In a previous post I discussed Installing a Certificate in IIS 7.5 From a Public Certificate Authority. In my example I used a certificate issued by StartCom’s Free SSL Certificate Authority. As a follow-up I will cover exporting this certificate to another IIS 7.5 server. Like many public CAs, StartCom uses a certificate chain with an intermediate CA certificate, as shown below.
StartCom Certification Authority
…….StartCom Class 1 Primary Intermediate Server CA
…………..Your StartCom Issued Certificate
When you create a Certificate Request on an IIS server, submit it to the CA and later complete that request, the intermediate cert is automatically added to the IIS server’s certificate store. However, if you export your certificate to a new IIS server you must also import the intermediate cert on the new IIS server, otherwise the chain of trust from your certificate up to the root is broken there. Keeping the chain complete on the server is best practice from a security perspective.
Some browsers, such as Internet Explorer, will go out to the internet and fetch the missing intermediate cert themselves if the web server does not provide it. Other browsers, such as Firefox, will not do this: the intermediate cert must be available on your web server so that it is sent to the browser with your certificate. If the intermediate is not available on the IIS server, Firefox will not treat your certificate as trusted.
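The check a practitioner wants before pointing Firefox users at a newly built server is whether the intermediate is actually in the machine's stores, not just reachable on the internet. The PowerShell below is an added example, not code from the original post: it builds the chain for the site certificate with the .NET X509Chain class (the same chain engine SChannel/IIS uses), reports any CA certificate in that chain that is absent from LocalMachine\CA and LocalMachine\Root, and copies missing intermediates into the Intermediate Certification Authorities store. The host name www.example.com is a placeholder; run it in an elevated PowerShell on the web server.

```powershell
# Added example, not code from the original post. Builds the chain for an IIS site
# certificate and reports whether each CA certificate in it is held locally, so
# browsers that never fetch intermediates themselves (Firefox, above) still receive
# a complete chain from IIS. $SiteHostName is a placeholder for the subject CN.
param(
    [string]$SiteHostName = 'www.example.com'   # placeholder value, replace with your site's CN
)

# Pick the newest certificate with a private key for that CN from LocalMachine\My
$leaf = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -match "CN=$([regex]::Escape($SiteHostName))" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $leaf) { throw "No certificate with a private key for CN=$SiteHostName in LocalMachine\My" }

# Build the chain the way SChannel will. Revocation checking is skipped here because
# the only question is whether every link of the chain is available locally.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($leaf)

# Thumbprints of every CA certificate already in the machine stores IIS serves from
$localCa = @(Get-ChildItem Cert:\LocalMachine\CA, Cert:\LocalMachine\Root | ForEach-Object { $_.Thumbprint })

$missing = @()
for ($i = 1; $i -lt $chain.ChainElements.Count; $i++) {   # element 0 is the site cert itself
    $ca = $chain.ChainElements[$i].Certificate
    if ($localCa -contains $ca.Thumbprint) {
        Write-Host ("OK       {0}" -f $ca.Subject)
    } else {
        Write-Host ("MISSING  {0}  (found via download or cache only, not in LocalMachine\CA or Root)" -f $ca.Subject)
        $missing += $ca
    }
}
if (-not $built) {
    # PartialChain here usually means the intermediate is missing and could not be fetched
    $chain.ChainStatus | ForEach-Object {
        Write-Host ("Chain status: {0} - {1}" -f $_.Status, $_.StatusInformation.Trim())
    }
}

# Remediation: put any intermediate that chain building found elsewhere into the
# machine's Intermediate Certification Authorities store. This has the same effect as
# "certutil -addstore CA intermediate.cer" with the file downloaded from your CA.
foreach ($ca in $missing) {
    if ($ca.Subject -eq $ca.Issuer) { continue }   # self-signed root: trust decisions stay manual
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('CA', 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add($ca)
    $store.Close()
    Write-Host ("Imported {0} into LocalMachine\CA" -f $ca.Subject)
}
```

Run it once on the source server (where IIS completed the request and everything should report OK) and again on the new server after the import; a MISSING line for the intermediate on the new server is exactly the state in which Firefox shows an untrusted certificate while Internet Explorer appears to work.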
Export and Import Web Site Certificate Through IIS
First let’s export our public CA issued certificate. IIS makes this very easy. Go to Start > Admin Tools > IIS Manager.
Click your server name in the left pane tree, then in the center scroll down and double click Server Certificates.
Highlight the certificate from the public CA (in my case StartCom). Note how it is issued by the StartCom Class 1 Primary Intermediate Server CA. In the right Actions pane click Export.
In this installment I will run through the procedure for installing a certificate for Windows 2008 R2 IIS 7.5 from a third party public certificate authority. I will use a third party certificate signed by StartCom. StartCom offers free class 1 SSL/TLS certificates. They also offer class 2 certificates for businesses at very reasonable prices. While you can use a class 1 certificate for a business web site, they are attached to an individual person’s identity which means they are ultimately the responsible party. Earlier versions of Windows and Internet Explorer may not contain StartCom as a trusted certificate authority. However, Firefox and newer versions of Internet Explorer will trust certificates issued by StartCom by default.
Prepare Certificate Request from IIS
First go to Start > Admin Tools > IIS Manager.
Click your server in the left pane under Connections, then in the middle pane scroll down and double click the Server Certificates icon.
On the right under Actions click “Create Certificate Request”.
Enter the information for your certificate. You should specify the URL you will use to access the web site for the Common Name (ex. http://www.mysite.com). Click Next.
I will choose 2048 bits for the key length. This is the minimum StartCom requires for the High Grade certificate I will request on its web site later. Click Next.
Save the certificate request to a file, then click Finish.
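The wizard steps above can also be driven from the command line, which is handy when you need to repeat the request for several servers or want to include Subject Alternative Names. The script below is an added example, not code from the original post: it writes a certreq INF file that produces the same kind of request as the IIS wizard (PKCS#10, 2048-bit RSA key kept in the machine store under the SChannel provider, server authentication EKU) and runs certreq.exe to generate the request file you paste into the CA's web form. The host name www.example.com and the O/L/S/C values are placeholders. Note that the Common Name is the bare host name clients will type, with no http:// prefix.

```powershell
# Added example, not code from the original post. Creates a certificate request
# equivalent to the IIS "Create Certificate Request" wizard using certreq.exe.
# Run in an elevated PowerShell on the IIS server. All names below are placeholders.
$HostName = 'www.example.com'           # placeholder: the host name clients will type, no "http://"
$InfPath  = "$env:TEMP\$HostName.inf"
$ReqPath  = "$env:TEMP\$HostName.req"    # the file whose contents you submit to the CA

$inf = @"
[NewRequest]
Subject = "CN=$HostName, O=Example Org, L=City, S=State, C=US"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
MachineKeySet = true
Exportable = true
KeySpec = 1
KeyUsage = 0xa0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$HostName&"
_continue_ = "dns=example.com&"
"@

# certreq expects a plain text INF file
Set-Content -Path $InfPath -Value $inf -Encoding ASCII

# Generates the private key in the machine store and writes the Base64 PKCS#10 request
& certreq.exe -new $InfPath $ReqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

Write-Host "Request written to $ReqPath. Submit its contents to the CA."
Get-Content $ReqPath

# When the CA returns the signed certificate (for example cert.cer), complete the
# request with:   certreq -accept cert.cer
# That joins the certificate to the private key created above, and it then appears
# under Server Certificates in IIS Manager, ready to bind to the site.
```

KeySpec = 1 and the SChannel provider name match what the IIS wizard selects, so the resulting certificate behaves identically in IIS; KeyUsage 0xa0 is digital signature plus key encipherment, which is what a TLS server certificate needs. Leave Exportable = true only if you intend to move the certificate to another server later, as the export post above describes.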
In this post I will discuss how Windows IIS servers that are not part of a domain can make use of certificates issued by a certificate authority (CA). In my example the certificates will be signed and issued by an enterprise CA that is a member of my Active Directory domain. All of the servers run Windows Server 2008 R2.
Exporting the Certificate Authority Root Certificate
Since we want to trust this CA from a non-domain member server, we’ll need to manually export the root certificate for this CA to a file. On the CA server click Start, type CMD in the search box and press Enter. Now at the command prompt type:
C:\> certutil -ca.cert ca_name.cer
The root CA certificate is now exported to the file “ca_name.cer”.
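On the non-domain server the exported file has to go into the machine's Trusted Root Certification Authorities store, and because anything placed there becomes trusted for every service and user on that server, the file's thumbprint should be compared with the one shown on the CA itself (for example from certutil -dump ca_name.cer on the CA) before it is added. The PowerShell below is an added example, not code from the original post: it refuses to import unless the thumbprint matches, and it skips the import if the root is already present. The path C:\certs\ca_name.cer and the REPLACE-WITH-THUMBPRINT-FROM-CA value are placeholders; run it in an elevated PowerShell on the web server.

```powershell
# Added example, not code from the original post. Imports the exported enterprise
# root CA certificate into LocalMachine\Root on a non-domain IIS server, but only
# after verifying its SHA-1 thumbprint against a value obtained on the CA itself.
param(
    [string]$CerPath = 'C:\certs\ca_name.cer',                   # placeholder: where ca_name.cer was copied
    [string]$ExpectedThumbprint = 'REPLACE-WITH-THUMBPRINT-FROM-CA'   # placeholder: from "certutil -dump" on the CA
)

$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

# Normalise the value copied from the CA (certutil prints it with spaces) before comparing
$expected = ($ExpectedThumbprint -replace '[\s:]', '').ToUpper()
$actual   = $cer.Thumbprint.ToUpper()
if ($actual -ne $expected) {
    throw "Thumbprint mismatch: file has $actual, expected $expected. Do not import this file."
}

# Sanity check: a root CA certificate is self-signed, so subject and issuer must match
if ($cer.Subject -ne $cer.Issuer) {
    throw "$CerPath is not a self-signed root certificate (issuer: $($cer.Issuer))"
}

# The LocalMachine Root store is used by IIS (a service) and by every user on the box
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open('ReadWrite')
try {
    $already = $store.Certificates.Find('FindByThumbprint', $actual, $false)
    if ($already.Count -gt 0) {
        Write-Host "Root CA $($cer.Subject) is already trusted on this machine"
    } else {
        $store.Add($cer)
        Write-Host "Imported $($cer.Subject) (thumbprint $actual) into LocalMachine\Root"
    }
} finally {
    $store.Close()
}
```

Once the root is trusted, a certificate issued by that CA to this server builds a full chain locally, which is the condition the intermediate discussion earlier in these posts is about; the same thumbprint comparison is worth repeating whenever the CA's root certificate is renewed.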
In this entry I will discuss setting up a certificate to encrypt traffic via HTTPS for an IIS 7.5 web site. This example assumes that the IIS web server is a member of an Active Directory domain and that an enterprise certificate authority (CA) is configured on a server in this domain. You can find details on how to set up an enterprise CA for your domain here. Time to get started.
Go to Start > Administrative Tools > Internet Information Services (IIS) Manager.