certificate maintenance
7/30/2019 Certificate Maintenance
Windows Server Certificate Maintenance
Contents
Step 1 - Generate a Certificate Request
Step 2 - Request the Certificate
Step 3 - The Certificate is submitted
Step 4 - Receive Certificate
Step 5 - Download Certificate
Step 6 - Add private key
Step 7 - Export Certificate with Private Key
Step 8 - Copy the certificate to server
Step 9 - Update the Certificate
Step 10 - Test and Verify
Appendix A - Certificates on IIS 5/6
    Exporting/Backing Up to a .pfx File
    Importing from a .pfx File
    Enabling a New Certificate on a Server
Revision History
Step 1 - Generate a Certificate Request
Log in to a server with IIS 7 (Windows 2008 R2) installed. For IIS 5/6 see Appendix A. These instructions are for IIS on Windows 2008 R2. It is less complicated if you generate the certificate request on the server it will end up being used on, but sometimes the server does not run IIS, and it is not required.
In the Start Menu click Administrative Tools and then Internet Information Services Manager.
Click on the server name in the left panel and then double-click Server Certificates.
Then click the Create Certificate Request link on the right as shown below.
Enter the information exactly as below but replace www.enterprise.com with the URL the certificate is for, then click Next.
Change the bit length to 2048 and click Next.
Choose a location to write your request file to and a file name, and click Finish to create the file.
Step 2 - Request the Certificate
Contact Name/Email (Process Owner)
Primary Technical Contact Name/Email/Company
Domain name for Certificate. Note that you will in most cases want to request www.domain.com and not simply domain.com for the certificate.
Type of web server software (IIS, Apache, etc.)
1, 2, or 3 year cert duration (get 3 years if it's a production certificate)
Purpose (short description)
Number of servers the cert will be used on; this is important for proper licensing
Step 3 - The Certificate is submitted
The Certificate Admin team will submit the certificate request.
Step 4 - Receive Certificate
Once a certificate is generated, the Certificate Admin team will email you instructions and a link to download it.
Step 5 - Download Certificate
Download the PKCS#7 certificate (ends in p7B) and copy it to the original web server you generated it on.
Step 6 - Complete Certificate Request
Start Internet Services Manager. Click on the server name on the left and then double-click the Server Certificates icon.
Select Complete Certificate Request on the right.
Click to bring up the Open window, browse to the directory where you stored the certificate and select it, then enter its URL in the friendly name field. (Note: you may need to change the *.cer in the box on the bottom right of the Open window to *.* to see the certificate if its extension is not .cer.)
Click OK.
If you generated the certificate request from the same server you will be installing it on, you can skip to step 8.
Step 7 - Export Certificate with Private Key
Exporting/Backing Up to a .pfx File
1. On the Start menu click Run and then type mmc.
2. Click File > Add/Remove Snap-in.
3. Click Certificates > Add.
4. Select Computer Account and then click Next. Select Local Computer and then click Finish. Then close the add standalone snap-in window and the add/remove snap-in window.
5. Click the + to expand the certificates (local computer) console tree and look for the personal directory/folder. Expand the certificates folder.
6. Right-click on the certificate you want to back up and select ALL TASKS > Export.
7. Click Next on the Welcome Screen.
8. Choose Yes, export the private key and then click Next.
9. Personal Information Exchange should be selected by default if you choose to export the private key. Check the box Include all certificates in certificate path if possible and click Next.
Warning: Do not select the delete private key option.
10. Type and confirm a password. This password will be needed to import the certificate on another server.
11. Choose a file name to save the certificate to and then click Next.
12. Select Finish.
You should receive an "export successful" message. The .pfx file is now saved to the location you selected.
Step 8 - Copy the certificate to server
Copy the exported file to the server it needs to be installed on.
Importing from a .pfx File
1. On the Start menu click Run and then type mmc.
2. Click File > Add/Remove Snap-in.
3. Click Certificates > Add.
4. Select Computer Account and then click Next. Select Local Computer and then click Finish. Then close the add standalone snap-in window and the add/remove snap-in window.
5. Click the + to expand the certificates (local computer) console tree and look for the personal directory/folder. Expand the certificates folder.
6. Right-click on the certificate and select ALL TASKS > Import.
7. Follow the certificate import wizard to import your primary certificate from the .pfx file. When prompted, choose to automatically place the certificates in the certificate stores based on the type of the certificate.
Step 9 - Update the Certificate
Configure the software to use the new certificate.
For IIS 7 follow the instructions below (for IIS 5/6 see the Appendix). For other software, contact the SME for the software for instructions on installing the certificate.
Enabling a New Certificate on a Server with IIS 7
1. On the Start menu, click Administrative Tools > Internet Information Services (IIS) Manager.
2. In the IIS Manager, click the server name.
3. Expand the sites folder.
4. Select the site that you want to secure (usually the default website).
5. On the actions menu in the edit site section, click Bindings.
6. In the site bindings window, highlight https and click Edit.
7. Click the Down arrow and choose the new certificate from the list box.
8. Click OK. Your SSL Certificate is now updated. You may have to restart IIS (World Wide Web Publishing service) on the server for it to recognize the new certificate.
Step 10 - Test and Verify
Test the certificate by connecting to the new domain at its https address. In a browser, view the certificate and ensure that the expiration dates are updated and the domain is OK. When you connect, you should not receive any warnings if everything is set up properly.
If the certificate is not an IIS certificate, you will need to coordinate with the application owner to install and test the certificate.
To verify an IIS installed certificate:
Connect to the website over SSL (https) with a browser.
Click on the lock icon in the address bar and then view certificates.
Ensure the valid from dates have been updated.
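The Step 10 checks, scripted in PowerShell as an added example that is not part of the original document: it reads the certificate the server actually presents and reports its validity dates, any name or chain errors (what a browser would warn about), the key size from Step 1 and, optionally, whether the thumbprint matches the certificate you installed. The function name Test-ServedCertificate and its parameters are illustrative assumptions, an RSA key is assumed, and www.enterprise.com is the placeholder name from Step 1.

```powershell
# Added example, not part of the original document. Assumes an RSA certificate
# (Step 1 requests 2048 bits); function and parameter names are illustrative.
function Test-ServedCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443,
        [string]$ExpectedThumbprint   # optional: thumbprint of the certificate you installed
    )
    $state = @{ PolicyErrors = $null }
    # Record the TLS stack's verdict (name mismatch, chain or date errors) but let the
    # handshake finish, so that a bad certificate can still be read and reported.
    [System.Net.Security.RemoteCertificateValidationCallback]$callback = {
        param($source, $certificate, $chain, $policyErrors)
        $state.PolicyErrors = $policyErrors
        $true
    }.GetNewClosure()
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
    $now = Get-Date
    $datesOk = ($cert.NotBefore -le $now) -and ($now -lt $cert.NotAfter)
    $keyBits = $cert.PublicKey.Key.KeySize
    New-Object PSObject -Property @{
        Subject         = $cert.Subject
        Thumbprint      = $cert.Thumbprint
        NotBefore       = $cert.NotBefore
        NotAfter        = $cert.NotAfter
        DaysRemaining   = [int]($cert.NotAfter - $now).TotalDays
        KeySizeBits     = $keyBits
        PolicyErrors    = $state.PolicyErrors
        # $null when no thumbprint was supplied; $false means the old certificate is still bound.
        ThumbprintMatch = $(if ($ExpectedThumbprint) {
                $cert.Thumbprint -eq ($ExpectedThumbprint -replace '\s', '') })
        Pass            = $datesOk -and ($keyBits -ge 2048) -and
                          ($state.PolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
    }
}
# Usage: Test-ServedCertificate -HostName www.enterprise.com | Format-List
```

A ThumbprintMatch of False after Step 9 usually means the binding still serves the old certificate, which is the case where the page says IIS may need a restart.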
Appendix A - Certificates on IIS 5/6
Exporting/Backing Up to a .pfx File
1. On the Start menu click Run and then type mmc.
2. Click File > Add/Remove Snap-in.
3. Click Add > Certificates > Add.
4. Select Computer Account and then click Next. Select Local Computer and then click Finish. Then close the add standalone snap-in window and the add/remove snap-in window.
5. Click the + to expand the certificates (local computer) console tree and look for the personal directory/folder. Expand the certificates folder.
6. Right-click on the certificate you want to back up and select ALL TASKS > Export.
7. Choose Yes, export the private key and include all certificates in certificate path if possible.
Warning: Do not select the delete private key option.
8. Leave the default settings and then enter your password if required.
9. Choose to save the file and then click Finish. You should receive an "export successful" message. The .pfx file is now saved to the location you selected.
Importing from a .pfx File
1. On the Start menu click Run and then type mmc.
2. Click File > Add/Remove Snap-in.
3. Click Add > Certificates > Add.
4. Select Computer Account and then click Next. Select Local Computer and then click Finish. Then close the add standalone snap-in window and the add/remove snap-in window.
5. Click the + to expand the certificates (local computer) console tree and look for the personal directory/folder. Expand the certificates folder.
6. Right-click on the certificate you want to backup and select ALL TASKS > Import.
7. Follow the certificate import wizard to import your primary certificate from the .pfx file. When prompted, choose to automatically place the certificates in the certificate stores based on the type of the certificate.
Enabling a New Certificate on a Server
1. On the Start menu, click Administrative Tools > Internet Information Services (IIS) Manager.
2. In the IIS manager, right-click the site that you want to use the certificate for and select Properties.
3. Navigate to Directory Security > Server Certificate. This will start the server certificate wizard.
4. If given the option, choose to Assign an existing certificate to the site and choose the certificate that you just imported. If you do not have that option, you should be asked what you want to do with the current certificate on the site. Choose the option to replace your current certificate.
5. Browse to the .pfx file that you created earlier and then finish the certificate wizard.
You may have to restart IIS or the server for it to recognize the new certificate.
Revision History