certificate maintenance

Upload: semperubi

Post on 14-Apr-2018


  • 7/30/2019 Certificate Maintenance


    Windows Server Certificate Maintenance

    Contents

    Step 1 - Generate a Certificate Request
    Step 2 Request the Certificate
    Step 3 The Certificate is submitted
    Step 4 Receive Certificate
    Step 5 Download Certificate
    Step 6 Add private key
    Step 7 - Export Certificate with Private Key
    Step 8 - Copy the certificate to server
    Step 9 Update the Certificate
    Step 10 Test and Verify
    Appendix A - Certificates on IIS 5/6
        Exporting/Backing Up to a .pfx File
        Importing from a .pfx File
        Enabling a New Certificate on a Server
    Revision History


    Step 1 - Generate a Certificate Request

    Log in to a server with IIS 7 (Windows 2008 R2) installed. For IIS 5/6 see Appendix A. These instructions are for IIS on Windows 2008 R2. It is less complicated if you generate the certificate request on the server it will end up being used on, but sometimes the server does not run IIS and it is not required.

    In the Start Menu click Administrative Tools and then Internet Information Services Manager.

    Click on the server name in the left panel and then double click Server Certificates.

    Then click the Create Certificate Request link on the right as shown below.

    Enter the information exactly as below but replace www.enterprise.com with the URL the certificate is for, then click next.

    Change the bit length to 2048 and click next.

    Choose a location to write your request file to and a file name and click Finish to create the file.
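
    The same request can be produced without the IIS Manager wizard. The script below is an added example, not part of the original document: it drives certreq.exe from an elevated PowerShell prompt, and the working folder and every Subject field other than CN are placeholders.

```powershell
# Added example: scripted alternative to the Create Certificate Request wizard.
# Assumptions: elevated prompt; Subject fields other than CN are placeholders.
$hostName = 'www.enterprise.com'      # replace with the URL the certificate is for
$workDir  = 'C:\CertRequests'         # hypothetical working folder
$infPath  = Join-Path $workDir "$hostName.inf"
$reqPath  = Join-Path $workDir "$hostName.req"

if (-not (Test-Path $workDir)) { New-Item -ItemType Directory -Path $workDir | Out-Null }

# Single-quoted here-string so that "$Windows NT$" is written literally.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=__HOST__, O=Example Org, L=Example City, S=Example State, C=US"
; Bit length from Step 1
KeyLength = 2048
; AT_KEYEXCHANGE, the key type used for SSL server certificates
KeySpec = 1
; Key lives in the Local Computer store, where IIS looks for it
MachineKeySet = TRUE
; Needed for the .pfx export in Step 7; use FALSE if the key never leaves this server
Exportable = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
'@ -replace '__HOST__', $hostName

Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Creates the key pair on this server and writes the PKCS #10 request file.
certreq.exe -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Confirm the key length before handing the request over (English-language output assumed).
$dump = certutil.exe -dump $reqPath
if (-not ($dump -match '2048 bits')) { throw 'Request does not contain a 2048-bit key' }
Write-Output "Request written to $reqPath"
```

    The private key is created on the server at this point and is not part of the request file; only the .req file is sent on in Step 2.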


    Step 2 Request the Certificate

    - Contact Name/Email (Process Owner)
    - Primary Technical Contact Name/Email/Company
    - Domain name for Certificate. Note that you will in most cases want to request www.domain.com and not simply domain.com for the certificate.
    - Type of web server software (IIS, Apache, etc.)
    - 1, 2, or 3 year cert duration (get 3 years if it's a production certificate)
    - Purpose (short description)
    - Number of servers the cert will be used on; this is important for proper licensing

    Step 3 The Certificate is submitted

    The Certificate Admin team will submit the certificate request.

    Step 4 Receive Certificate

    Once a certificate is generated, the Certificate Admin team will email you instructions and a link to download it.

    Step 5 Download Certificate

    Download the PKCS #7 certificate (file name ends in .p7b) and copy it to the original web server you generated the request on.

    Step 6 Complete Certificate Request

    Start Internet Services Manager. Click on the server name on the left and then double click the Server Certificates icon.

    Select Complete Certificate Request on the right.

    Click to bring up the Open window and browse to the directory where you stored the certificate and select it, then enter its URL in the friendly name field. (Note: you may need to change the *.cer in the box on the bottom right of the Open window to *.* to see the certificate if its extension is not .cer.)

    Click OK.

    If you generated the certificate request from the same server you will be installing it on, you can skip to step 8.

    Step 7 - Export Certificate with Private Key

    Exporting/Backing Up to a .pfx File

    1. On the Start menu click Run and then type mmc.
    2. Click File > Add/Remove Snap-in.
    3. Click Certificates > Add.
    4. Select Computer Account and then click Next. Select Local Computer and then click Finish. Then close the add standalone snap-in window and the add/remove snap-in window.
    5. Click the + to expand the certificates (local computer) console tree and look for the personal directory/folder. Expand the certificates folder.
    6. Right-click on the certificate you want to back up and select ALL TASKS > Export.
    7. Click next on the Welcome Screen.
    8. Choose Yes, export the private key and then click next.
    9. Personal Information Exchange should be selected by default if you choose to export the private key. Check the box Include all certificates in certificate path if possible and click next.
       Warning: Do not select the delete private key option.
    10. Type and confirm a password. This password will be needed to import the certificate on another server.
    11. Choose a file name to save the certificate to and then click next.
    12. Select Finish.

    You should receive an "export successful" message. The .pfx file is now saved to the location you selected.

    Step 8 - Copy the certificate to server

    Copy the exported file to the server it needs to be installed on.

    Importing from a .pfx File

    1. On the Start menu click Run and then type mmc.
    2. Click File > Add/Remove Snap-in.
    3. Click Certificates > Add.
    4. Select Computer Account and then click Next. Select Local Computer and then click Finish. Then close the add standalone snap-in window and the add/remove snap-in window.
    5. Click the + to expand the certificates (local computer) console tree and look for the personal directory/folder. Expand the certificates folder.
    6. Right-click on the certificate and select ALL TASKS > Import.
    7. Follow the certificate import wizard to import your primary certificate from the .pfx file. When prompted, choose to automatically place the certificates in the certificate stores based on the type of the certificate.

    Step 9 Update the Certificate

    Configure the software to use the new certificate.

    For IIS 7 follow the instructions below (for IIS 5/6 see the Appendix). For other software, contact the SME for the software for instructions on installing the certificate.

    Enabling a New Certificate on a Server with IIS 7

    1. On the Start menu, click Administrative Tools > Internet Information Services (IIS) Manager.
    2. In the IIS Manager, click the server name.
    3. Expand the sites folder.
    4. Select the site that you want to secure (usually the default website).
    5. On the actions menu in the edit site section, click Bindings.
    6. In the site bindings window, highlight https and click edit.
    7. Click the Down arrow and choose the new certificate from the list box.
    8. Click OK. Your SSL Certificate is now updated. You may have to restart IIS (World Wide Web Publishing service) for the server to recognize the new certificate.

    Step 10 Test and Verify

    Test the certificate by connecting to the new domain at its https address. In a browser, view the certificate and ensure that the expiration dates are updated and the domain is OK. When you connect, you should not receive any warnings if everything is set up properly.

    If the certificate is not an IIS certificate, you will need to coordinate with the application owner to install and test the certificate.

    To verify an IIS installed certificate

    Connect to the website over SSL (https) with a browser.

    Click on the lock icon in the address bar and then view certificates.

    Ensure the valid from dates have been updated.
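
    The same properties can be checked from the certificate store on the server. The function below is an added example, not part of the original document; it assumes an RSA certificate whose friendly name was set to the site URL as in Step 6, and the function name and the 30-day warning window are hypothetical.

```powershell
# Added example: inspect the certificate in Local Computer > Personal after import.
# Assumptions: RSA certificate; friendly name equals the site URL (Step 6).
function Test-InstalledCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$MinKeyBits = 2048,   # bit length chosen in Step 1
        [int]$WarnDays   = 30      # hypothetical renewal warning window
    )

    $now   = Get-Date
    $certs = @(Get-ChildItem Cert:\LocalMachine\My |
               Where-Object { $_.FriendlyName -eq $HostName })
    if ($certs.Count -eq 0) {
        throw "No certificate with friendly name '$HostName' in LocalMachine\My"
    }

    foreach ($cert in $certs) {
        # Common name from the subject; subject alternative names are not read here.
        $cn = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        $keyBits  = $cert.PublicKey.Key.KeySize
        $problems = @()

        # A certificate imported without its key cannot be selected for an https binding.
        if (-not $cert.HasPrivateKey) { $problems += 'no private key' }
        if ($cert.NotBefore -gt $now) { $problems += 'not yet valid' }
        if ($cert.NotAfter -lt $now)  { $problems += 'expired' }
        elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) {
            $problems += "expires within $WarnDays days"
        }
        if ($keyBits -lt $MinKeyBits) { $problems += "key shorter than $MinKeyBits bits" }
        if ($cn -ne $HostName)        { $problems += "subject CN '$cn' does not match" }

        New-Object PSObject -Property @{
            Thumbprint = $cert.Thumbprint
            Subject    = $cn
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
            KeyBits    = $keyBits
            Problems   = ($problems -join '; ')
        }
    }
}

Test-InstalledCertificate -HostName 'www.enterprise.com' | Format-List
```

    An old and a new certificate with the same friendly name are both listed, which makes it easy to confirm by thumbprint and dates which one was selected in Step 9. The script reads the store only, so the browser check of the https binding is still needed.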


    Appendix A - Certificates on IIS 5/6

    Exporting/Backing Up to a .pfx File

    1. On the Start menu click Run and then type mmc.
    2. Click File > Add/Remove Snap-in.
    3. Click Add > Certificates > Add.
    4. Select Computer Account and then click Next. Select Local Computer and then click Finish. Then close the add standalone snap-in window and the add/remove snap-in window.
    5. Click the + to expand the certificates (local computer) console tree and look for the personal directory/folder. Expand the certificates folder.
    6. Right-click on the certificate you want to back up and select ALL TASKS > Export.
    7. Choose Yes, export the private key and include all certificates in certificate path if possible.
       Warning: Do not select the delete private key option.
    8. Leave the default settings and then enter your password if required.
    9. Choose to save the file and then click Finish. You should receive an "export successful" message. The .pfx file is now saved to the location you selected.

    Importing from a .pfx File

    1. On the Start menu click Run and then type mmc.
    2. Click File > Add/Remove Snap-in.
    3. Click Add > Certificates > Add.
    4. Select Computer Account and then click Next. Select Local Computer and then click Finish. Then close the add standalone snap-in window and the add/remove snap-in window.
    5. Click the + to expand the certificates (local computer) console tree and look for the personal directory/folder. Expand the certificates folder.
    6. Right-click on the certificate you want to back up and select ALL TASKS > Import.
    7. Follow the certificate import wizard to import your primary certificate from the .pfx file. When prompted, choose to automatically place the certificates in the certificate stores based on the type of the certificate.

    Enabling a New Certificate on a Server

    1. On the Start menu, click Administrative Tools > Internet Information Services (IIS) Manager.
    2. In the IIS manager, right-click the site that you want to use the certificate for and select Properties.
    3. Navigate to Directory Security > Server Certificate. This will start the server certificate wizard.
    4. If given the option, choose to Assign an existing certificate to the site and choose the certificate that you just imported. If you do not have that option, you should be asked what you want to do with the current certificate on the site. Choose the option to replace your current certificate.
    5. Browse to the .pfx file that you created earlier and then finish the certificate wizard.

    You may have to restart IIS or the server for it to recognize the new certificate.


    Revision History