
Windows Server Certificate Maintenance

Contents
Step 1 - Generate a Certificate Request
Step 2 - Request the Certificate
Step 3 - The Certificate is submitted
Step 4 - Receive Certificate
Step 5 - Download Certificate
Step 6 - Add private key
Step 7 - Export Certificate with Private Key
Step 8 - Copy the certificate to server
Step 9 - Update the Certificate
Step 10 - Test and Verify
Appendix A - Certificates on IIS 5/6
    Exporting/Backing Up to a .pfx File
    Importing from a .pfx File
    Enabling a New Certificate on a Server
Revision History

Step 1 - Generate a Certificate Request


These instructions are for IIS 7 on Windows 2008 R2. For IIS 5/6 see Appendix A. It is less complicated to generate the certificate request on the server the certificate will end up being used on, but this is not required; sometimes that server does not run IIS.

1. Log into a server with IIS 7 (Windows 2008 R2) installed.
2. In the Start menu, click Administrative Tools and then Internet Information Services Manager.
3. Click on the server name in the left panel and then double-click Server Certificates.
4. Click the Create Certificate Request link on the right as shown below.
5. Enter the information exactly as below, but replace www.enterprise.com with the URL the certificate is for, then click Next.
6. Change the bit length to 2048 and click Next.
7. Choose a location and a filename to write your request file to, and click Finish to create the file.
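The same request can be generated from an elevated PowerShell prompt with certreq.exe instead of the IIS wizard. The script below is an added example, not part of the original procedure; the working folder C:\CertRequests and the O, L, S and C subject values are assumptions to replace with your own.

```powershell
# Added example (not from the original document). Run in an elevated PowerShell prompt.
$Fqdn    = 'www.enterprise.com'     # replace with the URL the certificate is for
$WorkDir = 'C:\CertRequests'        # assumed working folder
$Inf     = Join-Path $WorkDir "$Fqdn.inf"
$Req     = Join-Path $WorkDir "$Fqdn.req"

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Request definition read by certreq. KeyLength matches the 2048-bit setting in Step 1.
# MachineKeySet places the key pair in the computer store, where IIS looks for it.
# Exportable is needed only if the key will be moved to another server (Step 7).
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn, O=Example Org, L=Example City, S=Example State, C=US"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = TRUE
RequestType = PKCS10
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@ | Set-Content -Path $Inf -Encoding ASCII

# Create the key pair and write the PKCS #10 request file.
certreq.exe -new $Inf $Req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Decode the request so the subject and key length can be reviewed before it is sent.
certutil.exe -dump $Req
```

The private key never leaves the server at this point; only the .req file is sent with the request in Step 2.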

Step 2 - Request the Certificate


Contact Name/Email (Process Owner)
Primary Technical Contact Name/Email/Company
Domain name for Certificate. Note that you will in most cases want to request www.domain.com and not simply domain.com for the certificate.
Type of web server software (IIS, Apache, etc.)
1, 2, or 3 year cert duration (get 3 years if it's a production certificate)
Purpose (short description)
Number of servers the cert will be used on (this is important for proper licensing)

Step 3 - The Certificate is submitted


The Certificate Admin team will submit the certificate request.

Step 4 - Receive Certificate


Once the certificate is generated, the Certificate Admin team will email you instructions and a link to download it.

Step 5 - Download Certificate


Download the PKCS #7 certificate (file name ends in .p7b) and copy it to the original web server you generated the request on.

Step 6 - Complete Certificate Request


Start Internet Services Manager. Click on the server name on the left and then double-click the Server Certificates icon.

Select Complete Certificate Request on the right.

Click to bring up the Open window, browse to the directory where you stored the certificate and select it, then enter its URL in the friendly name field. (Note: you may need to change the *.cer in the box on the bottom right of the Open window to *.* to see the certificate if its extension is not .cer.) Click OK.

If you generated the certificate request on the same server you will be installing it on, you can skip to step 8.

Step 7 - Export Certificate with Private Key


Exporting/Backing Up to a .pfx File

1. On the Start menu click Run and then type mmc.
2. Click File > Add/Remove Snap-in.
3. Click Certificates > Add.
4. Select Computer Account and then click Next. Select Local Computer and then click Finish. Then close the add standalone snap-in window and the add/remove snap-in window.
5. Click the + to expand the certificates (local computer) console tree and look for the personal directory/folder. Expand the certificates folder.
6. Right-click on the certificate you want to back up and select ALL TASKS > Export.
7. Click Next on the Welcome screen.
8. Choose Yes, export the private key and then click Next.
9. Personal Information Exchange should be selected by default if you choose to export the private key. Check the box Include all certificates in certificate path if possible and click Next. Warning: Do not select the delete private key option.
10. Type and confirm a password. This password will be needed to import the certificate on another server.
11. Choose a filename to save the certificate to and then click Next.
12. Select Finish.

You should receive an "export successful" message. The .pfx file is now saved to the location you selected.

Step 8 - Copy the certificate to server


Copy the exported file to the server it needs to be installed on.

Importing from a .pfx File

1. On the Start menu click Run and then type mmc.
2. Click File > Add/Remove Snap-in.
3. Click Certificates > Add.
4. Select Computer Account and then click Next. Select Local Computer and then click Finish. Then close the add standalone snap-in window and the add/remove snap-in window.
5. Click the + to expand the certificates (local computer) console tree and look for the personal directory/folder. Expand the certificates folder.
6. Right-click on the certificate and select ALL TASKS > Import.
7. Follow the certificate import wizard to import your primary certificate from the .pfx file. When prompted, choose to automatically place the certificates in the certificate stores based on the type of the certificate.
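The export in Step 7 and the import in Step 8 can also be done with certutil.exe, with a check on each side that the private key is actually present. This is an added example, not part of the original procedure; the thumbprint and the .pfx path are values the operator supplies, and both functions assume an elevated PowerShell prompt.

```powershell
# Added example (not from the original document). Run elevated on each server.

function Export-ServerPfx {              # Step 7: on the server that holds the key
    param([Parameter(Mandatory = $true)][string]$Thumbprint,
          [Parameter(Mandatory = $true)][string]$PfxPath)

    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key to export." }

    # No -p argument: certutil prompts for the password, so it does not end up
    # on the command line or in the console history.
    certutil.exe -exportPFX My $Thumbprint $PfxPath
    if ($LASTEXITCODE -ne 0) { throw "certutil -exportPFX failed ($LASTEXITCODE)" }

    # The .pfx contains the private key: restrict the file to Administrators.
    icacls.exe $PfxPath /inheritance:r /grant:r 'BUILTIN\Administrators:F'
}

function Import-ServerPfx {              # Step 8: on the destination server
    param([Parameter(Mandatory = $true)][string]$Thumbprint,
          [Parameter(Mandatory = $true)][string]$PfxPath)

    certutil.exe -importPFX $PfxPath     # prompts for the password set during export
    if ($LASTEXITCODE -ne 0) { throw "certutil -importPFX failed ($LASTEXITCODE)" }

    # Confirm that the expected certificate arrived together with its key.
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "Imported certificate $Thumbprint has no private key." }

    # Do not leave a copy of the key lying on disk once the import is verified.
    Remove-Item $PfxPath
    Write-Host "Imported $($cert.Subject), valid until $($cert.NotAfter)"
}
```

Remove the copy of the .pfx on the source server as well once the destination has been verified, unless it is kept as a deliberate backup in a protected location.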

Step 9 - Update the Certificate


Configure the software to use the new certificate. For IIS 7 follow the instructions below (for IIS 5/6 see the Appendix). For other software, contact the SME for the software for instructions on installing the certificate.

Enabling a New Certificate on a Server with IIS 7

1. On the Start menu, click Administrative Tools > Internet Information Services (IIS) Manager.
2. In the IIS Manager, click the server name.
3. Expand the sites folder.
4. Select the site that you want to secure (usually the default website).
5. On the actions menu in the edit site section, click Bindings.
6. In the site bindings window, highlight https and click Edit.
7. Click the down arrow and choose the new certificate from the listbox.
8. Click OK.

Your SSL certificate is now updated. You may have to restart IIS (World Wide Web Publishing service) on the server for it to recognize the new certificate.

Step 10 - Test and Verify


Test the certificate by connecting to the new domain at its https address. In a browser, view the certificate and ensure that the expiration dates are updated and the domain is OK. When you connect, you should not receive any warnings if everything is set up properly. If the certificate is not an IIS certificate, you will need to coordinate with the application owner to install and test the certificate.

To verify an IIS installed certificate

Connect to the website over SSL (https) with a browser. Click on the lock icon in the address bar and then view certificates. Ensure the valid from dates have been updated.
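The browser check can be repeated from PowerShell, which also makes it easy to confirm that the site is serving the new certificate and not the old one. This is an added example, not part of the original procedure; the function name, the host name and the optional expected thumbprint are assumptions supplied by the operator.

```powershell
# Added example (not from the original document).
function Test-ServerCertificate {
    param([string]$HostName = 'www.enterprise.com',
          [int]$Port = 443,
          [string]$ExpectedThumbprint)   # thumbprint of the newly installed certificate

    # Record the validation result instead of aborting, so that a certificate
    # that would trigger a browser warning can still be inspected and reported.
    $script:policyErrors = $null
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($source, $certificate, $chain, $errors)
        $script:policyErrors = $errors
        $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }

    # Only compare thumbprints when the caller supplied one.
    $matches = $null
    if ($ExpectedThumbprint) {
        $matches = ($cert.Thumbprint -eq ($ExpectedThumbprint -replace '\s', ''))
    }

    New-Object PSObject -Property @{
        Subject         = $cert.Subject
        NotBefore       = $cert.NotBefore      # "valid from" date, should be recent
        NotAfter        = $cert.NotAfter       # new expiration date
        DaysRemaining   = [int]($cert.NotAfter - (Get-Date)).TotalDays
        Thumbprint      = $cert.Thumbprint
        MatchesExpected = $matches
        # 'None' means chain, dates and host name all validated: no warning expected.
        PolicyErrors    = $script:policyErrors
    }
}

# Usage: Test-ServerCertificate -HostName 'www.enterprise.com' | Format-List
```

A PolicyErrors value other than None, or an old NotBefore date, means the binding from Step 9 is still presenting the previous certificate or the chain is incomplete.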

Appendix A - Certificates on IIS 5/6


Exporting/Backing Up to a .pfx File

1. On the Start menu click Run and then type mmc.
2. Click File > Add/Remove Snap-in.
3. Click Add > Certificates > Add.
4. Select Computer Account and then click Next. Select Local Computer and then click Finish. Then close the add standalone snap-in window and the add/remove snap-in window.
5. Click the + to expand the certificates (local computer) console tree and look for the personal directory/folder. Expand the certificates folder.
6. Right-click on the certificate you want to back up and select ALL TASKS > Export.
7. Choose Yes, export the private key and include all certificates in certificate path if possible. Warning: Do not select the delete private key option.
8. Leave the default settings and then enter your password if required.
9. Choose to save the file and then click Finish.

You should receive an "export successful" message. The .pfx file is now saved to the location you selected.

Importing from a .pfx File

1. On the Start menu click Run and then type mmc.
2. Click File > Add/Remove Snap-in.
3. Click Add > Certificates > Add.
4. Select Computer Account and then click Next. Select Local Computer and then click Finish. Then close the add standalone snap-in window and the add/remove snap-in window.
5. Click the + to expand the certificates (local computer) console tree and look for the personal directory/folder. Expand the certificates folder.
6. Right-click on the certificate you want to back up and select ALL TASKS > Import.
7. Follow the certificate import wizard to import your primary certificate from the .pfx file. When prompted, choose to automatically place the certificates in the certificate stores based on the type of the certificate.

Enabling a New Certificate on a Server

1. On the Start menu, click Administrative Tools > Internet Information Services (IIS) Manager.
2. In the IIS manager, right-click the site that you want to use the certificate for and select Properties.
3. Navigate to Directory Security > Server Certificate. This will start the server certificate wizard.
4. If given the option, choose to Assign an existing certificate to the site and choose the certificate that you just imported. If you do not have that option, you should be asked what you want to do with the current certificate on the site. Choose the option to replace your current certificate.
5. Browse to the .pfx file that you created earlier and then finish the certificate wizard.

You may have to restart IIS or the server for it to recognize the new certificate.

Revision History
