Installing SSL certificates in Microsoft Internet Information Services (IIS)

Article purpose: This article provides step-by-step instructions for installing SSL certificates in Microsoft Internet Information services (IIS) using Key Manager Plus.

If you are an organization dealing with a large number of web applications, deploying SSL certificates for your websites and managing them might be one of your top concerns. Let's go over on how to simplify the process of deploying and managing SSL certificates for your websites using Key Manager Plus.

• Deploying existing SSL certificates to IIS
• Acquiring Microsoft CA signed certificates and deploying them to IIS
• Acquiring trusted third party SSL certificates and deploying them to IIS

Deploying existing SSL certificates to IIS

If you have already purchased SSL certificates, follow the steps below to deploy them in Internet Information Services (IIS) and manage them using Key Manager Plus.

Step 1: Add your certificate to Key Manager Plus repository

To deploy and manage certificates in IIS, you initially have to add your certificates to Key Manager Plus certificate repository. To do that,

• Navigate to SSL → Certificates tab
• Click Add
• In the Add Certificate window that opens, provide the path and click Add
• The certificate gets added to Key Manager Plus certificate repository and you can view it from the SSL → Certificates tab

Step 2: Deploy the certificate to Internet Information Services (IIS)

After adding the certificate to the centralized repository, you have to deploy it to your Windows server. This can directly be done from the Key Manager Plus interface.

To deploy the certificate to IIS,

• Navigate to SSL → Certificates tab
• Select the required certificate and click Deploy
• In the Certificate Deployment window that opens, choose the server type as Internet Information services (IIS)
• Choose the deployment type as single or multiple as per your need
• For single deployment, provide the required details: Server name, user name, password.
• For certificate deployment on multiple servers, upload a .csv file comprising the following details:
  Server name, user name, password
• After providing the details, click Deploy
• The certificate is deployed in Server Certificates of the specified server(s)

(Note: By default, the common name is taken as the certificate file name).

 

Step 3: Bind the certificate to your website

Once the certificate is installed on the required server(s), you have to bind the certificate with your website. To do this,

• Navigate to the domain server
• Open the Internet Information Services (IIS) manager

(In the Windows start menu, click Administrative Tools >> Internet Information Services (IIS) manager)

• In IIS manager, under connections, expand your server name, then expand Sites, and then select the site that you want to secure with the SSL certificate
• In the Actions pane, under edit sites click Bindings
• In the Site Binding window that opens, click Add
• Enter the following information in the Add Site Binding window
  • Type: In the drop-down list, select https.
  • IP address: In the drop-down list, select All unassigned. If your server has multiple IP addresses, select the one that applies.
  • Port: Enter 443, unless you are using a non-standard port for SSL traffic.
  • SSL certificate: In the drop-down list, select the name of the certificate that you just installed.
• After filling in the details, click OK

There you go, your domain is now SSL secured!

Step 4: Manage certificate expiry and notification

After deploying your certificates in IIS, you can manage, monitor, audit and track them for expiry from Key Manager Plus interface.

Click here to try your hand at Key Manager Plus live demo

Acquiring Microsoft CA signed certificates and deploying them to IIS

Follow the steps below to request for certificates from Microsoft CA, deploy and manage them in Internet Information Services (IIS) using Key Manager Plus.

Step 1: Generate Certificate Signing Request (CSR)

The first step is generating a Certificate Signing Request (CSR), which is more like a blue print for the certificate you are going to purchase.

To generate CSR using Key Manager Plus,

• Login to Key Manager Plus and navigate to SSL → Create Csr
• Click Create
• In the Create CSR form that opens, fill in the required details and click Create
• The CSR is saved and you can view it from the SSL → Create Csr tab

Step 2: Request for certificate from Microsoft Certificate Services

After generating CSR, the next step is requesting for certificates from Microsoft Certificate Services. To do this,

• Open Microsoft Active Directory Certificate Services on your server
• In the window that opens, click Request a certificate



• Choose the certificate type as advanced certificate request



• You will be redirected to a certificate request window, where you have to paste the CSR generated earlier, and choose the certificate template as web server



• The certificate is issued and is present in Issued Certificates of Local CA

 

Step 3: Add the certificate to Key Manager Plus repository

After the certificate has been issued by MS Certificate Authority, you have to import the certificate to Key Manager Plus repository. To do this,

• Navigate to Discovery → MS Certificate Store
• Select the type as Local Certificate Authority
• Specify the server name, user name and password of the machine in which the certificate is present
• Click Discover
• The certificates issued by Microsoft Certificate Authority are discovered and imported into Key Manager Plus certificate repository, which can be viewed from SSL → Certificates tab

Then follow the steps 2,3 and 4 as mentioned in the previous case to deploy the certificate to your domain server using Key Manager Plus and bind it to the respective website.

Acquiring trusted third party SSL certificates and deploying them to IIS

Step 1: Generate Certificate Signing Request (CSR)

Follow the same procedure as in the previous case

Step 2: Request for certificate from third party CA

After generating CSR, the next step is requesting for certificates from third party CA. This request is usually submitted to the organization administrator or helpdesk, from where it's taken forward to the required Certificate Authority. To raise requests for certificates from Key Manager Plus,

• Navigate to SSL → Certificate Request
• Click on Add request
• Select the type of request – New certificate or domain addition.
  • New Certificate – Attach a CSR to your request (optional) and a domain name for the new certificate.
  • Add domain – Enter the name of the new domain and select a parent domain from the certificates added to the Key Manager Plus repository.
• Enter the mail addresses to which you would like to send the request and specify the certificate the validity period. These email addresses can be that of an administrator, an intermediary who handles certificate requests, or even that of your help desk software to raise the certificate request as a ticket.
  For eg., admin@keymanagerplus.com, help-desk@manageengine.com.
• Click Additional fields to add additional information such as device name and IP address
• Click the Add Request button to add it to the list of requests in the Certificate Request tab and to send the same to the specified email addresses.

Step 3: Add the certificate to Key Manager Plus repository

The next step is adding the certificate (that has been purchased from external CA through the above certificate request process) to Key Manager Plus centralized certificate repository.

• Navigate to SSL → Certificate Request
• You can see that the request you have raised earlier is in the 'Open' state. Now click Open and in the pop up that opens, attach the certificate obtained from the third party CA, an annotation if you want and click Save & Close.
• The request is closed and at the same time, the certificate is added to the centralized certificate repository
• You can view the certificate by navigating to SSL → Certificates tab
• To keep track of the requests, email is sent to users who raise and close the certificate requests

Then again, follow steps 2,3 and 4 under the first case to deploy the certificate to your domain server using Key Manager Plus and bind it to the respective website.

Go ahead, and give the trial version of Key Manager Plus a shot and write to us for any assistance to keymanagerplus-support@manageengine.com. Click here to download Key Manager Plus.