PKI: Applying Renewed TLS (SSL) Certificate on Internet Information Services (IIS) 7 and Above


This article has not been updated recently and may contain dated material.

This article goes through the steps of implementating a renewed TLS (SSL) certificate for Microsoft Internet Information Services (IIS) version 7 and above.

1. Download the renewed certificate from https://pki.its.lsu.edu and move it to the target server. Download the Certificate Only option.

2. Double click on the downloaded certificate file. Go to the Details tab and click on Serial number. In the information pane, highlight and copy (CTRL + C) the serial number and paste it into notepad. The serial number will be needed later:

Serial number on the Details tab,
 

3. Open the Command Prompt (cmd) as administrator. For Server 2012 and 2012R2, press Windows Key + x then select Command Prompt (Admin) on the popup menu. For Server 2008 and 2008R2, click the Start button and search for cmd. Next, right click on Command Prompt and click on Run as administrator:

Run as adminastrator option
 

NOTE: The Command Prompt must be running as administrator before continuing.

4. In the Command Prompt, type mmc then press Enter.

5. In Microsoft Management Console, click File -> Add/Remove Snap-in...

Add / Remove Snap in option
 

6. In the Add or Remove Snap-ins window, click on Certificates then click the Add button:

Add Certifications on the Snaps window
 

7. Select Computer account then click Next:

computer account fieldbox
 

8. If you're already on the target server, simply click Next:


 

9. Click OK to close the Add or Remove Snap-ins window:

Add or Remove Snap-ins
 

10. Expand Certificates (Local Computer) -> Personal folder, right click on Certificates folder, go to All Tasks, and click on Import...

All tasks command on the drop down
 

11. Click Next on the Certificate Import Wizard welcome screen:

Certificate Import Wizard welcome screen
 

12. Click the Browse button, browse to the location of the downloaded certificate file in step 1, then click Next:

 Browse button on the File to Import screen
 

13. In most cases, take the default option for the certificate store and click Next:

Certificate store window
 

14. Click Finish on the summary window:

Completeting import window
 

15. Back to the Administrator Command Prompt window opened earlier. Type certutil -repairstore my serialnumber Where serialnumber is the serial number of the certificate copied to notepad earlier. Remove all spaces:

Administrator Command Prompt window
 

NOTE: The serial number in the picture above is just an example. Your certificate's serial number will be different.

16. Press Enter. Make sure certutil returns this line: CertUtil:  -repairstore command completed successfully.

CertUtil:  -repairstore command completed successfully message
 

NOTE: If certutil is not successfull, make sure that the serial number is correct and that the certificate is correct for the server.

17. Open Internet Information Services (IIS) Manager. On the left, expand Sites and select the appropriate site. On the right, click Bindings...(1). In the Site Bindings popup window, click on the appropriate port (commonly https 443) (2), then click the Edit(3) button:

Internet Information Services (IIS) Manager
 

18. In the Edit Site Binding dialog box, click on the drop down under SSL certificate and select the certificate that was just imported. If there are multiple certificates, select one and click View... Compare the serial number of the selected certificate with the serial number in step 2 to make sure the correct certificate is selected.

Edit Site Binding dialog box
 

19. Click OK to close the Edit Site Binding dialog box and click Close on the Site Bindings window.

20. On the right hand side and under Manage Web Site, click Restart to restart IIS.

 

18039
12/6/2017 8:36:58 AM