Installing an SSL Certificate on an IIS Server

Prerequisites

• The certificate is in the Issued status.

• You have downloaded the SSL certificate. For details, see Downloading a Certificate.

Constraints

• Before installing the certificate, enable port 443 on the server where the SSL certificate is installed and add port 443 to the security group. Otherwise, HTTPS cannot be enabled after the installation.
• If a domain name maps to multiple servers, deploy the certificate on each server.
• The domain name to be run on the target server must be the same as the one associated with the certificate. Otherwise, the web browser will display a message indicating that the domain name is insecure.

Procedure

To install an SSL certificate on an IIS server, perform the following steps:

Step 1: Obtaining Files → Step 2: Configuring IIS → Step 3: Verifying the Effect

Step 1: Obtaining Files

Before installing a certificate, obtain the certificate file and password file. Perform the following operations based on the value selected for CSR when applying for a certificate:

• If you select System generated CSR for CSR when applying for a certificate, perform the operations according to the instructions in System generated CSR.
• If you select Upload a CSR for CSR when applying for a certificate, perform the operations according to the instructions in Upload a CSR.

Detailed operations are as follows:

• System generated CSR
  1. Decompress the downloaded certificate file on your local PC.
     The downloaded file contains the Apache, IIS, Nginx, and Tomcat folders as well as the domain.csr file. Figure 1 shows an example.

     Figure 1 Decompressing an SSL certificate package on a local computer
     
  2. Obtain the SSL certificate file Certificate ID_Domain name bound to the certificate_server.pfx and password file Certificate ID_Domain name bound to the certificate_keystorePass.txt from Certificate ID_Domain name bound to the certificate_IIS.
• Upload a CSR
  1. Decompress the downloaded certificate package to obtain the Certificate ID_Domain name bound to the certificate_server.pem file.

     The Certificate ID_Domain name bound to the certificate_server.pem file contains two segments of certificate codes -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, which are the server certificate and intermediate CA certificate respectively.

  2. Use OpenSSL to convert the PEM certificate into a PFX certificate and obtain the server.pfx file.
     1. Save the PEM certificate and the private key server.key generated during CSR generation to the bin directory in the OpenSSL installation directory.
     2. In the bin directory of the OpenSSL installation directory, run the following command to convert the PEM certificate into a PFX certificate and press Enter:

        openssl pkcs12 -export -out server.pfx -inkey server.key -in Certificate ID_Domain name bound to the certificate_server.pem

        Information similar to the following is displayed.

        Enter Export Password:
     3. Enter the password of the PFX certificate and press Enter.

        The password is user-defined. Set it as required.

        Information similar to the following is displayed.

        Verifying - Enter Export Password:
        NOTE:

        Record the password of the PFX certificate. The password of the JKS certificate must be the same as that of the PFX certificate. Otherwise, the IIS service may fail to start.

        To improve password security, a password must:

        • Consist of 8 to 32 characters.
        • Contain at least three types of the following characters: uppercase letters, lowercase letters, digits, and special characters ~`!@#$%^&*()_+|{}:"<>?-=\[];',./
     4. Re-enter the password of the PFX certificate and press Enter.

        If no error information is displayed, the server.pfx file has been generated in the OpenSSL installation directory.

     5. Create a keystorePass.txt file in the OpenSSL installation directory and save the password of the PFX certificate in the file.

Step 2: Configuring IIS

1. Install IIS as instructed by IIS guides.
2. Open the IIS management console, double-click Server Certificates.
   Figure 2 Double-clicking Server Certificates
   
3. In the displayed dialog box, click Import.
   Figure 3 Import
   
4. Import the server.pfx certificate file. Then click OK.
   NOTE:

   In the Password box, enter the password provided in the keystorePass.txt file.

   Figure 4 Importing a PFX certificate file
   
5. Right-click the target site (the default site is used as an example). Choose Edit Bindings from the shortcut menu.
   Figure 5 Choosing Edit Bindings
   
6. In the dialog box that is displayed, click Add. Then enter the following information.
   Figure 6 Binding a website
   
   • Type: Select https.
   • Port: Retain the default port 443.
   • SSL certificate: Select the certificate imported in 4.
7. Click OK.

Step 3: Verifying the Effect

After the deployment succeeds, in the address bar of the browser, enter https://Domain name and press Enter.

If a security padlock is displayed in the address bar of the browser, the certificate has been installed successfully.

• If the browser still displays a message indicating that the website is insecure, fix the issue by referring to Why Does the Website Still Display a Message Indicating that the Website Is Insecure After an SSL Certificate Is Deployed?
• If the website cannot be accessed using a domain name, fix the issue by referring to Why Is My Website Inaccessible by Domain Name After an SSL Certificate Is Installed?