Project SSL
Purpose
This page collects tips for handling SSL certificates on Windows Server 2008 / IIS 7: generating a certificate signing request (CSR), repairing an issued certificate that IIS refuses to import (some certificate authorities deliver files that trigger an import error), exporting a certificate with its private key for backup, and importing that backup on other servers. Jump to the section you need: "Creating a CSR", "Importing an SSL Certificate with an Error", "Exporting an SSL Certificate (as PFX)" or "Importing an SSL Certificate (from PFX)".


NOTE: A CA usually supplies a root certificate and one or more intermediate certificates along with your server certificate, and the intermediate(s) must be installed before you import the CER/CRT. The intermediate is typically delivered as a .p7b (PKCS #7) bundle or as a .cer file; import it in the Certificates (Local Computer) snap-in under Intermediate Certification Authorities -> Certificates. If it is missing, the server certificate itself imports and binds fine, but browsers report an untrusted chain because IIS cannot send the full chain.

Creating a CSR

  1. Open Internet Information Services (IIS) Manager. In the left pane click the server name. In the middle pane, under "IIS", open "Server Certificates".
  2. In the right pane, under "Actions", click "Create Certificate Request...".
  3. A pane prompts for the certificate's subject:
    Common Name = the host name clients will connect to (www.yoursite.com, or *.yoursite.com if you are buying a wildcard certificate); it must match the name users type in the browser
    Organization = the legal name of the business or entity the certificate will be registered to
    Organizational Unit = the department responsible for the certificate, usually "IT" or similar
    City/locality = the city the business or registered entity is in
    State/province = the state or province the business or registered entity is in (whether the CA wants the two-letter abbreviation or the full name varies, so check its instructions)
    Country/region = the country or region the business or registered entity is in
  4. Click "Next". The next pane asks for a cryptographic service provider and a bit length. Your CA's instructions say which to use, but normally the choices are "Microsoft RSA SChannel Cryptographic Provider" and 2048 bits; 2048 is the minimum public CAs accept, so do not pick 1024.
  5. The last pane asks where to save the CSR. Give it an intuitive name such as "yoursite-com-CSR.txt". The file is Base64 text starting with "-----BEGIN NEW CERTIFICATE REQUEST-----"; paste the whole thing into the CA's order form and the CA returns the issued certificate. The matching private key is generated on this server and stays here, so the issued certificate must be completed (or repaired, see the next section) on this same server; use the PFX export below if it has to move to another machine.
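The same request built from the command line with certreq.exe, which ships with Windows. This is an added example and not part of the original page; the subject values, the output directory C:\certs and the file names are placeholders. It creates the key in the machine key store with the same provider and length the wizard uses, adds a Subject Alternative Name for the host, and dumps the request so you can check it before sending it to the CA.

```powershell
# Added example, not from the original page: build the CSR with certreq.exe instead of
# the IIS wizard. The private key lands in the machine key store, so the issued
# certificate must later be completed (or repaired) on this same server.
# Subject values and $OutDir are placeholders; pass your own.
param(
    [Parameter(Mandatory = $true)][string]$CommonName,   # www.yoursite.com or *.yoursite.com
    [string]$Org     = 'Your Company Inc',
    [string]$Ou      = 'IT',
    [string]$City    = 'Springfield',
    [string]$State   = 'Illinois',
    [string]$Country = 'US',
    [string]$OutDir  = 'C:\certs'
)

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# Derive file names from the host name: "*.yoursite.com" -> "wildcard-yoursite-com"
$baseName = ($CommonName -replace '^\*\.', 'wildcard.') -replace '[^A-Za-z0-9]', '-'
$infPath  = Join-Path $OutDir "$baseName.inf"
$csrPath  = Join-Path $OutDir "$baseName-CSR.txt"

# certreq request template. KeySpec 1 = AT_KEYEXCHANGE, ProviderType 12 = RSA SChannel CSP,
# KeyUsage 0xa0 = digitalSignature + keyEncipherment, EKU 1.3.6.1.5.5.7.3.1 = serverAuth.
# Exportable = TRUE lets you back the key up as a PFX later. The SAN extension (2.5.29.17)
# repeats the host name, which browsers check in preference to the CN. If an older
# certreq rejects HashAlgorithm, drop that line: the CSR's own signature hash does not
# affect the certificate the CA issues.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$CommonName, O=$Org, OU=$Ou, L=$City, S=$State, C=$Country"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = sha256
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$CommonName&"
"@
Set-Content -Path $infPath -Value $inf

# Generate the key pair and the PKCS #10 request
certreq -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Inspect what you are about to send: subject, 2048-bit key and SAN should all be right
certutil -dump $csrPath

# The pending request and its key now sit in the machine's REQUEST store; IIS Manager
# will not list anything under Server Certificates until the request is completed.
certutil -store REQUEST | Select-String 'Subject|Cert Hash'
Write-Host "Send the contents of $csrPath to the CA."
```

Run it from an elevated PowerShell prompt on the web server itself (for example `.\New-Csr.ps1 -CommonName www.yoursite.com`). If a subject value contains a comma the Subject line needs quoting per the certreq documentation; the placeholders above do not.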


Importing an SSL Certificate with an Error

  1. In IIS Manager, under "Server Certificates", you use "Complete Certificate Request..." to import the certificate (CRT) the CA sent back, but the import fails with an error to the effect of:
    There was an error while performing this operation.
    Details:
    CertEnroll::CX509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b (ASN: 267)
    0x8009310b is CRYPT_E_ASN1_BADTAG: IIS could not parse the file as the response it expected. The private key generated with the CSR is still in this server's key store, so the fix is to import the certificate with the Certificates MMC snap-in and then re-attach the key with certutil. This only works on the server that generated the CSR.
  2. Open the MMC (Start, Run, mmc).
  3. From File, "Add/Remove Snap-in...", select "Certificates" and click "Add >".
  4. When asked what the snap-in will manage certificates for, select "Computer account". (The dialog's "always" refers to this snap-in instance; it is discarded when you close the console unless you save the console file.)
  5. Select "Local computer" and finish the wizard.
  6. Back at the Console Root, expand Certificates (Local Computer), then Personal, and click "Certificates".
  7. Right-click "Certificates", choose "Import..." under All Tasks, and import the CRT into the Personal store. If the certificate was fine to begin with, this is all you need; the remaining steps apply only when IIS gave the error above.
  8. Double-click the imported certificate, go to the Details tab, scroll down to "Thumbprint" and copy the value to the clipboard. (If the General tab already says "You have a private key that corresponds to this certificate", the key was matched on import and you can skip to step 11.)
  9. Open an elevated command prompt.
  10. Enter: certutil -repairstore my "{PASTE THE THUMBPRINT CODE HERE}"
    The spaces in the copied thumbprint are fine inside the quotes. If certutil reports that the object was not found, the paste picked up an invisible character from the Details tab; delete and retype the first character of the thumbprint.
  11. When you see "CertUtil: -repairstore command completed successfully" the private key has been associated with the certificate in the Personal store, and the certificate shows up in IIS 7 under Server Certificates (no further import is needed).
  12. Now you can assign the SSL certificate to the appropriate website(s) through the site's bindings.
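The MMC-plus-certutil recovery above as a script, added here as an example and not taken from the original page. It assumes you run it elevated on the server that generated the CSR, and $CertPath is a placeholder for the CRT/CER the CA returned. It imports the file into LocalMachine\My (the "Personal" store in the snap-in), runs certutil -repairstore only if the key was not matched automatically, verifies the pairing, and builds the chain so a missing intermediate is caught now instead of by clients.

```powershell
# Added example, not from the original page: import a CA-issued certificate into the
# machine's Personal store and re-attach the private key created with the CSR.
# Must run on the server that generated the CSR; certutil -repairstore locates the
# key by matching the certificate's public key. $CertPath is a placeholder.
param(
    [Parameter(Mandatory = $true)][string]$CertPath   # the .crt/.cer returned by the CA
)
$x509 = 'System.Security.Cryptography.X509Certificates'

# Re-read a certificate from LocalMachine\My so HasPrivateKey reflects the store, not the file
function Get-StoredCert([string]$Thumbprint) {
    $s = New-Object "$x509.X509Store" -ArgumentList 'My', 'LocalMachine'
    $s.Open('ReadOnly')
    $found = $s.Certificates.Find('FindByThumbprint', $Thumbprint, $false)
    $s.Close()
    if ($found.Count -eq 0) { return $null }
    return $found[0]
}

# Load the file (DER or Base64 both work) and add it to the Personal store
$cert  = New-Object "$x509.X509Certificate2" -ArgumentList $CertPath
$store = New-Object "$x509.X509Store" -ArgumentList 'My', 'LocalMachine'
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()
$thumb = $cert.Thumbprint
Write-Host "Imported $($cert.Subject), thumbprint $thumb"

# Step 10 of the procedure, only when the import did not pair the key by itself
$stored = Get-StoredCert $thumb
if (-not $stored.HasPrivateKey) {
    Write-Host 'No private key attached; running certutil -repairstore'
    certutil -repairstore my $thumb
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -repairstore failed ($LASTEXITCODE); is this the server that generated the CSR?"
    }
    $stored = Get-StoredCert $thumb
}
if (-not $stored.HasPrivateKey) { throw 'Certificate still has no private key; repair did not take' }
Write-Host 'Certificate and private key are paired; it will appear in IIS under Server Certificates.'

# Chain check: a missing intermediate (see the NOTE at the top of the page) shows up here
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; revocation is not the point here
if (-not $chain.Build($stored)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
} else {
    Write-Host "Chain OK, $($chain.ChainElements.Count) certificate(s) up to the root"
}
```

If the chain check warns about an untrusted root or a partial chain, import the CA's intermediate into Intermediate Certification Authorities and re-run; the server certificate itself does not need to be touched again.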


Exporting an SSL Certificate (as PFX)

  1. In the MMC, under Console Root, Certificates (Local Computer), Personal, Certificates, right-click the SSL certificate you want to export (to install it on other servers, or to keep a copy for recovery) and under All Tasks select "Export...".
  2. The Certificate Export Wizard starts. Click "Next".
  3. Under Export Private Key select "Yes, export the private key". If the option is greyed out, the key was created or imported as non-exportable and the wizard cannot extract it.
  4. Under Export File Format select (1) "Personal Information Exchange - PKCS #12 (.PFX)", (2) "Include all certificates in the certification path if possible" so the intermediate travels with the certificate, and (3) "Export all extended properties".
  5. Enter a password. It is the only thing protecting the private key inside the file, so choose a strong one and record it somewhere safe: it must be typed again when importing the PFX on other servers or during a recovery, and the key cannot be recovered without it.
  6. Provide the target location and name of the PFX file. Because the file contains the private key, treat it as a secret: restrict its permissions, copy it to other servers over an authenticated channel, and delete stray copies once they have been imported.
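The same export done with the .NET X509 classes from PowerShell, added here as an example that is not part of the original page. $Thumbprint and $OutFile are placeholders; the thumbprint is accepted exactly as copied from the Details tab. The script refuses to export a certificate without a private key, adds the intermediates like the wizard's "Include all certificates in the certification path" option, prompts for the password rather than taking it on the command line, and locks the resulting file down to Administrators and SYSTEM.

```powershell
# Added example, not from the original page: export a certificate, its private key and
# its chain from LocalMachine\My as a PKCS #12 (.pfx) file.
# $Thumbprint and $OutFile are placeholders.
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,   # as copied from the Details tab
    [Parameter(Mandatory = $true)][string]$OutFile       # e.g. C:\backup\yoursite-com.pfx
)
$x509 = 'System.Security.Cryptography.X509Certificates'

# The Details tab copies the thumbprint with spaces and sometimes an invisible leading
# character; keep only the hex digits so the store lookup matches.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

$store = New-Object "$x509.X509Store" -ArgumentList 'My', 'LocalMachine'
$store.Open('ReadOnly')
$found = $store.Certificates.Find('FindByThumbprint', $Thumbprint, $false)
$store.Close()
if ($found.Count -ne 1) { throw "Found $($found.Count) certificate(s) with thumbprint $Thumbprint" }
$cert = $found[0]
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key in this store; nothing to back up' }

# "Include all certificates in the certification path": leaf first (it carries the key),
# then whatever intermediates and root the chain engine finds on this machine.
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode = 'NoCheck'
[void]$chain.Build($cert)
$bundle = New-Object "$x509.X509Certificate2Collection"
[void]$bundle.Add($cert)
for ($i = 1; $i -lt $chain.ChainElements.Count; $i++) {
    [void]$bundle.Add($chain.ChainElements[$i].Certificate)
}

# The password protects the key inside the file; prompt for it so it never lands in
# the shell history, and wipe the plaintext copy as soon as the export is done.
$secure = Read-Host -AsSecureString 'PFX password'
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    $bytes = $bundle.Export('Pkcs12', $plain)   # throws if the key is marked non-exportable
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    $plain = $null
}
[IO.File]::WriteAllBytes($OutFile, $bytes)

# The file now holds the private key: strip inherited ACEs and allow only admins and SYSTEM
icacls $OutFile /inheritance:r /grant:r 'Administrators:F' 'SYSTEM:F' | Out-Null
Write-Host "Exported $($bundle.Count) certificate(s) with private key to $OutFile"
```

Unlike the wizard's "Export all extended properties", this path does not carry over the friendly name or other store-level properties, only the certificates and the key; set a friendly name again after importing if you rely on it in IIS Manager.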


Importing an SSL Certificate (from PFX)

  1. In IIS 7 Manager, under Server Certificates, click "Import...", provide the location of the PFX file and enter the password that was set when the PFX was exported (see the previous section).
  2. Check "Allow this certificate to be exported" if you may ever need to export the key from this server again. Left unchecked, the key is stored as non-exportable and the PFX file is the only copy.
  3. Select the website that should use the SSL certificate.
  4. Under "Actions" select "Bindings...". This opens the "Site Bindings" pane.
  5. Add an https binding if one is not already present, or edit the existing one.
  6. In the "SSL certificate" drop-down, select the imported certificate and click "OK".
  7. Don't be alarmed if the first attempt fails with an error such as:
    There was an error while performing this operation.
    Details:
    A specified login session does not exist. It may already have been terminated.
  8. Click "OK", re-open Bindings, select the https entry, click "Edit..." and choose the certificate again. In practice it works the second time. Confirm the binding took with "netsh http show sslcert", which lists the certificate hash bound to each IP:port, and by browsing to the site over https.
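The import and binding steps as a script for rolling the PFX out to additional servers, added here as an example and not part of the original page. $PfxPath, $SiteName and $IpPort are placeholders, and the script assumes it runs elevated on an IIS 7 host. It splits the PFX into the server certificate (Personal store) and any intermediates (Intermediate Certification Authorities), deliberately does not auto-install a self-signed root, then adds the https binding with appcmd and attaches the certificate to the port in http.sys with netsh, which is what IIS Manager does behind the "Bindings..." dialog.

```powershell
# Added example, not from the original page: import a PFX into the machine stores and
# bind the certificate to a site's https port. $PfxPath, $SiteName and $IpPort are
# placeholders. The app id below is the well-known id IIS uses for its http.sys bindings.
param(
    [Parameter(Mandatory = $true)][string]$PfxPath,
    [string]$SiteName = 'Default Web Site',
    [string]$IpPort   = '0.0.0.0:443'
)
$x509 = 'System.Security.Cryptography.X509Certificates'

function Add-ToStore([string]$StoreName, $Certificate) {
    $s = New-Object "$x509.X509Store" -ArgumentList $StoreName, 'LocalMachine'
    $s.Open('ReadWrite')
    $s.Add($Certificate)
    $s.Close()
}

# MachineKeySet puts the key where IIS (a service) can reach it, PersistKeySet keeps it
# after this process exits, Exportable is the "Allow this certificate to be exported" box.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet,Exportable'

$secure = Read-Host -AsSecureString 'PFX password'
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$bundle = New-Object "$x509.X509Certificate2Collection"
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    $bundle.Import($PfxPath, $plain, $flags)   # wrong password throws here
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    $plain = $null
}

# Route each certificate in the PFX to the store IIS expects it in
$leaf = $null
foreach ($c in $bundle) {
    if ($c.HasPrivateKey) {
        Add-ToStore 'My' $c; $leaf = $c               # Personal
    } elseif ($c.Subject -eq $c.Issuer) {
        Write-Warning "Not installing self-signed root $($c.Subject); add roots to Trusted Root deliberately"
    } else {
        Add-ToStore 'CA' $c                           # Intermediate Certification Authorities
    }
}
if ($leaf -eq $null) { throw 'PFX contains no certificate with a private key' }
$thumb = $leaf.Thumbprint
Write-Host "Imported $($leaf.Subject) ($thumb), expires $($leaf.NotAfter)"

# 1) https binding on the site. appcmd rejects duplicates, so check first.
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$ip, $port = $IpPort -split ':'
$bindIp = if ($ip -eq '0.0.0.0') { '*' } else { $ip }
$bindingInfo = "${bindIp}:${port}:"
$existing = & $appcmd list site "$SiteName" /text:bindings
if ($existing -notmatch [regex]::Escape("https/$bindingInfo")) {
    & $appcmd set site /site.name:"$SiteName" "/+bindings.[protocol='https',bindingInformation='$bindingInfo']"
    if ($LASTEXITCODE -ne 0) { throw 'appcmd could not add the https binding' }
}

# 2) certificate on the port in http.sys. This replaces whatever was bound there before.
$iisAppId = '{4dc3e181-e14b-4a21-b022-59fc669b0914}'
netsh http delete sslcert "ipport=$IpPort" 2>$null | Out-Null
netsh http add sslcert "ipport=$IpPort" "certhash=$thumb" "appid=$iisAppId"
if ($LASTEXITCODE -ne 0) { throw 'netsh http add sslcert failed; is the key in the machine store?' }

# Show what http.sys will actually serve on that port
netsh http show sslcert "ipport=$IpPort"
```

The netsh step is the part IIS Manager occasionally fumbles with the "specified login session" error above; doing it explicitly also makes the result verifiable, since `netsh http show sslcert` prints the bound certificate hash, which should equal $thumb.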