How to Install and Configure Your SSL Certificate on Windows Server

Using IIS 10 to Create Your CSR

  1. In the Windows start menu, type Internet Information Services (IIS) Manager and open it.
  2. In Internet Information Services (IIS) Manager, in the Connections menu tree (left pane), locate and click the server name.
  3. On the server name Home page (center pane), in the IIS section, double-click Server Certificates.
  4. On the Server Certificates page (center pane), in the Actions menu (right pane), click the Create Certificate Request… link.
  5. In the Request Certificate wizard, on the Distinguished Name Properties page, provide the information specified below and then click Next:
    • Common name: Type the fully-qualified domain name (FQDN) (e.g., www.example.com).
    • Organization: Type your company’s legally registered name (e.g., YourCompany, Inc.).
    • Organizational unit: The name of your department within the organization. Frequently this entry will be listed as “IT”, “Web Security,” or is simply left blank.
    • City/locality: Type the city where your company is legally located.
    • State/province: Type the state/province where your company is legally located.
    • Country: In the drop-down list, select the country where your company is legally located.
  6. On the Cryptographic Service Provider Properties page, provide the information below and then click Next.
    • Cryptographic service provider: In the drop-down list, select Microsoft RSA SChannel Cryptographic Provider, unless you have a specific cryptographic provider.
    • Bit length: In the drop-down list, select 2048, unless you have a specific reason for opting for larger bit length.
  7. On the File Name page, under Specify a file name for the certificate request, click the box to browse to a location where you want to save your CSR.
     Note: Remember the filename that you choose and the location to which you save your csr.txt file. If you just enter a filename without browsing to a location, your CSR will end up in C:\Windows\System32.
  8. When you are done, click Finish.
  9. Use a text editor (such as Notepad) to open the file. Then, copy the text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, and paste it into the DigiCert order form.
  10. After you receive your SSL certificate from DigiCert, you can install it.
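
The same request can be produced without the wizard. The following is an added example, not part of the original instructions: it uses certreq.exe with a policy file that mirrors the wizard pages above (distinguished name, Microsoft RSA SChannel Cryptographic Provider, 2048 bits). The subject values, the working folder and the non-exportable key setting are assumptions of this example.

```powershell
# Added example: scripted equivalent of the IIS "Create Certificate Request" wizard.
# All subject values are placeholders; replace them with your own details.
$workDir = Join-Path $env:TEMP 'csr-example'        # assumed working folder
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$infPath = Join-Path $workDir 'request.inf'
$csrPath = Join-Path $workDir 'csr.txt'
Remove-Item -Path $csrPath -ErrorAction SilentlyContinue   # avoid an overwrite prompt

# certreq policy file mirroring the wizard pages: distinguished name,
# Microsoft RSA SChannel Cryptographic Provider, 2048-bit key.
@'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=www.example.com, O=Example Company, OU=IT, L=Example City, S=Example State, C=US"
KeyLength = 2048
KeySpec = 1
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = sha256
'@ | Set-Content -Path $infPath -Encoding ASCII

# Generate the key pair in the machine store and write the CSR (run elevated).
certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Review what will be sent to the CA before pasting it into the order form.
certutil.exe -dump $csrPath | Select-String -Pattern 'Subject:', 'CN=', 'Public Key Length'

# The file must carry the BEGIN/END tags that the order form expects.
$text = Get-Content -Path $csrPath -Raw
if ($text -notmatch '-----BEGIN NEW CERTIFICATE REQUEST-----' -or
    $text -notmatch '-----END NEW CERTIFICATE REQUEST-----') {
    throw "CSR at $csrPath is missing its BEGIN/END tags"
}
Write-Output "CSR written to $csrPath"
```

The private key stays in the server's machine key store; only csr.txt is sent to the CA.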

2. IIS 10: How to Install and Configure Your SSL Certificate on Windows Server 2016

If you have not yet created a CSR and ordered your certificate, see IIS 10: How to Create Your CSR Windows Server 2016.

After we validate and issue your SSL certificate, you need to install it on the Windows 2016 server where the CSR was generated. Then, you need to configure the server to use it.

(Single Certificate) How to install your SSL certificate and configure the server to use it

Install SSL Certificate

  1. On the server where you created the CSR, save the SSL certificate .cer file (e.g., your_domain_com.cer) that DigiCert sent to you.
  2. In the Windows start menu, type Internet Information Services (IIS) Manager and open it.
  3. In Internet Information Services (IIS) Manager, in the Connections menu tree (left pane), locate and click the server name.
  4. On the server name Home page (center pane), in the IIS section, double-click Server Certificates.
  5. On the Server Certificates page (center pane), in the Actions menu (right pane), click the Complete Certificate Request… link.
  6. In the Complete Certificate Request wizard, on the Specify Certificate Authority Response page, do the following and then click OK:
    • File name containing the certificate authority’s response: Click the box and browse to and select the .cer file (e.g., your_domain_com.cer) that DigiCert sent to you.
    • Friendly name: Type a friendly name for the certificate. The friendly name is not part of the certificate; instead, it is used to identify the certificate. We recommend that you add DigiCert and the expiration date to the end of your friendly name, for example: yoursite-digicert-(expiration date). This information helps identify the issuer and expiration date for each certificate. It also helps distinguish multiple certificates with the same domain name.
    • Select a certificate store for the new certificate: In the drop-down list, select Web Hosting.
  7. Now that you’ve successfully installed your SSL certificate, you need to assign the certificate to the appropriate site.
  8. In Internet Information Services (IIS) Manager, in the Connections menu tree (left pane), expand the name of the server on which the certificate was installed. Then expand Sites and click the site you want to use the SSL certificate to secure.
  9. On the website Home page, in the Actions menu (right pane), under Edit Site, click the Bindings… link.
  10. In the Site Bindings window, click Add.
  11. In the Add Site Bindings window, do the following and then click OK:
    • Type: In the drop-down list, select https.
    • IP address: In the drop-down list, select the IP address of the site or select All Unassigned.
    • Port: Type port 443. The port over which traffic is secured by SSL is port 443.
    • SSL certificate: In the drop-down list, select your new SSL certificate (e.g., yourdomain.com).
  12. Your SSL certificate is now installed, and the website configured to accept secure connections.

(Multiple Certificates) How to install your SSL certificates and configure the server to use them using SNI

These instructions explain how to install multiple SSL certificates and assign them using SNI. The process is split into two parts as follows:

Install First SSL Certificate

Do this first set of instructions only once, for the first SSL certificate.

  1. On the server where you created the CSR, save the SSL certificate .cer file (e.g., your_domain_com.cer) that DigiCert sent to you.
  2. In the Windows start menu, type Internet Information Services (IIS) Manager and open it.
  3. In Internet Information Services (IIS) Manager, in the Connections menu tree (left pane), locate and click the server name.
  4. On the server name Home page (center pane), in the IIS section, double-click Server Certificates.
  5. On the Server Certificates page (center pane), in the Actions menu (right pane), click the Complete Certificate Request… link.
  6. In the Complete Certificate Request wizard, on the Specify Certificate Authority Response page, do the following and then click OK:
    • File name containing the certificate authority’s response: Click the box and browse to and select the .cer file (e.g., your_domain_com.cer) that DigiCert sent to you.
    • Friendly name: Type a friendly name for the certificate. The friendly name is not part of the certificate; instead, it is used to identify the certificate. We recommend that you add DigiCert and the expiration date to the end of your friendly name, for example: yoursite-digicert-(expiration date). This information helps identify the issuer and expiration date for each certificate. It also helps distinguish multiple certificates with the same domain name.
    • Select a certificate store for the new certificate: In the drop-down list, select Web Hosting.
  7. Now that you’ve successfully installed your SSL certificate, you need to assign the certificate to the appropriate site.
  8. In Internet Information Services (IIS) Manager, in the Connections menu tree (left pane), expand the name of the server on which the certificate was installed. Then expand Sites and click the site you want to use the SSL certificate to secure.
  9. On the website Home page, in the Actions menu (right pane), under Edit Site, click the Bindings… link.
  10. In the Site Bindings window, click Add.
  11. In the Add Site Bindings window, do the following and then click OK:
    • Type: In the drop-down list, select https.
    • IP address: In the drop-down list, select the IP address of the site or select All Unassigned.
    • Port: Type port 443. The port over which traffic is secured by SSL is port 443.
    • SSL certificate: In the drop-down list, select your new SSL certificate (e.g., yourdomain.com).
  12. Your first SSL certificate is now installed, and the website configured to accept secure connections.

Install Additional SSL Certificates

To install and assign each additional SSL certificate, repeat the steps below, as needed.

  1. On the server where you created the CSR, save the SSL certificate .cer file (e.g., your_domain_com.cer) that DigiCert sent to you.
  2. In the Windows start menu, type Internet Information Services (IIS) Manager and open it.
  3. In Internet Information Services (IIS) Manager, in the Connections menu tree (left pane), locate and click the server name.
  4. On the server name Home page (center pane), in the IIS section, double-click Server Certificates.
  5. On the Server Certificates page (center pane), in the Actions menu (right pane), click the Complete Certificate Request… link.
  6. In the Complete Certificate Request wizard, on the Specify Certificate Authority Response page, do the following and then click OK:
    • File name containing the certificate authority’s response: Click the box and browse to and select the .cer file (e.g., your_domain_com.cer) that DigiCert sent to you.
    • Friendly name: Type a friendly name for the certificate. The friendly name is not part of the certificate; instead, it is used to identify the certificate. We recommend that you add DigiCert and the expiration date to the end of your friendly name, for example: yoursite-digicert-(expiration date). This information helps identify the issuer and expiration date for each certificate. It also helps distinguish multiple certificates with the same domain name.
    • Select a certificate store for the new certificate: In the drop-down list, select Web Hosting.
  7. Now that you’ve successfully installed your SSL certificate, you need to assign the certificate to the appropriate site.
  8. In Internet Information Services (IIS) Manager, in the Connections menu tree (left pane), expand the name of the server on which the certificate was installed. Then expand Sites and click the site you want to use the SSL certificate to secure.
  9. On the website Home page, in the Actions menu (right pane), under Edit Site, click the Bindings… link.
  10. In the Site Bindings window, click Add.
  11. In the Add Site Bindings window, do the following and then click OK:
    • Type: In the drop-down list, select https.
    • IP address: In the drop-down list, select the IP address of the site or select All Unassigned.
    • Port: Type port 443. The port over which traffic is secured by SSL is port 443.
    • Host name: Type the host name that you want to secure.
    • Require Server Name Indication: After you enter the host name, check this box. This is required for all additional certificates/sites, after you’ve installed the first certificate and secured the primary site.
    • SSL certificate: In the drop-down list, select an additional SSL certificate (e.g., yourdomain2.com).
  12. You have successfully installed another SSL certificate and configured the website to accept secure connections.

Test Installation
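
One way to check the bindings described above, as an added example that is not part of the original instructions: connect to the server once per host name and report which certificate comes back for that SNI value. The function name Get-ServedCertificate and the address 192.0.2.10 are assumptions of this example; the host names are the placeholders used in the steps above.

```powershell
# Added example (not from the original instructions): report which certificate
# the server presents for each host name sent in the TLS SNI extension.
function Get-ServedCertificate {
    param(
        [Parameter(Mandatory)][string]$Server,    # address of the IIS server
        [Parameter(Mandatory)][string]$HostName,  # name sent as SNI
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Server, $Port)
        # Accept whatever is presented: the goal is to inspect it, not to trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        } finally { $ssl.Dispose() }
    } finally { $tcp.Dispose() }

    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
    [pscustomobject]@{
        HostName    = $HostName
        DnsName     = $cert.GetNameInfo($nameType, $false)  # a DNS name from the certificate
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
        DaysLeft    = [int]($cert.NotAfter - (Get-Date)).TotalDays
        Thumbprint  = $cert.Thumbprint
        # Chain build on the machine running the test, using its default policy.
        ChainBuilds = $cert.Verify()
    }
}

# Placeholder values: the server address and the host names from the bindings.
'yourdomain.com', 'yourdomain2.com' |
    ForEach-Object { Get-ServedCertificate -Server '192.0.2.10' -HostName $_ } |
    Format-Table HostName, DnsName, NotAfter, DaysLeft, ChainBuilds -AutoSize
```

If an additional site returns the first site's certificate, check that its binding has the host name filled in and Require Server Name Indication checked.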


Manually install an SSL certificate on my IIS 10 server

Convert your .crt file to a .cer file

  1. Locate your downloaded .crt file, and double-click to open it.
  2. Select the Details tab, and then the Copy to File button.
  3. Select Next in the Certificate Wizard.
  4. Select Base-64 encoded X.509 (.CER) and then select Next.
  5. Select Browse, locate where you want to save your .CER file, and type in a name for your certificate.
  6. Select Next and then Finish.

Copy your certificate files onto the server

  1. Find the directory on your server where certificate and key files are stored, then upload your intermediate certificate (gd_iis_intermediates.p7b or similar) and primary certificate (.cer file that you just converted) into that folder.

Add a Certificate Snap-in to the Microsoft Management Console (MMC)

  1. Click on your Start Menu, then click Run.
  2. In the prompt, type mmc and click OK.
  3. Click File, then click Add/Remove Snap-in.
  4. On the new window, click the Add button.
  5. On the new window, select Certificates and click Add.
  6. Select Computer account for the snap-in and click Next.
  7. Click Local computer and click Finish.
  8. Click Close on the Add Standalone Snap-in window.
  9. Click OK on the Add/Remove Snap-in window.

Import the Intermediate SSL Certificate

  1. In the MMC Console, click to expand Certificates (Local Computer).
  2. Right click on the Intermediate Certification Authorities folder, hover over All Tasks and click Import.
  3. On the new window, click Next.
  4. Click Browse, find your gd_iis_intermediates.p7b intermediate certificate file and click Open.
  5. Click Next, verify that the certificate information is proper and click Finish.
  6. Close the "The import was successful" notification.

Install your SSL certificate

  1. Click on your Start Menu, then click Run.
  2. In the prompt, type inetmgr and click OK to launch the Internet Information Services (IIS) Manager.
  3. Under the Connections panel on the left, click on your Server Name.
  4. In the main panel under the IIS section, double click on Server Certificates.
  5. Under the Actions panel on the right, click Complete Certificate Request.
  6. On the new window, click to browse, find your previously uploaded primary certificate file and click Open.
  7. Add a Friendly name to easily identify this certificate in the future.
  8. In the certificate store option, select Web Hosting and click OK.

Bind the SSL certificate

  1. Under the Connections panel on the left, click to expand the Sites folder.
  2. Click the Site Name that you plan to install the SSL certificate onto.
  3. Under the Actions panel on the right, find the Edit Site section and click Bindings.
  4. On the new window, click Add and fill out the following information:
    • Type: select https.
    • IP Address: select All Unassigned.
    • Port: type in 443.
    • Host name: leave this empty.
    • SSL Certificate: select your recently installed SSL.
  5. Click OK to confirm, then Close for the Site Bindings window.

Restart IIS

  1. Under the Actions panel on the right, find the Manage Website section and click Restart.

Redirect HTTP to HTTPS with Windows IIS 10

  • Download and install the IIS URL Rewrite module, then launch IIS Manager.
  • Select the website you want to apply redirection to, then double-click URL Rewrite.
  • Click Add Rule(s)…
  • Select Blank rule in the Inbound rules section, then click the OK button.
  • Give your redirect an easy-to-remember name.
  • In the Matched URL section:
    • Set Requested URL: to Matches the Pattern.
    • Set Using to Regular Expressions.
    • Enter (.*) as the Pattern.
    • Check Ignore case.
  • Scroll down to Conditions and expand the section if necessary. Select Match All for Logical grouping, then click the Add… button.
  • A dialog box will open:
    • Type {HTTPS} in the Condition input field.
    • Set Check if input string to Matches the Pattern.
    • Type ^OFF$ in the Pattern field.
    • Check Ignore case.
    • Click the OK button.
  • You should now see your condition in the list.
  • Scroll down to the Action section and enter these settings:
    • Select Redirect as the Action type.
    • Type https://{HTTP_HOST}/{REQUEST_URI} in the Rewrite URL field.
    • Uncheck Append query string.
    • Set Redirect type to Permanent (301).
  • Click Apply in the right-hand Actions menu.
  • You can now check your redirect in a web browser. If there are any problems, you can check the site’s web.config file to make sure it contains the correct information. In IIS Manager, right-click your site and choose Explore from the menu.
  • Confirm that the file web.config exists, then open it in a text editor.
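
To make that web.config check repeatable, the following added example (not part of the original post) reads the rewrite rules and compares them with the settings entered above. The embedded $sample document is constructed for illustration, and the function name Test-HttpsRedirectRule and the rule name are assumptions; attributes missing from a real file are treated as the URL Rewrite defaults.

```powershell
# Added example: check a site's web.config against the redirect settings above.
# $sample is a constructed web.config; pass -Path to check a real file instead.
$sample = @'
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Redirect to HTTPS" stopProcessing="true">
          <match url="(.*)" ignoreCase="true" />
          <conditions logicalGrouping="MatchAll">
            <add input="{HTTPS}" pattern="^OFF$" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{REQUEST_URI}"
                  appendQueryString="false" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
'@

function Test-HttpsRedirectRule {
    param([string]$Path)
    [xml]$doc = if ($Path) { Get-Content -Path $Path -Raw } else { $sample }
    foreach ($rule in $doc.SelectNodes('/configuration/system.webServer/rewrite/rules/rule')) {
        $cond   = $rule.SelectSingleNode("conditions/add[@input='{HTTPS}']")
        $action = $rule.SelectSingleNode("action[@type='Redirect']")
        if (-not $cond -or -not $action) { continue }   # not an HTTPS redirect rule
        $match = $rule.SelectSingleNode('match')
        [pscustomobject]@{
            Rule            = $rule.GetAttribute('name')
            MatchesAllUrls  = $match.GetAttribute('url') -eq '(.*)'
            HttpsOffOnly    = $cond.GetAttribute('pattern') -ieq '^OFF$'
            TargetIsHttps   = $action.GetAttribute('url') -like 'https://{HTTP_HOST}*'
            # redirectType defaults to Permanent when the attribute is absent.
            Permanent301    = $action.GetAttribute('redirectType') -in '', 'Permanent'
            # appendQueryString defaults to true, so it must be set to false explicitly.
            NoAppendedQuery = $action.GetAttribute('appendQueryString') -eq 'false'
        }
    }
}

Test-HttpsRedirectRule | Format-List
```

{REQUEST_URI} already begins with "/" and carries the query string, which is why Append query string is unchecked; it also means the Rewrite URL above yields a double slash after the host, and https://{HTTP_HOST}{REQUEST_URI} is the form without it.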


Activate Windows from command line

Open cmd as an administrator, then type the command below:

cscript c:\windows\system32\slmgr.vbs /ipk <enter key here>


Synchronize time with external NTP server on Windows Server

NTP synchronization is an important aspect for all computers on the network. By default, the client computers get their time from a Domain Controller and the Domain Controller gets its time from the domain’s PDC Operation Master. Therefore the PDC must synchronize its time from an external source. I usually use the servers listed at the NTP Pool Project website. Before you begin, don’t forget to open the default UDP 123 port (from LAN to WAN) on your firewall.

1) First, locate your PDC Server. Open the command prompt and type:

netdom query fsmo

2) Log in to your PDC and open the command prompt as the Administrator

3) Stop the w32Time Service

net stop w32time

4) Configure the external time sources, type

w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org"

5) Make your PDC a reliable time source for the clients

w32tm /config /reliable:yes

6) Start the w32time Service

net start w32time

7) Check the server's time configuration

w32tm /query /configuration

8) Check the Event Viewer for any errors

More helpful w32tm commands

Force synchronizing the time asap

w32tm /resync /nowait

Display time source

w32tm /query /source

Display list of all configured NTP servers and their status

w32tm /query /peers

Display time service status, i.e., whether it is getting time from the local CMOS clock or an external NTP server

w32tm /query /status

The Windows Time Service logs several events in the Windows System log, which can be viewed in the Event Viewer application.
