Creating and Installing an SSL Certificate

You must be logged on as a member of the Administrators group on the local computer to perform the following procedures:

·     Create Certificate Signing Request (CSR)

·     Install an SSL certificate

·     Bind the certificate to a specific port and protocol

·     Install a shared SSL certificate in a uStore cluster

Note: On Windows Server 2008, if User Account Control (UAC) is enabled, it might display a message when you try to access IIS Manager. If so, click Continue.

Create a Certificate Signing Request (CSR)

A Certificate Signing Request file is required in the process of purchasing an SSL certificate. Request an Internet server certificate when you must prove the identity of your web server to clients who request content that resides on the server. Internet server certificates are issued by public certification authorities (CA).

To request an Internet server certificate:

1.       On the Start menu, click All Programs > Accessories > Run.

2.       In the Open box, type inetmgr and then click OK.

3.       On the left pane, navigate to the <Server Name>.

4.       In Features view, double-click Server Certificates.

5.       In the Actions pane, click Create Certificate Request.

6.       On the Distinguished Name Properties page of the Request Certificate Wizard, type the following information, and then click Next.

      · In the Common name text box, type a name for the certificate.

      · In the Organization text box, type the name of the organization in which the certificate will be used.

      · In the Organizational unit text box, type the name of the organizational unit in the organization in which the certificate will be used.

      · In the City/locality text box, type the unabbreviated name of the city or locality where your organization or organizational unit is located.

      · In the State/province text box, type the unabbreviated name of the state or province where your organization or organizational unit is located.

      · In the Country/region text box, type the name of the country or region where your organization or organizational unit is located.

7.       On the Cryptographic Service Provider Properties page, select either Microsoft RSA SChannel Cryptographic Provider or Microsoft DH SChannel Cryptographic Provider from the Cryptographic service provider drop-down list. By default, IIS 7 uses the Microsoft RSA SChannel Cryptographic Provider.

8.       In the Bit length drop-down list, select a bit length that can be used by the provider. By default, the RSA SChannel provider uses a bit length of 2048. The DH SChannel provider uses a bit length of 512. A longer bit length is more secure, but it can affect performance.

9.       Click Next.

10.  On the File Name page, type a file name in the Specify a file name for the certificate request text box, or click the browse button to locate a file, and then click Finish.

11.  Send the certificate request to a public CA.
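The same request can be produced from an elevated PowerShell prompt with the built-in certreq.exe and certutil.exe tools. This is an added example, not part of the original procedure; the subject values and file names are constructed placeholders, and the provider and key length mirror the wizard defaults named in steps 7 and 8.

```powershell
# Added example: scripted equivalent of the Create Certificate Request wizard.
# Subject values and file names are constructed placeholders.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
; Distinguished Name Properties page
Subject = "CN=store.example.com, OU=Web, O=Example Corp, L=Springfield, S=Illinois, C=US"
; Cryptographic Service Provider Properties page
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
KeySpec = 1
KeyLength = 2048
; Keep the key in the computer store so IIS can use it
MachineKeySet = TRUE
; TRUE only if the key must later be exported to other servers
; in the cluster; use FALSE for a single web server
Exportable = TRUE
RequestType = PKCS10
'@

$infPath = Join-Path $env:TEMP 'ustore-request.inf'
$csrPath = Join-Path $env:TEMP 'ustore-request.csr'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# certreq prompts before overwriting, so clear any earlier attempt first.
if (Test-Path $csrPath) { Remove-Item $csrPath }

# Generates the key pair on this computer and writes the PKCS #10 request.
certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Review subject, key length and provider before sending the file to the CA.
certutil.exe -dump $csrPath
```

The private key never leaves the server; only the .csr file is sent to the CA.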

Install an SSL certificate

When you receive a response from a public certification authority (CA) to whom you sent a certificate request, you must complete the process by installing the server certificate on your web server.

Note: You can install the server certificate only on the computer from which you sent the certificate request.

To install an Internet certificate:

1.       On the Start menu, click All Programs > Accessories > Run.

2.       In the Open box, type inetmgr and then click OK.

3.       On the left pane, navigate to the <Server Name>.

4.       In Features view, double-click Server Certificates.

5.       In the Actions pane, click Complete Certificate Request.

6.       On the Complete Certificate Request page, in the File name that contains the certification authority's response text box, type the path of the file that contains the response from the CA, or click the Browse button to search for the file.

7.       Type a friendly name for the certificate in the Friendly name text box, and then click OK.

After the completion of the certificate request, you need to bind the certificate to the default website.

Bind the certificate to a specific port and protocol

1.    On the Start menu, click All Programs > Accessories > Run.

2.    In the Open box, type inetmgr and then click OK.

3.    On the left pane, navigate to <Server Name> > Sites and select the Default Web Site.

4.    In the Actions pane, click Bindings. This provides a dialog box listing the protocols for the selected website.

5.    In the Site Bindings dialog box, click Add.

6.    In the Add Site Bindings dialog box, in the Type drop-down list, select https.

7.    In the SSL certificate drop-down list, select the certificate that you want to bind.

8.    Click OK to add the site binding and return to the Site Bindings dialog box.

9.    In the Site Bindings dialog box, click Close.

Install a shared SSL certificate in a uStore cluster

This section describes how to set up a uStore cluster that contains multiple web servers with the same SSL certificate. These settings ensure secure and encrypted communication between all the web servers in the uStore cluster.

To install a shared SSL certificate in a uStore cluster, you must:

·     Request an SSL certificate from the primary web server

·     Install the SSL certificate on the primary web server

·     Bind the SSL certificate on the primary web server

·     Export the SSL certificate with the private key from the primary web server

·     Import the SSL certificate with the private key to all the other web servers in the uStore cluster

·     Bind the imported SSL certificate to a web server

Export a certificate with the private key

To export the key that you installed on the first web server, follow these steps. This key is imported to other web servers in the uStore cluster.

To export a certificate with the private key:

1.       Open the Certificates snap-in for a user, computer, or service by doing the following:

      · On the Start menu, click All Programs, click Accessories, and then click Run.

      · Type mmc, and then click OK.

      · On the File menu, click Add/Remove snap-in.

      · Choose Certificates, and then click Add.

      · Choose Computer account, and then click Next.

      · Choose Local computer (the computer this console is running on), and then click Finish.

      · Click OK.

2.       In the Console tree, expand Certificates > Personal, and then expand Certificates.

3.       In the Details pane, right-click the certificate that you want to export.

4.       Point to All Tasks, and then click Export.

5.       In the Certificate Export Wizard, click Next and choose Yes to export the private key. (This option will appear only if the private key is marked as exportable and you have access to the private key.)

6.       Under Export File Format, check the Include all certificates in the certification path if possible checkbox and click Next.

7.       In the Password field, type a password to encrypt the private key you are exporting.

8.       In the Confirm password field, type the same password again, and then click Next.

9.       In the File name field, type a file name and path for the PKCS#12 file that will store the exported certificate and private key.

10.  Click Next, and then click Finish.

11.  A pop-up message appears confirming that the Certificate export process was successful.

12.  Click OK.

Import a certificate

After the certificate has been exported, copy the certificate to a location on another web server in the uStore cluster. You must import the certificate to the computer’s Personal certificate store.

To import the certificate to the computer’s Personal certificate store:

1.       Open the Certificates snap-in for a user, computer, or service by doing the following:

      · On the Start menu, click All Programs, click Accessories, and then click Run.

      · Type mmc, and then click OK.

      · On the File menu, click Add/Remove snap-in.

      · Choose Certificates, and then click Add.

      · Choose Computer account, and then click Next.

      · Choose Local computer (the computer this console is running on), and then click Finish.

      · Click OK.

2.       In the Console tree, expand Certificates > Personal, and then expand Certificates.

3.       On the Actions menu, point to All Tasks, and then click Import to start the Certificate Import Wizard.

4.       Type the file name containing the certificate to be imported. (You can also click Browse and navigate to the file.)

5.       If it is a PKCS #12 file, type the password used to encrypt the private key and click Next.

6.       Select Place all certificates in the following store, click Browse and choose the Personal certificate store to use.

7.       A pop-up message appears confirming that the Certificate Import process was successful. Click OK.

Bind the certificate to a specific port and protocol

1.    On the Start menu, click All Programs, click Accessories, and then click Run.

2.    In the Open box, type inetmgr and then click OK.

3.    On the left pane, navigate to <Server Name> > Sites and select the Default Web Site.

4.    In the Actions pane, click Bindings. This provides a dialog box listing the protocols for the selected website.

5.    In the Site Bindings dialog box, click Add.

6.    In the Add Site Bindings dialog box, in the Type drop-down list, select https.

7.    In the SSL certificate drop-down list, select the certificate that you want to bind.

8.    Click OK to add the site binding and return to the Site Bindings dialog box.

9.    In the Site Bindings dialog box, click Close.

Repeat the Import and the binding procedures on any other server in the uStore cluster.
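After repeating the import and binding on a server, a short check confirms that it holds the same certificate as the primary web server, with its private key, and that the https binding uses it. This is an added example, not part of the original procedure; it assumes PowerShell 2.0 or later is available on the server, and the parameter names are hypothetical.

```powershell
# Added example (not from the uStore documentation). Run elevated on a
# secondary web server after the import and binding steps.
param(
    # Thumbprint shown for the certificate on the primary web server.
    [Parameter(Mandatory = $true)][string]$ExpectedThumbprint,
    # Optional: where the exported PKCS#12 file was copied (hypothetical path).
    [string]$PfxPath
)

# Thumbprints copied from the MMC details tab can carry spaces or an
# invisible leading character; keep only the hex digits.
$thumb = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($thumb.Length -ne 40) { throw "Expected a 40-digit SHA-1 thumbprint, got '$thumb'." }

# 1. The certificate must be in the computer's Personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert) { throw "Certificate $thumb is not in LocalMachine\My on $env:COMPUTERNAME." }

# 2. The import must have brought the private key along, or https cannot use it.
if (-not $cert.HasPrivateKey) { throw "Certificate $thumb was imported without its private key." }

# 3. The certificate must be inside its validity period.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate $thumb is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# 4. The https binding must reference this certificate. netsh prints the hash
#    as hex, and Select-String matches case-insensitively.
$bound = [bool](netsh.exe http show sslcert | Select-String -SimpleMatch $thumb)

# 5. The PKCS#12 file contains the private key; it should not stay on disk.
$pfxLeftBehind = [bool]($PfxPath -and (Test-Path $PfxPath))

New-Object PSObject -Property @{
    Computer       = $env:COMPUTERNAME
    Subject        = $cert.Subject
    Thumbprint     = $cert.Thumbprint
    NotAfter       = $cert.NotAfter
    HasPrivateKey  = $cert.HasPrivateKey
    BoundInHttpSys = $bound
    PfxLeftBehind  = $pfxLeftBehind
}
```

The thumbprint to pass in can be read on the primary web server from the certificate's Details tab or with `Get-ChildItem Cert:\LocalMachine\My`.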