
Installing a Certificate in IIS 7.5 From a Public Certificate Authority

In this installment I will run through the procedure for installing a certificate from a third party public certificate authority on Windows 2008 R2 IIS 7.5. I will use a third party certificate signed by StartCom. StartCom offers free class 1 SSL/TLS certificates. They also offer class 2 certificates for businesses at very reasonable prices. While you can use a class 1 certificate for a business web site, it is attached to an individual person’s identity, which means that person is ultimately the responsible party. Earlier versions of Windows and Internet Explorer may not contain StartCom as a trusted certificate authority. However, Firefox and newer versions of Internet Explorer will trust certificates issued by StartCom by default.

Prepare Certificate Request from IIS

First go to Start > Admin Tools > IIS Manager.

Click your server in the left pane under Connections, then in the middle pane scroll down and double click the Server Certificates icon.

On the right under Actions click “Create Certificate Request”.

Enter the information for your certificate.  You should specify the URL you will use to access the web site for the Common Name (ex. http://www.mysite.com).  Click Next.

I will choose 2048 bits for the encryption key length. This is the minimum required for a High Grade certificate, which I will request on StartCom’s web site later. Click Next.

Save the certificate request to a file, then click Finish.
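As an added example (not from the original post), the same request can be produced from PowerShell with certreq.exe, which also lets you inspect the CSR before handing it to the CA; the host name www.mysite.com, the O/L/S/C subject fields and the C:\CertRequest folder are assumptions.

```powershell
# Added example, not from the original post. Assumed values: host name
# www.mysite.com, the O/L/S/C subject fields and the C:\CertRequest folder.
$HostName = "www.mysite.com"   # bare host name only, never "http://..."
$ReqDir   = "C:\CertRequest"
New-Item -ItemType Directory -Path $ReqDir -Force | Out-Null

# certreq.exe takes its parameters from an INF file. KeyLength 2048 is the
# size chosen in IIS Manager; MachineKeySet puts the private key in the
# machine store so IIS, running as a service, can use it; Exportable FALSE
# keeps the key from being pulled out of the store later.
$Inf = @"
[NewRequest]
Subject = "CN=$HostName, O=My Company, L=My City, S=My State, C=US"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
KeySpec = 1
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; TLS server authentication
OID = 1.3.6.1.5.5.7.3.1
"@
$InfPath = Join-Path $ReqDir "request.inf"
$CsrPath = Join-Path $ReqDir "request.csr"
Set-Content -Path $InfPath -Value $Inf -Encoding ASCII

# Generate the key pair and write the PKCS#10 request as Base64 with the
# BEGIN/END lines, which is exactly what the CA's submission form expects.
certreq.exe -new $InfPath $CsrPath

# Check before submitting: the dump must show the bare host name as CN and
# "Public Key Length: 2048 bits".
certutil.exe -dump $CsrPath | Select-String -Pattern "CN=", "Public Key Length"

# The pending request (with its private key) now sits in the machine's
# Certificate Enrollment Requests store; confirm the key is really there.
Get-ChildItem Cert:\LocalMachine\REQUEST |
    Where-Object { $_.Subject -like "CN=$HostName*" } |
    Format-List Subject, HasPrivateKey, Thumbprint

# When the signed certificate comes back, complete the request with
#   certreq.exe -accept C:\CertRequest\www_mysite_com.cer
# which moves it to Cert:\LocalMachine\My where IIS Manager can bind it.
```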

Request Certificate from StartCom

Now go out to the StartCom free SSL web site:  http://cert.startcom.org.

Scroll down and click the link “Create your account at StartSSL”.

Choose Express Lane.  This option will run through a wizard to guide you through the initial set up of your account and get started creating your certificate.

When you get to the Generate Private Key screen click Skip.

Now at the Submit Certificate Request screen paste the text from the certificate request that you generated earlier in IIS. Be sure to include the Begin and End Request lines. Don’t worry that the lines wrap and the text box is a little too small; it should still work. Click Continue.

At the second Add Domains page it will ask that you specify one subdomain.  Enter the name you will use to connect to your web server, then click Continue.

The wizard may now tell you that an additional check will need to be performed and that you’ll be notified via email. I ended up logging out of the StartCom web site even though the certificate check only required a few minutes. As a consequence I encountered difficulties authenticating back into the StartCom web site. The site uses a client certificate installed in the browser to authenticate your identity, and it is possible the browser will not prompt you to use it. You will also want to make sure to back up this client certificate, because if it is lost you will be unable to authenticate back to your StartCom account. Here is how to make sure the site finds the certificate if you are using Firefox:

Go to Tools > Options.

In the Options window click Advanced, then click the Encryption tab. Under Certificates choose “Select one automatically”, then click OK. For some reason the browser wouldn’t prompt me to use the client certificate even though it was present, and I was unable to access my StartCom account. But with this option selected everything works fine! I’m not sure how much of a security compromise leaving this configured is, so you may want to change the setting back when you are finished.


Categories: IIS, SSL, Windows
  1. Winston
    August 10, 2011 at 10:54 pm

    Thanks for the great post. Really helped me through a couple of areas about which I had questions while trying to knock this out quickly.

  2. October 30, 2011 at 5:35 pm

    This is good but I am trying to get over the hurdle of having IIS 7 correctly serve up the intermediate certificate at the same time as the machine’s certificate (so the browser sees this as chained up properly). I am wondering if you had to import the intermediate cert and if you have any more details on that.

    I’ve been working on this for a few hours now (and have completed this process dozens of times before on dozens of servers before) but this time it is just not chaining-up properly no matter what.

    Any and all advice is appreciated.

    Thanks.

    Jason
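On the chaining problem Jason describes, an added note that is not part of the post or the comments: IIS 7 sends only the chain Windows can build from the machine's own certificate stores, so the intermediate has to be imported into the machine's Intermediate Certification Authorities store and the chain checked from the server itself. The script below was written for this page rather than taken from it and assumes the files C:\CertRequest\intermediate.cer and C:\CertRequest\www_mysite_com.cer.

```powershell
# Added example, not from the post or the comments. Assumed file names:
# C:\CertRequest\intermediate.cer (issuing CA) and the issued server cert.
$IntermediatePath = "C:\CertRequest\intermediate.cer"
$ServerCertPath   = "C:\CertRequest\www_mysite_com.cer"

# The intermediate belongs in LocalMachine\CA. Importing it into CurrentUser
# (the default when you double-click a .cer while logged on) does nothing for
# the IIS worker process, and dropping it into the Personal store leaves the
# chain incomplete as well.
certutil.exe -addstore -f CA $IntermediatePath

# Ask Windows to build and validate the chain the way SChannel will when a
# client connects; missing or wrong intermediates show up as chain errors.
certutil.exe -verify -urlfetch $ServerCertPath

# The same check from .NET, returning $true only if a complete chain builds.
function Test-ServerCertChain {
    param([string]$Path)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation is a separate concern; here we only care about the chain.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $ok = $chain.Build($cert)
    # Typically three elements (server, intermediate, root); only two means
    # the intermediate was not found and browsers will warn about the chain.
    $chain.ChainElements | ForEach-Object { Write-Host $_.Certificate.Subject }
    if (-not $ok) {
        $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    }
    return $ok
}
Test-ServerCertChain -Path $ServerCertPath
```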

  3. Jeff
    February 6, 2012 at 10:16 pm

    Jason – if you haven’t figured it out yet it looks like you need to install the component to do this. Here is the site:
    http://www.iis.net/ConfigReference/system.webServer/security/authentication/iisClientCertificateMappingAuthentication

  4. April 15, 2013 at 11:18 am

    Thanks for that comprehensive post!
    Hopefully, the certificate issues for multi/wildcard subdomains are working that simple, too?
