Installing a Certificate in IIS 7.5 From a Public Certificate Authority
In this installment I will run through the procedure for installing a certificate for IIS 7.5 on Windows 2008 R2 from a third-party public certificate authority. I will use a certificate signed by StartCom. StartCom offers free class 1 SSL/TLS certificates, and also offers class 2 certificates for businesses at very reasonable prices. While you can use a class 1 certificate for a business web site, it is tied to an individual person’s identity, which means that person is ultimately the responsible party. Earlier versions of Windows and Internet Explorer may not include StartCom as a trusted certificate authority; however, Firefox and newer versions of Internet Explorer trust certificates issued by StartCom by default.
Prepare Certificate Request from IIS
First go to Start > Admin Tools > IIS Manager.
Click your server in the left pane under Connections, then in the middle pane scroll down and double click the Server Certificates icon.
On the right under Actions click “Create Certificate Request”.
Enter the information for your certificate. You should specify the URL you will use to access the web site for the Common Name (ex. http://www.mysite.com). Click Next.
I will choose 2048 bits for the encryption key length. This is the minimum required for a High Grade cert, which I will request on StartCom’s web site later. Click Next.
Save the certificate request to a file, then click Finish.
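The same request the IIS wizard produces can be generated from an elevated PowerShell prompt with certreq.exe, which is useful when you want to script the step or double-check what went into the request before handing it to the CA. This is an added example, not part of the original post: the host name, organisation details and working folder are placeholders. Note that the Subject’s CN is the bare host name clients will type, without a scheme or path; that is what the certificate will be matched against.

```powershell
# Added example (not from the original post): build a certificate signing request
# equivalent to the IIS 7.5 "Create Certificate Request" wizard using certreq.exe.
# Run from an elevated PowerShell prompt. All names below are placeholders.

$HostName = 'www.example.com'   # placeholder: host name clients will type (no http://, no path)
$WorkDir  = 'C:\certs'          # placeholder working folder
$InfPath  = Join-Path $WorkDir "$HostName.inf"
$CsrPath  = Join-Path $WorkDir "$HostName.csr"

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# certreq reads its parameters from an INF file. KeyLength = 2048 matches the key
# size chosen in the IIS wizard; MachineKeySet stores the private key in the
# computer store so IIS can use it once the signed certificate is accepted.
@"
[NewRequest]
Subject = "CN=$HostName, O=Example Org, L=Example City, S=Example State, C=US"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1   ; Server Authentication
"@ | Set-Content -Path $InfPath -Encoding ASCII

# Generate the key pair in the machine store and write the PKCS#10 request.
# Only the public key and subject leave the machine; the private key stays put.
certreq.exe -new $InfPath $CsrPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Check the request before pasting it into the CA's form: the subject should be the
# bare host name and the public key length should read 2048 bits.
certutil.exe -dump $CsrPath | Select-String -Pattern 'Subject:|CN=|Public Key Length'

# This is the text to paste into the CA's "Submit Certificate Request" box,
# including the BEGIN/END lines.
Get-Content $CsrPath

# Once the CA returns the signed certificate (saved here as $HostName.cer, placeholder),
# accepting it pairs it with the pending private key in the machine store:
#   certreq.exe -accept (Join-Path $WorkDir "$HostName.cer")
```

The `-accept` step is the command-line counterpart of "Complete Certificate Request" in IIS Manager; after it the certificate appears under Server Certificates with its private key attached and can be bound to the site.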
Request Certificate from StartCom
Now go out to the StartCom free SSL web site: http://cert.startcom.org.
Scroll down and click the link “Create your account at StartSSL”.
Choose Express Lane. This option will run through a wizard to guide you through the initial set up of your account and get started creating your certificate.
When you get to the Generate Private Key screen click Skip.
Now, at the Submit Certificate Request screen, paste the text from the certificate request you generated earlier in IIS. Be sure to include the Begin and End Request lines. Don’t worry that the lines wrap and the text box is a little too small; it should still work. Click Continue.
At the second Add Domains page it will ask that you specify one subdomain. Enter the name you will use to connect to your web server, then click Continue.
The wizard may now tell you that an additional check needs to be performed and that you’ll be notified via email. I ended up logging out of the StartCom web site even though the certificate check only took a few minutes. As a consequence I had difficulty authenticating back into the StartCom web site. The site uses a client certificate installed in the browser to authenticate your identity, and the browser may not prompt you to use it. You will also want to back up this client certificate, because if it is lost you will be unable to authenticate to your StartCom account. Here is how to make sure the site finds the certificate if you are using Firefox:
Go to Tools > Options.
In the Options window click Advanced, then click the Encryption tab. Under Certificates choose “Select one automatically”, then click OK. For some reason the browser wouldn’t prompt me to use the client certificate even though it was present, and I was unable to access my StartCom account. With this option selected everything works fine! I’m not sure how much of a security compromise it is to leave this configured, so you may want to change the setting back when you are finished.