How to configure a site to use HTTPS under IIS

Description

Installing an SSL/HTTPS certificate for a site running under IIS is straightforward. The IIS server maintains a list of available certificates that have been added to it, and each site has an HTTPS binding that uses one of those certificates.

A certificate authority typically has its own form for making a certificate request, but you may also create a standard certificate request file, which is a plain text file that a certificate authority can use instead. This may be needed if the certificate authority's certificate request form does not have all the settings that you need for specifying certificate properties.

The instructions below show how a certificate request file can be created, how the returned .pfx or .cer certificate from the certificate authority can be added to an IIS server, and how to set which certificate is used by a site in IIS.

Request and Install a Certificate from a Certificate Authority

IIS Manager can be used to create a certificate request with "Create Certificate Request..." and then install the certificate with "Complete Certificate Request...". These options are located under the "Server Certificates" feature in IIS Manager.

  1. Select the server node in the "Connections" pane

  2. Double click on the "Server Certificates" feature in the center pane in the "IIS" section.

    images/iisManagerServerNode.png
  3. The "Server Certificates" feature will show the available certificates as well as the operations that can be done in the "Actions" pane on the right hand side.

    images/iisManagerServerCertificates.png
  4. The certificate authority that you use may have its own way to create a certificate request. If it does, make sure that a "Subject Alternative Name (SAN)" is included in the request. A certificate must contain the host name, for example "www.alphasoftware.com", to define what site the certificate is for. This host name also needs to be included as a Subject Alternative Name in the certificate; otherwise browsers may not validate the certificate. The "Create Certificate Request..." action in IIS Manager does not create a certificate request that includes a Subject Alternative Name. Use the following steps to create a certificate request with a Subject Alternative Name.

    1. Open the machine management console (run MMC.exe).

    2. Choose "Add/Remove snap-in..." from the File menu.

      images/createCertRequestAddSnapin.png
    3. Select the "Certificates" snap-in from the left list, click the "Add" button in the middle of the dialog and then choose the "Computer account". Click through the rest of the wizard to finish.

      images/createCertRequestCertificatesSnapin.png
    4. Open the "Certificates (Local Computer)" node and right click on the "Personal" node, choose "All Tasks", "Advanced Operations", "Create Custom Request...".

      images/createCertRequestCustomRequest.png
    5. Click "Next" then select "Proceed without enrollment policy". Click "Next".

      images/createCertRequestNoEnrollmentPolicy.png
    6. Click "Next" with the default on this page.

      images/createCertRequestCNGkey.png
    7. Click the little down arrow next to the word "Details". Click on the "Properties" button.

      images/createCertRequestDetailsChevron.png
      images/createCertRequestProperties.png
    8. Set the certificate request's name and description on the "General" tab.

      images/createCertRequestName.png
    9. Set the certificate subject name type to "Common name", set the value to the site's host name, and click the "Add" button on the "Subject" tab.

      images/createCertRequestSubject.png
      images/createCertRequestSubjectAdded.png
    10. Set the certificate alternative name type to "DNS", set the value to the site's host name, and click the "Add" button on the "Subject" tab.

      images/createCertRequestAlternative.png
      images/createCertRequestAlternativeAdded.png
    11. Set the key size to 2048 and enable the private key to be exportable on the "Private Key" tab.

      images/createCertRequestKeyOptions.png
    12. Click the "OK" button at the bottom of the "Properties" dialog and then the "Next" button on the certificate enrollment wizard.

    13. Give a name for the file for the certificate request to be saved in. This file will be a text file, and a .txt extension is used in the image example below.

      images/createCertRequestSave.png
    14. This file can now be used to request a certificate from a certificate authority.

  5. Once you have a certificate, the certificate can be added to IIS by choosing "Complete Certificate Request..." from the "Actions" pane. Once added, the new certificate will be listed in the center pane as an available certificate.

    IIS can use certificates with a .pfx extension or a .cer extension. Use the "Import..." option to install a .pfx certificate. Use the "Complete Certificate Request..." option to install a .cer certificate. You may be able to request the specific file type that the certificate authority returns as part of the certificate request. For instance, a certificate authority's web page would have prompts for email address, type of certificate to return, and a certificate request file to be uploaded.

    images/iisManagerServerCertificates.png
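
The request and install steps above can also be scripted with the built-in certreq.exe and certutil.exe tools. The following is an added example, not part of the original instructions; the host name, folder and file names are placeholders, and the folder is assumed to exist.

```powershell
# Added example. Run in an elevated PowerShell session on the IIS server.
# Host name and file paths are placeholders; C:\certs must already exist.
$hostName = 'www.example.com'
$inf      = 'C:\certs\request.inf'
$csr      = 'C:\certs\request.txt'

# Same choices as the "Properties" dialog: common name, DNS alternative
# name, 2048-bit key, exportable private key, computer (machine) store.
# An exportable key can later leave the server inside a .pfx file.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$hostName"
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$hostName&"
"@ | Set-Content -Path $inf -Encoding ASCII

certreq.exe -new $inf $csr
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Check the request before sending it: the dump must list the host name
# as a DNS name under "Subject Alternative Name".
$dump = certutil.exe -dump $csr
if (-not ($dump | Select-String -SimpleMatch "DNS Name=$hostName")) {
    throw "Request $csr has no DNS alternative name for $hostName"
}

# After the certificate authority returns a .cer file, install it against
# the pending request (what "Complete Certificate Request..." does):
#   certreq.exe -accept -machine C:\certs\www.example.com.cer
# Then confirm the installed certificate has its private key and the name:
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.DnsNameList.Unicode -contains $hostName } |
    Select-Object Subject, Thumbprint, NotAfter
```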

Configure Certificate Used by a Site

  1. Select the site in IIS Manager.

    images/setCertSite.png
  2. Click the "Bindings..." link in the "Actions" pane on the right hand side.

    images/setCertBindingLink.png
  3. Click the "Edit..." button to edit an existing https binding or the "Add..." button to add an https binding.

    images/setCertSiteBindings.png
  4. Make sure the host name matches what was requested in the certificate request then choose the certificate from the "SSL certificate" drop down list. Click "OK" and you're done.

    images/setCertSiteBindingsDialog.png
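
The binding steps above can be checked and applied from PowerShell with the WebAdministration module. This is an added example, not part of the original instructions; the site name and host name are placeholders, and the host name match is exact (wildcard certificate names are not handled).

```powershell
# Added example. Run in an elevated PowerShell session on the IIS server.
Import-Module WebAdministration

$siteName = 'Default Web Site'    # placeholder site name
$hostName = 'www.example.com'     # placeholder host name

# Pick the longest-lived certificate that is currently valid, has its
# private key, and lists the binding's host name as a DNS name.
$now  = Get-Date
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        $_.DnsNameList.Unicode -contains $hostName
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw "No valid certificate in LocalMachine\My lists $hostName as a DNS name"
}

$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName
if (-not $binding) {
    # Equivalent of "Add..." in the Site Bindings dialog
    New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName
    $binding = Get-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName
    $binding.AddSslCertificate($cert.Thumbprint, 'My')
    "Added https binding for $hostName with certificate $($cert.Thumbprint)"
}
elseif ($binding.certificateHash -eq $cert.Thumbprint) {
    "Binding for $hostName already uses certificate $($cert.Thumbprint)"
}
else {
    # Report rather than overwrite, so a mismatch is reviewed by a person
    Write-Warning "Binding for $hostName uses $($binding.certificateHash), expected $($cert.Thumbprint)"
}
```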