microsoft iis 7– guide to installing root certificates, generating

Trustis Limited

Building 273 New Greenham Park Greenham Common Thatcham RG19 6HN

E: [email protected] W: www.trustis.com

Registered in England No: 03613613

Microsoft IIS 7– Guide to Installing Root Certificates,

Generating CSR and Installing certificate

Copyright ©

Trustis Limited 2010. All rights reserved.

T-0104-003-AP-001 IIS7 guide - V0.1.docx of 17

© Trustis Limited 2010

Table of Contents

1 Introduction .............................................................................................................. 3

2 Installing the Root & Intermediate Certificates: ......................................................... 3

2.1 Installing the Root CA Certificate ....................................................................... 3

2.2 Installing the Issuing CA Certificate ................................................................... 7

3 Certificate Signing Request (CSR) Generation ......................................................... 8

4 Installing your SSL Server Certificate ..................................................................... 14



1 Introduction This document specifies instructions for Installing the Root and Intermediate certificates, generating your CSR, and Installing your certificate.

2 Installing the Root & Intermediate Certificates:

Firstly, you need to download the CA certificates (both Root CA certificate and Issuing Authority certificate) as individual files

• DER format Root CA certificate – found at http://www.trustis.com/pki/healthcare/ops/fpsroot-der.crt

• DER format Healthcare TT Issuing Authority certificate – found at http://www.trustis.com/pki/healthcare/ops/healthcarett-der.crt

To install these certificates, you must first enable the Certificates Snap-in for the Microsoft Management Console (mmc)

1. Click the Start Button then select Run and type mmc 2. Click File and select Add/Remove Snap in 3. Select Certificates from the Available Snap-ins box and click Add 4. Select Computer Account and click Next 5. Select Local Computer and click Finish 6. Click OK to Close the Add or Remove Snap-ins box 7. Return to the MMC

2.1 Installing the Root CA Certificate

1. Right click the Trusted Root Certification Authorities. Select All Tasks, select Import.



This starts the certificate import wizard



2. Click Next The File to Import dialog is shown

3. Locate the Root CA Certificate file you downloaded earlier and click Next.



4. Click Next to Confirm the location of the Certificate

5. When the wizard is completed, click Finish. Click OK to close the small ‘Import successful’ message.



2.2 Installing the Issuing CA Certificate

1. Right click the Intermediate Certification Authorities. Select All Tasks, select Import.

2. Complete the import wizard again, but this time locating the Issuing CA Certificate when prompted for the Certificate file.

When both certificates have been installed:

• Ensure that the Root CA certificate appears under Trusted Root Certification Authorities

• Ensure that the Issuing CA certificate appears under Intermediate Certification Authorities

Close the MMC



3 Certificate Signing Request (CSR) Generation

A CSR is a file containing your IIS SSL certificate application information, including your Public Key. Generate your CSR and then copy and paste the CSR file into the webform in the enrolment process:

1. Select Administrative Tools 2. Start Internet Information Services (IIS) Manager 3. Click on the Server in the left hand pane. On the right, you should see an icon

called Server Certificates. Double click on this.

4. On the far right of the window, there will appear a set of Actions. Click on Create Certificate Request...



5. A Request Certificate windows will appear. Complete the fields. The Common Name field should be the Fully Qualified Domain Name (FQDN) or the web address for which you plan to use your IIS SSL Certificate, e.g. the area of your site you wish customers to connect to using SSL. For example, an Instant SSL Certificate issued for trustis.com will not be valid for www.trustis.com. If the web address to be used for SSL is www.trustis.com, ensure that the common name submitted in the CSR is www.trustis.com. Click Next.



6. For Cryptographic service provider, choose Microsoft RSA SChannel Cryptographic Provider. For Bit length, choose 2048. Click Next.



7. Enter a filename and location to save your CSR. You will need this CSR to enrol for your IIS SSL Certificate. Click Finish.



8. When you make your application, make sure you include the CSR in its entirety into the appropriate section of the enrolment form - including -----BEGIN CERTIFICATE REQUEST-----to-----END CERTIFICATE REQUEST-----

For example:

-----BEGIN NEW CERTIFICATE REQUEST-----

MIIEgzCCA2sCAQAwezELMAkGA1UEBhMCR0IxETAPBgNVBAgMCE15IFN0YXRlMRAw

DgYDVQQHDAdNeSBDaXR5MRowGAYDVQQKDBFZb3VyIENvbXBhbnkgTmFtZTEMMAoG

A1UECwwDV2ViMR0wGwYDVQQDDBR3d3cubXlkb21haW5uYW1lLmNvbTCCASIwDQYJ

KoZIhvcNAQEBBQADggEPADCCAQoCggEBAOmU8zddVcPQVbgTn1nxZB5y0V+wcbVG

5rZEtw3PubreLkziFH/6MnNThsMST5P0PeUvTz4n0Yn+p0+DuU7qOHPofLjVzGnw

cWFEcNnwnsFjdenf9caFOuotTxYfCYCCghLF2lGpQGBTeBMDK4FKtCrkl+crtBIY

RixV88Fh4EXV27+zU+pLrps4dSb0POy+kN0xMQxIIbX592dB3xGu/52wXUibGDOS

SMGW0wX+9n1PfjdC7oSgr331dMSlE29d7Q1eLGPlPu2tZk6bJ1XWkhkTj4lKhTSM

gVPvsFwcKE3rJ8UQcW19LLlGGK42TYrLP9SXIG2R4SC7Xo0BNsUesV0CAwEAAaCC

AcEwGgYKKwYBBAGCNw0CAzEMFgo2LjEuNzYwMC4yMF0GCSsGAQQBgjcVFDFQME4C

AQUMHVdJTi1DQzJEM1NMN1ExNS50cnVzdGlzLmxvY2FsDB1XSU4tQ0MyRDNTTDdR

MTVcQWRtaW5pc3RyYXRvcgwLSW5ldE1nci5leGUwcgYKKwYBBAGCNw0CAjFkMGIC

AQEeWgBNAGkAYwByAG8AcwBvAGYAdAAgAFIAUwBBACAAUwBDAGgAYQBuAG4AZQBs

ACAAQwByAHkAcAB0AG8AZwByAGEAcABoAGkAYwAgAFAAcgBvAHYAaQBkAGUAcgMB

ADCBzwYJKoZIhvcNAQkOMYHBMIG+MA4GA1UdDwEB/wQEAwIE8DATBgNVHSUEDDAK

BggrBgEFBQcDATB4BgkqhkiG9w0BCQ8EazBpMA4GCCqGSIb3DQMCAgIAgDAOBggq

hkiG9w0DBAICAIAwCwYJYIZIAWUDBAEqMAsGCWCGSAFlAwQBLTALBglghkgBZQME

AQIwCwYJYIZIAWUDBAEFMAcGBSsOAwIHMAoGCCqGSIb3DQMHMB0GA1UdDgQWBBQG

gaFdCuG/t4BwFSG7w+F17xCYXjANBgkqhkiG9w0BAQUFAAOCAQEAz3o65PuPULJh

616mMxFRnlDJSgRiZ28s9Xo9CJSlSiZkvYGGJoHdMvAtn9rzBIZN1PpG+wUaPjpw

o8K89CflbGyFsIswB0yDzfypBwl07HETyZhwLoFQYTa0EFAnNkgAacSTBUeMowb4



GcxdcpV2h7WVHUwOpX49A0SZOD8FIb0Ob5pmuNervoxyU+4UtVMYVnF50sjfzPYY

/i/D2MUKvpPbNO1Rg2Eu+9fqatdt+uoI3H6l8Y+Zj6hi5WfWZB8wak3fgSM41+LZ

T0q/N2WQqZyLp+zSnqeJerNLa4+LmyhpnDOvHtX0xhCdt96lYW4tMlg4ZZtwO8Kd

AEEy8DqPeQ==

-----END NEW CERTIFICATE REQUEST-----

9. Click Next 10. Confirm your details in the enrolment form 11. Finish



4 Installing your SSL Server Certificate

You will receive an email from the Registration Authority when your certificate request has been approved, that contains a link to a location where your certificate may be obtained. Clicking on this link will bring up a browser window that contains the details of your issued certificate and includes a section that looks something like the following:

-----BEGIN CERTIFICATE----- MIAGCSqGSIb3DQEHAqCAMIACAQExADALBgkqhkiG9w0BBwGggDCCAmowggHXAhAF UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAUAMF8xCzAJBgNVBAYTAlVTMSAw (.......) E+cFEpf0WForA+eRP6XraWw8rTN8102zGrcJgg4P6XVS4l39+l5aCEGGbauLP5W6 K99c42ku3QrlX2+KeDi+xBG2cEIsdSiXeQS/16S36ITclu4AADEAAAAAAAAA -----END CERTIFICATE-----

Copy everything you see between and including the lines that look like -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----

Paste the CSR into an appropriately named text file e.g. myserver.crt

1. Select Administrative Tools 2. Start Internet Information Services (IIS) Manager 3. Click on the Server in the left hand pane. On the right, double click on Server

Certificates.



4. On the far right of the window, there will appear a set of Actions. Click on Complete Certificate Request...



5. Enter the location details and a Friendly Name for the file you just created. Click OK.



You will now see the server certificate in the list of Server Certificates.

microsoft iis 7– guide to installing root certificates, generating

Documents