Several months ago I documented Installing an SSL Certificate in IIS 7.5 from a Public Certificate Authority, using a certificate signed by the third-party CA StartCom. For those unfamiliar with StartCom, they have the added benefit of offering free personal Class 1 SSL certificates. Recently I was tasked with migrating this certificate from my Windows 2008 R2 IIS 7.5 server to an Apache 2.2 / CentOS Linux 5.5 box. This process assumes that you have performed the procedure linked above and installed the public-CA-signed certificate on an IIS 7.5 server.
Now go back out to the StartCom login page: https://www.startssl.com/?app=12. If you are still logged on to the StartCom website and in the ToolBox section from the previous Windows 2008 R2 IIS 7.5 certificate install documentation skip down to the 4th screenshot.
Click the green button on the upper right side of the screen labeled “Control Panel”.
In a previous post I discussed Installing a Certificate in IIS 7.5 From a Public Certificate Authority. In my example I used a certificate issued by StartCom’s free SSL certificate authority. As an add-on I will cover exporting this certificate to another IIS 7.5 server. Like many public CAs, StartCom makes use of a certificate chain with an intermediate CA certificate between the root and your certificate, as shown below.
StartCom Certification Authority
    StartCom Class 1 Primary Intermediate Server CA
        Your StartCom-issued certificate
When you create a certificate request on an IIS server, send it to the CA and later complete that request with the issued certificate, the intermediate CA certificate is normally added to the server’s Intermediate Certification Authorities store as well. However, if you export your certificate to a new IIS server you must also make sure the intermediate cert is present on the new server, or the chain of trust is broken for clients. This is not a nicety: a server that presents only its own certificate forces every client to reconstruct the chain by itself. After the import, check Local Computer > Intermediate Certification Authorities on the new server and import the intermediate separately if it is missing.
Some clients, such as Internet Explorer (through Windows CryptoAPI), will follow the Authority Information Access URL in the certificate, go out to the internet and download the missing intermediate cert themselves if the web server does not send it. Other browsers, such as Firefox, will not do this: the intermediate cert has to be available on your web server so that it is sent along with the site certificate. If the intermediate is not available on the IIS server, Firefox will not treat your certificate as trusted and will show a certificate error.
Export and Import Web Site Certificate Through IIS
First let’s export our public CA issued certificate. IIS makes this very easy. Go to Start > Admin Tools > IIS Manager.
Click your server name in the left pane tree, then in the center scroll down and double click Server Certificates.
Highlight the certificate from the public CA (in my case StartCom). Note that the Issued By column shows the StartCom Class 1 Primary Intermediate Server CA, not the StartCom root. In the Actions pane on the right click Export.
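The export step above, together with the intermediate-certificate caveat from the previous section, as an added PowerShell example. This is not code from the original post: it uses the .NET X509 classes available under PowerShell 2.0 on Windows 2008 R2, reads the site certificate from the Local Computer Personal store, lists every intermediate in its chain and reports whether each one is in the Local Computer Intermediate Certification Authorities store, then writes a PFX that carries the leaf, its private key and the intermediates. The CN `www.mysite.com`, the output path `C:\certs\www.mysite.com.pfx` and the password prompt are assumptions.

```powershell
# Added example, not from the original post. Assumed values: the site's CN
# and the output path; the PFX password is prompted for at the end.
$ErrorActionPreference = "Stop"
$SubjectCn = "www.mysite.com"                 # assumption: CN of the site certificate
$OutFile   = "C:\certs\www.mysite.com.pfx"    # assumption: where the PFX is written

function Get-SiteCertificate([string]$Cn) {
    # The site certificate lives in Local Computer > Personal ("My") and, because
    # the request was completed on this box, it carries the private key.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
    $store.Open("ReadOnly")
    try {
        $cnPattern = '(^|, )CN=' + [regex]::Escape($Cn) + '(,|$)'
        $cert = $store.Certificates |
            Where-Object { $_.HasPrivateKey -and $_.Subject -match $cnPattern } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
        if (-not $cert) { throw "No certificate with a private key for CN=$Cn in LocalMachine\My" }
        return $cert
    } finally { $store.Close() }
}

function Get-Intermediates($Cert) {
    # Walk the chain Windows builds for the leaf: everything between the leaf
    # (element 0) and the self-signed root (last element) is an intermediate.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = "NoCheck"   # only the chain shape matters here
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join "; "
        throw "Chain does not build for $($Cert.Subject): $status"
    }
    $certs = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    if ($certs.Count -lt 3) { return @() }          # leaf signed directly by a root
    return $certs[1..($certs.Count - 2)]
}

function Test-IntermediateInStore($CaCert) {
    # Local Computer > Intermediate Certification Authorities ("CA") is the store
    # IIS relies on when it assembles the chain it sends to clients.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("CA", "LocalMachine")
    $store.Open("ReadOnly")
    try {
        return ($store.Certificates.Find("FindByThumbprint", $CaCert.Thumbprint, $false).Count -gt 0)
    } finally { $store.Close() }
}

function Export-SiteCertificateWithChain($Cert, $Intermediates, [string]$Path, [string]$Password) {
    # A PKCS#12 bundle of leaf + intermediates. The leaf's private key is only
    # included if the key was created exportable (IIS Manager's request wizard does this).
    $bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    [void]$bundle.Add($Cert)
    foreach ($ca in $Intermediates) { [void]$bundle.Add($ca) }
    $bytes = $bundle.Export("Pkcs12", $Password)
    [System.IO.File]::WriteAllBytes($Path, $bytes)
    return $bytes.Length
}

$cert = Get-SiteCertificate $SubjectCn
"Site certificate: $($cert.Subject)"
"Issued by:        $($cert.Issuer)"
$intermediates = @(Get-Intermediates $cert)
foreach ($ca in $intermediates) {
    $state = "MISSING from LocalMachine\CA - import it here and on the target server"
    if (Test-IntermediateInStore $ca) { $state = "present in LocalMachine\CA" }
    "Intermediate:     $($ca.Subject) [$state]"
}
$size = Export-SiteCertificateWithChain $cert $intermediates $OutFile (Read-Host "PFX password")
"Wrote $size bytes to $OutFile (leaf + private key + $($intermediates.Count) intermediate(s))"
```

On the target server the PFX can be brought in with `certutil -p <password> -importPFX C:\certs\www.mysite.com.pfx` (or Import in IIS Manager’s Server Certificates view), after which the site binding is pointed at the new certificate. Re-run the store check there: the point of carrying the intermediates in the PFX is that the target ends up with the same chain, but the Intermediate Certification Authorities store on the target is what decides whether Firefox users see a trusted site.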
In this installment I will run through the procedure for installing a certificate from a third-party public certificate authority on Windows 2008 R2 IIS 7.5, using a certificate signed by StartCom. StartCom offers free Class 1 SSL/TLS certificates and also Class 2 certificates for businesses at very reasonable prices. You can use a Class 1 certificate for a business web site, but it is tied to an individual person’s identity, which makes that person the responsible party. Earlier versions of Windows and Internet Explorer may not include StartCom in their trusted root store. Firefox and newer versions of Internet Explorer, however, trust certificates issued by StartCom by default.
Prepare Certificate Request from IIS
First go to Start > Admin Tools > IIS Manager.
Click your server in the left pane under Connections, then in the middle pane scroll down and double click the Server Certificates icon.
On the right under Actions click “Create Certificate Request”.
Enter the information for your certificate. For the Common Name use the host name exactly as it appears in the URL of the site, without the scheme (ex. www.mysite.com, not http://www.mysite.com); the browser matches the certificate against the host name only. Click Next.
I will choose 2048 bits for the RSA key length. This is the minimum required for the High Grade certificate I will request on StartCom’s web site later. Click Next.
Save the certificate request to a file, then click Finish.
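The request the wizard builds in the steps above, produced from the command line instead, as an added example (PowerShell driving certreq; not code from the original post). It writes a certreq INF with the same choices IIS Manager makes (machine key set, Microsoft RSA SChannel provider, exportable 2048-bit RSA key), adds a DNS Subject Alternative Name for the host so that browsers that ignore the Common Name still match it, generates the key pair and the PKCS#10 request, and reads the key length back out of the request with certutil rather than trusting the INF. The host name `www.mysite.com`, the organisation fields, the paths under `C:\certs` and an English-locale certutil are assumptions; the INF syntax used is the one accepted by certreq on Windows 2008 R2.

```powershell
# Added example, not from the original post. Assumed values: host name,
# subject fields and file paths.
$ErrorActionPreference = "Stop"
$HostName = "www.mysite.com"                                                  # assumption
$Subject  = "CN=$HostName, O=My Company, L=Springfield, S=Illinois, C=US"     # assumption
$InfPath  = "C:\certs\$HostName.inf"
$CsrPath  = "C:\certs\$HostName.csr"

function New-RequestInf([string]$Dn, [string]$Cn, [string]$Path) {
    # Same choices as the IIS Manager wizard (machine key, SChannel CSP, exportable
    # RSA key) plus what the wizard cannot set: SHA-256 on the request signature,
    # key usage limited to signature + key encipherment, server-auth EKU, and a
    # DNS SAN. Single-quoted here-string so "$Windows NT$" is not expanded.
    $inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "__DN__"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=__CN__&"
'@
    $inf = $inf.Replace("__DN__", $Dn).Replace("__CN__", $Cn)
    Set-Content -Path $Path -Value $inf -Encoding ASCII
    return $Path
}

function New-CertificateRequest([string]$Inf, [string]$Csr) {
    # certreq generates the key pair in the machine store, leaves a pending entry
    # under Certificate Enrollment Requests and writes a base64 PKCS#10 request.
    # The private key never leaves the server; only the CSR goes to the CA.
    & certreq.exe -new -q $Inf $Csr | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
    return $Csr
}

function Get-CsrKeyLength([string]$Csr) {
    # certutil -dump prints "Public Key Length: 2048 bits" for the request
    # (English locale assumed); read it back instead of trusting the INF.
    $dump = (& certutil.exe -dump $Csr) -join "`n"
    $m = [regex]::Match($dump, 'Public Key Length:\s*(\d+)\s*bits')
    if (-not $m.Success) { throw "Could not read the key length from $Csr" }
    return [int]$m.Groups[1].Value
}

New-RequestInf $Subject $HostName $InfPath | Out-Null
New-CertificateRequest $InfPath $CsrPath | Out-Null
$bits = Get-CsrKeyLength $CsrPath
if ($bits -lt 2048) { throw "Key is only $bits bits; StartCom's High Grade profile needs 2048" }
"CSR ($bits-bit RSA) written to $CsrPath; paste its contents into StartCom's ToolBox."
"Once the certificate is issued, use 'Complete Certificate Request' in IIS Manager to pair it with the pending key."
```

The pending request created this way shows up in IIS Manager exactly like one made by the wizard, so the remaining steps of this post (submitting the CSR to StartCom and completing the request) are unchanged. The INF is the part worth keeping under version control: it records the key size, provider and extensions that the wizard otherwise leaves to defaults.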