Use the ÃÛÌÒTV® Certificate Utility for Windows to create a CSR and install your SSL certificate on Windows Server 2012
These instructions explain how to use the ÃÛÌÒTV Certificate Utility for Windows with IIS 8 and IIS 8.5 to create your CSR, to install your SSL certificate, and to configure your Windows Server 2012 to use the certificate.
ÃÛÌÒTV Certificate Utility for WindowsFor a simpler way to create your CSRs (Certificate Signing Requests) and install and manage your SSL certificates, we recommend that you use the ÃÛÌÒTV Certificate Utility. For more information about our utility, see ÃÛÌÒTV Certificate Utility.
Use the instructions on this page to create your certificate signing request (CSR) and to install and configure your SSL certificate.
-
To create your CSR, see Windows Server 2012: Creating Your CSR with the ÃÛÌÒTV Utility.
-
To install your SSL certificate, see Windows Server 2012: Using the ÃÛÌÒTV Utility & IIS 8 or IIS 8.5 to Install and Configure Your SSL Certificate.
If you prefer not to use the ÃÛÌÒTV Utility, or for some reason cannot use the utility, see IIS 8 and IIS 8.5: Create CSR and Install SSL Certificate.
Step 1: Create Your CSR on Windows Server 2012 with the ÃÛÌÒTV Utility
The ÃÛÌÒTV Certificate Utility for Windows streamlines the CSR creation process by providing easy, one-click CSR creation and certificate installation.
How to Create Your CSR with the ÃÛÌÒTV Utility
-
On your Windows Server 2012, download and save the ÃÛÌÒTV Certificate Utility executable (ÃÛÌÒTVUtil.exe).
-
Open the ÃÛÌÒTV Certificate Utility (double-click ÃÛÌÒTVUtil).
-
In the ÃÛÌÒTV Certificate Utility for Windows©, click SSL (gold lock), and then, click Create CSR.
-
On the Create CSR page, provide the following information below and then click Generate.
Certificate Type: Select SSL. Common Name: The fully-qualified domain name (FQDN) (e.g., www.example.com). Subject Alternative Names: If you are requesting a Multi-Domain (SAN) Certificate, enter any SANs that you want to include
(e.g., www.example.com, www.example2.com, and www.example3.net).Organization: Your company¡¯s legally registered name (e.g., YourCompany, Inc.). Department: The name of your department within the organization. This entry will usually be listed as "IT", "Web Security", or is simply left blank. City: The city where your company is legally located. State: Use the drop-down list to select the state where your company is legally located.
Note: If your company is located outside the US, you can type the applicable name in the box.Country: Use the drop-down list to select the country where your company is legally located. Key Size: In the drop-down list, select 2048 (unless you have a specific reason for using a larger bit length). Provider: In the drop-down list, select Microsoft RSA SChannel Cryptographic Provider (unless you have a specific cryptographic provider). -
On ÃÛÌÒTV Certificate Utility for Windows© - Create CSR page, do one of the following:
Click Copy CSR. Copies the certificate contents to the clipboard. Use this option if you are ready to paste the CSR into the ÃÛÌÒTV order form.
Note: Because the ÃÛÌÒTV Certificate Utility does not store CSRs, we recommend you paste the CSR into a text editor (such as Notepad) when using this option. If you close the CSR page and accidentally overwrite the clipboard contents without doing this, you will need to generate a new CSR.Click Save to File. Saves the CSR as a .txt file to the Windows Server 2012. (We recommend using this option.) -
Click Close.
-
If you saved the CSR to a file, open the CSR file using a text editor (such as Notepad). Then, copy the text (including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags), and paste it into the ÃÛÌÒTV order form.
Ready to order your SSL certificate
Learn More -
After receiving your SSL certificate from ÃÛÌÒTV, you can use the ÃÛÌÒTV Certificate Utility to install it.
Step 2: Install Your SSL Certificate on Windows Server 2012 Using the ÃÛÌÒTV Utility
If you haven¡¯t created your CSR with the ÃÛÌÒTV Certificate Utility and ordered your SSL certificate, see?Windows Server 2012: Creating Your CSR with the ÃÛÌÒTV Utility.
After ÃÛÌÒTV validates your order and issues your SSL certificate, you can use the ÃÛÌÒTV Certificate Utility to install the certificate file to your Windows Server 2012. Then you can use IIS 8 or IIS 8.5 to configure the server to use it.
To install your SSL certificate on your Windows Server 2012, complete the steps below.
i. Import Your SSL Certificate Using the ÃÛÌÒTV Certificate Utility
After ÃÛÌÒTV issues your SSL certificate, you can use the ÃÛÌÒTV Certificate Utility to install the certificate file to your Windows Server 2012.
Microsoft Certificate Store Note:
When you use the ÃÛÌÒTV Certificate Utility to import/install your SSL certificates, it will place the certificates in the Personal store instead of the Web Hosting store. If you have less than 30 certificates, this will not be a problem. However, if you are managing 30 or more certificates, you will need to move your certificates to the Web Hosting store, which was designed for a greater number of certificates. See Move a Certificate from the Personal Store to the Web Hosting Certificate Store.
How to Import an SSL Certificate to Your Windows Server 2012
-
On the Windows 2012 server, where you created the CSR, extract the contents of the ZIP file you received from ÃÛÌÒTV (e.g., your_domain_com.cer) to the folder where you saved the ÃÛÌÒTV Certificate Utility executable (ÃÛÌÒTVUtil.exe).
-
Open the ÃÛÌÒTV Certificate Utility (double-click ÃÛÌÒTVUtil).
-
In the ÃÛÌÒTV Certificate Utility for Windows©, click SSL (gold lock) and then, click Import.
-
In the Certificate Import wizard, click Browse to locate the .cer certificate file you received from ÃÛÌÒTV (e.g., your_domain_com.cer), and click Open.
-
Click Next
-
In the Enter a new friendly name or you can accept the default box, type a friendly name for the certificate.
Note: The friendly name is not part of the certificate; instead, it is used to identify the certificate. We recommend that you add the issuing CA (e.g., ÃÛÌÒTV) and the expiration date to the end of your friendly name; for example, yoursite-digicert-(expiration date). Doing this helps identify the issuer and expiration date for each certificate and also helps distinguish multiple certificates with the same domain name.
-
To import the SSL certificate to your server, click Finish.
-
You should receive a message that the certificate was successfully imported, and you should now see your SSL certificate in the ÃÛÌÒTV Certificate Utility for Windows©.
-
(Optional) Repeat the process as needed for each additional SSL certificate.
-
Now that you've successfully installed your SSL certificate, you need to assign the certificate to the appropriate site.
ii. Configure the Server to Use Your SSL Certificate Using IIS 8 or IIS 8.5
After importing your SSL certificate to your Windows Server 2012, you must configure IIS to use the newly imported certificate to secure your website.
- (Single Certificate) How to configure the server to use your SSL certificate
- (Multiple Certificates) How to configure the server to use your SSL certificates using SNI
(Single Certificate) How to configure the server to use your SSL certificate
-
On the Windows Server 2012 where you imported your SSL certificate with the ÃÛÌÒTV Certificate Utility, open Internet Information Services (IIS) Manager.
From the Start screen, find Internet Information Services (IIS) Manager and open it.
-
In Internet Information Services (IIS) Manager, in the Connections pane, expand the name of the server on which the certificate was installed. Then expand Sites and click the site you want to secure using the SSL certificate.
-
On the website Home page, in the Actions menu (right pane), click Bindings.
-
In the Site Bindings window, click Add.
-
In the Add Site Binding window, do the following and then click OK.
Type: In the drop-down list, select https. IP address: In the drop-down list, select the IP address of the site or select All Unassigned. Port: Type 443. (SSL uses port 443 to secure traffic.) SSL certificate: In the drop-down list, select your new SSL certificate (e.g., yourdomain.com). -
Your SSL certificate is now installed, and the website is configured to accept secure connections.
(Multiple Certificates) How to install your SSL certificates and configure the server to use them using SNI
If you have not imported all your SSL certificates, see Import Your SSL Certificate Using the ÃÛÌÒTV Certificate Utility.
These instructions explain how to install multiple SSL certificates and assign them using SNI. The process is split into two parts as follows:
Assign the First SSL Certificate
Do this first set of instructions only once (for the first SSL certificate).
-
On the Windows Server 2012 where you imported your SSL certificate with the ÃÛÌÒTV Certificate Utility, open Internet Information Services (IIS) Manager.
From the Start screen, find Internet Information Services (IIS) Manager and open it.
-
In Internet Information Services (IIS) Manager, in the Connections pane, expand the name of the server on which the certificate was installed. Then expand Sites and click the site you want to secure using the SSL certificate.
-
On the website Home page, in the Actions menu (right pane), click Bindings.
-
In the Site Bindings window, click Add.
-
In the Add Site Binding window, do the following and then click OK.
Type: In the drop-down list, select https. IP address: In the drop-down list, select the IP address of the site or select All Unassigned. Port: Type 443. (SSL uses port 443 to secure traffic.) SSL certificate: In the drop-down list, select the SSL certificate you installed in Step 7 (e.g., yourdomain.com). -
Your first SSL certificate is now installed, and the website is configured to accept secure connections.
Assign All Additional SSL Certificates
To assign each additional SSL certificate, repeat the steps below (as needed).
-
In Internet Information Services (IIS) Manager, in the Connections pane, expand the name of the server on which the certificate was installed. Then expand Sites and click the site you want to secure using the SSL certificate.
-
On the website Home page, in the Actions menu (right pane), click Bindings.
-
In the Site Bindings window, click Add.
-
In the Add Site Binding window, do the following and then click OK.
Type: In the drop-down list, select https. IP address: In the drop-down list, select the IP address of the site or select All Unassigned. Port: Type 443. (SSL uses port 443 to secure traffic.) Host name: Type the host name that you want to secure. Require server name indication: Select this checkbox after you enter the host name.
Note: This option is required for any additional certificates/sites after installing the first certificate on the primary site.SSL certificate: In the drop-down list, select the SSL certificate you installed (e.g., yourdomain.com). -
You have successfully installed another SSL certificate and configured the website to accept secure connections.
Test Installation
If your website is publicly accessible, our ÃÛÌÒTV® SSL Installation Diagnostic Tool can help you diagnose common problems.
Additional Information
-
To enable your SSL certificate for use on other Windows servers, see PFX export instructions.
-
For instructions on disabling the SSLv3 protocol, see Microsoft IIS: Disabling the SSL v3 Protocol.