How do I install a SSL/TLS certificate on Microsoft IIS 7?
Before you begin
- Never share private key files.
- If you plan on using the same certificate on multiple servers always transfer the private key using a secure method (e-mail is not considered a secure method of transfer).
- Make sure you run the SSL Server Test at the end of the installation process to check your certificate configuration against SSL/TLS Best Practices.
Installing your SSL/TLS Certificate on Microsoft IIS 7
1. Click the Download button in the pickup wizard to download your certificate files. Clicking the download button will produce a zip file that includes your Server Certificate, the chain/intermediate certificates(s) and the Root certificate. Extract the files from the zip file.
2. On the server, go to Start > Run > type MMC and hit enter.
3. Click File > Add Remove Snap-in.
4. Select Certificates and click Add.
5. Select Computer Account, click Next,and click Finish.
6. Click OK to close the window.
7. Expand Certificates on the left hand side of the console window.
8. Expand the Trusted Root Certification Authorities folder and click on the Certificates sub-folder.
9. Important: Check the list of Trusted Root Certificates to see if there is a root labeled Root Certification Authority - G2. If this root is present, delete the root from the list. You will install another root certificate and chain your certificate to that root to provide backwards compatibility with older devices that do not include the newer Entrust SHA-2 root certificate.
10. Right click on the Certificates sub-folder under Trusted Root Certification Authorities and select All Tasks > Import.
11. In the import wizard, browse to the Root.crt file downloaded in step 1 and complete the wizard.
12. In the MMC console, expand the Intermediate Certification Authorities folder. Right click on the Certificates sub-folder and select All Tasks > Import.
13. In the import wizard, browse to the Intermediate1.crt file downloaded in step 1 and complete the wizard.
14. Right click on the Certificates sub-folder under Intermediate Certification Authorities and select All Tasks > Import.
15. In the import wizard, browse to the Intermediate2.crt file downloaded in step 1 and complete the wizard to complete the certificate chain setup process. You should see your Entrust Intermediate certificates listed in the Intermediate Certification Authorities folder. You are now ready to install your signed server certificate.
16. Launch the Internet Information Services Manager (IIS) by going to Start > Programs > Administrative Tools > Internet Information Services (IIS) Manager.
17. Select the server name in question on the left hand connections menu.
18. In the middle section of the IIS Manager, double click on the Server Certificate icon.
19. Click on the Complete Certificate Request action link.
20. Browse to the ServerCertificate.crt file that was downloaded in step 1. Provide a friendly name for the certificate. The friendly name can be anything - it is just a label for your certificate. A good friendly name would be domain_name_current_year (example: example.com2016).
21. Click OK to complete the import process. Your certificate should now be displayed in the Server Certificate list.
22. Now that the certificate is imported, you must bind your certificate to the website. In IIS, select your website (in most cases, Default Web Site) under the connections menu and click on Bindings under the Action menu.
23. Select Add from the Site Binding window. If you are renewing or replacing a certificate, you should already see https listed under type. In this case, select edit to update the certificate for that binding.
24. In the Add Site Binding window, set the Type to https, IP address to All Unassigned, and Port to 443. Select the Server Certificate that you imported previous in the SSL Certificate dropdown. Click OK to complete the bindings setup.
25. You should see an https binding in the Site Bindings window.
Important Note: If you have installed the intermediate certificates after binding the certificate, you may have to remove the binding and then rebind your certificate. This is required as IIS 7 builds the certificate’s trust path as delivered to users at binding time.