can use our DigiCert® SSL Installation Diagnostics Tool to verify that the installation is correct. On the DigiCert® SSL Installation Diagnostics Tool page, enter the DNS name of the site (e.g., www.yourdomain.com) that you are securing to test your SSL certificate.
Troubleshooting
After you've installed the certificate onto the Windows server, if you run into certificate errors, try repairing your certificate trust errors using DigiCert® Certificate Utility for Windows. If this does not fix the errors, contact support.