Justin Cooney

Web Development Tips and Examples

This is an article that is more or less just for me to remember the steps involved in renewing an Entrust certificate for a Web site in IIS. I think the process should be pretty much the same for other providers, but this is specific to enabling https for a Web site in IIS on a Windows server.

There are a hundred sites out there that outline the process in detail and with screen captures, but for some reason I didn’t easily understand the end-to-end steps so I’m listing the process and steps as I understand them.

The main steps are two-fold:

  1. First you’ll need to generate a certificate signing request in IIS
  2. Secondly you’ll get a certificate zip file back that you’ll need to install on your server and register with your site in IIS.

Generate a certificate signing request (CSR) in IIS

  1. Log into your server with an admin-level account
  2. Open up IIS manager
  3. Right click on the name of your server
  4. In the central options window under the section “IIS” you should see an option called “Server Certificates”
  5. Double click “Server Certificates”
  6. In the right-most options bar you should see a list of “Actions”
  7. Click the action to “Create Certificate Request”
  8. You’ll need to fill out the options, they are fairly self-explanatory:
    • Common Name: add the URL… aka the FQDN (Fully Qualified Domain Name) of the site you would like a certificate for. So for example: example.com
    • Organization: the name of the business the site is registered to
    • Organizational Unit: The department in the business that will own the site: so for example: IT
    • City, State, Country … these are reasonably self-explanatory, just don’t abbreviate
    • Next select the Cryptographic service provider and Bit Length. Advised at this time are: “Microsoft RSA SChannel Cryptographic Provider” and Bit Length=2048
  9. Finally choose where to save your CSR as a .txt file.
  10. At this point you should submit the CSR to request the SSL certificate.
  11. To start, log into your Entrust account.
  12. Then open the CSR .txt file that you just created in Notepad and copy and paste all of the text inside, including the -----BEGIN NEW CERTIFICATE REQUEST----- … ABC -----END CERTIFICATE REQUEST-----
  13. Once approved, you’ll be sent a .zip file containing the new certificates that you will need to register, which is outlined in the steps in the section below.
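The same request can be generated from an elevated PowerShell prompt with `certreq.exe`, which makes the key settings explicit and repeatable at the next renewal. This is an added example, not part of the original steps; the subject values and the working folder are placeholders, and `Exportable = FALSE` is a hardening choice made here, not something the wizard steps above specify.

```powershell
# Added example: scripted equivalent of the IIS "Create Certificate Request" wizard.
# Subject values and paths are placeholders; run from an elevated prompt.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=example.com, OU=IT, O=Example Business, L=Example City, S=Example State, C=US"
KeySpec = 1
KeyLength = 2048
HashAlgorithm = SHA256
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
; FALSE keeps the private key from being exported off this server.
; Set TRUE only if the same certificate must be moved to another machine.
Exportable = FALSE
'@

$work = Join-Path $env:TEMP 'csr-example'            # assumed working folder
New-Item -ItemType Directory -Path $work -Force | Out-Null
Set-Content -Path "$work\request.inf" -Value $inf -Encoding Ascii

# Creates the key pair in the machine store and writes the PKCS#10 request.
certreq.exe -new "$work\request.inf" "$work\request.csr.txt"
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed' }

# Check the subject and key size before pasting the request into the CA portal.
certutil.exe -dump "$work\request.csr.txt" |
    Select-String 'Subject:', 'CN=', 'Public Key Length'

# The pending request (and its private key) stays on this server until the
# issued certificate is installed, so the response must come back to this machine.
Get-ChildItem Cert:\LocalMachine\REQUEST | Format-List Subject, Thumbprint, HasPrivateKey
```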

Installing the new certificates on your server and registering with your site in IIS

Now that you’ve got the zip file with the certificates to install on your server, it’s time to register them on the server.

  1. First unzip your files to a folder. There should be three files:
    • ServerCertificate.crt
    • Intermediate.crt
    • Root.crt
  2. You’ll need to register all of these. First you’ll want to register Root.crt and Intermediate.crt with the mmc.exe certificate snap-in and then you’ll need to register ServerCertificate.crt with IIS.

Registering Root.crt and Intermediate.crt with the mmc.exe certificate snap-in

Start up certificate management in mmc.exe

  1. Click the Start button then Search and then type mmc.exe
  2. You will see the MMC.exe Window appear
  3. On the top menu bar click File
  4. Then click “Add/Remove Snap-in”
  5. Highlight “Certificates” under “Available snap-ins”
  6. Click the “Add>” button to add this feature
  7. Change the selected option to “Computer account”
  8. Click “Next” and then leave the “Local Computer” option selected
  9. Click the “Finish” button and click “Ok”

Register Root.crt

  1. Expand the “Certificates” node
  2. Right click “Trusted root certification authorities”
  3. Choose “All tasks” and “Import”
  4. Click “Next” since you can’t change anything on the popup screen
  5. Click the “Browse” button and upload Root.crt
  6. You should see a popup saying “Import Success”

Register Intermediate.crt

  1. Still in the certificates management MMC.exe snap-in
  2. Right-click “Intermediate Certification Authorities”
  3. Choose “All tasks” and “Import”
  4. Click “Next” since you can’t change anything on the popup screen
  5. Click the “Browse” button and upload Intermediate.crt
  6. You should see a popup saying “Import Success”

Register ServerCertificate.crt

Now is where you will register the ServerCertificate.crt file with IIS and bind it to your Web site so that it can serve up https requests.

  1. Open IIS
  2. Click on the server name and then click on “Server Certificates”
  3. Under “Actions” click “Complete Certificate Request”
  4. In the popup it asks you to “Specify Certificate Authority Response”
  5. Most importantly, click the “” button and point to the “Server Certificates” file
  6. Enter a “Friendly Name”. This won’t affect the certificate; it is a way for you to identify the correct certificate when you are binding your site in IIS. I would suggest a descriptive name that includes the date.
  7. Leave the “Certificate store” dropdown as set to “Personal”
  8. Click “Ok” and your certificate should be registered with IIS now.
  9. Still in IIS click on the site that you’d like to register to use the new certificate
  10. Click on the “Bindings” option on the right-most menu
  11. Select the HTTPS binding you want to modify and click the “Edit” button (or click to “Add” if this certificate is a new addition)
  12. In the edit screen there will be a dropdown that has the existing available certificates. These are listed by “Friendly name” that you entered earlier while registering your certificate in IIS. This is why it’s important to give your certificate a descriptive friendly name that also includes the date, so that you can best identify which one to choose in this dropdown.

So to sum up: these are the steps to manage Entrust certificates in IIS and enable https for your site. I hope the process goes smoothly, good luck!

Random warnings I found out the hard way:

It seems that in the MMC.exe snap-in, the certificates are registered under the “Personal” section. Some guides say to register your certificate here in the MMC, but this is wrong and you should do this through IIS. Also, if you have an error installing with IIS, you may see a warning that you cannot install the same certificate twice. In that case you will need to manually uninstall the incorrectly registered certificate from the “Personal” section in the MMC.exe certificates section. You’ll probably not have to deal with this, but I just thought that I’d mention it.
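The installation steps and the warning above can be scripted and checked from an elevated PowerShell prompt. This is an added example, not part of the original post; the folder, host name and friendly name are placeholders. The `HasPrivateKey` test catches the case described in the warning, where the server certificate sits in “Personal” without being paired to the key created with the CSR.

```powershell
# Added example. $dir, $hostName and the friendly name are placeholders.
$dir      = 'C:\certs\entrust'      # assumed folder where the zip was extracted
$hostName = 'example.com'

# Root and intermediate go into the same machine stores the MMC steps target.
Import-Certificate -FilePath "$dir\Root.crt" -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath "$dir\Intermediate.crt" -CertStoreLocation Cert:\LocalMachine\CA | Out-Null

# Equivalent of "Complete Certificate Request": pairs the issued certificate
# with the private key that was created together with the CSR on this server.
certreq.exe -accept -machine "$dir\ServerCertificate.crt"
if ($LASTEXITCODE -ne 0) { throw 'certreq -accept failed' }

# Locate the installed certificate by the thumbprint of the issued file.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("$dir\ServerCertificate.crt")
$cert   = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $issued.Thumbprint }
if (-not $cert) { throw 'Certificate is not in the machine Personal store.' }

# A certificate without its key cannot serve https; this is what a plain file
# import into "Personal" produces. Remove that entry and complete the request instead.
if (-not $cert.HasPrivateKey) {
    throw "Thumbprint $($cert.Thumbprint) has no private key on this server."
}

# Confirm the chain builds to the imported root and the name matches the site.
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $hostName)) {
    throw "Chain or host name validation failed for $hostName."
}

# Friendly name with the date, so the right entry is obvious in the Bindings dropdown.
$cert.FriendlyName = "$hostName Entrust $(Get-Date -Format 'yyyy-MM-dd')"

# Report whether any https binding already presents this certificate.
$bound = netsh.exe http show sslcert | Select-String -SimpleMatch $cert.Thumbprint
if ($bound) { "Bound: $($cert.FriendlyName)" }
else        { "Installed but not bound yet: pick '$($cert.FriendlyName)' under Bindings." }
```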
