Article Reference: https://www.digicert.com/kb/csr-ssl-installation/iis-8-and-8.5.htm
IIS 8 and IIS 8.5: Create CSR and Install SSL Certificate
Creating a CSR and installing your SSL Certificate on Windows Server 2012
Use the instructions on this page to create your certificate signing request (CSR) and then to install your SSL certificate in IIS 8 on Windows Server 2012 or IIS 8.5 on Windows Server 2012 R2.
- To create your CSR, see IIS 8 and IIS 8.5: How to Create Your CSR on Windows Server 2012.
- To install your SSL certificate, see IIS 8 and IIS 8.5: How to Install and Configure Your SSL Certificate on Windows Server 2012.
If you are looking for a simpler way to create CSRs and install and manage your SSL Certificates, we recommend using the DigiCert® Certificate Utility for Windows. You can use the DigiCert Utility to generate your CSR and install your SSL certificate. See Windows Server 2012: Create CSR & Install SSL Certificate with DigiCert Utility.
Step 1: Create Your CSR in IIS 8 or IIS 8.5 on Windows Server 2012
-
From the Start screen, find Internet Information Services (IIS) Manager and open it.
-
In the Connections pane, locate and click the server.
-
In the server Home page (center pane) under the IIS section, double-click Server Certificates.
-
In the Actions menu (right pane), click Create Certificate Request.
-
In the Request Certificate wizard, on the Distinguished Name Properties page, provide the information specified below and then click Next.
Common name: The fully-qualified domain name (FQDN) (e.g., www.example.com). Organization: Your company’s legally registered name (e.g., YourCompany, Inc.). Organizational unit: The name of your department within the organization. This entry will usually be listed as "IT", "Web Security", or is simply left blank. City/locality: The city where your company is legally located. State/province: The state/province where your company is legally located. Country/region: The country/region where your company is legally located. Use the drop-down list to select your country. -
On the Cryptographic Service Provider Properties page, provide the information specified below and then click Next.
Cryptographic service provider: In the drop-down list, select Microsoft RSA SChannel Cryptographic Provider (unless you have a specific cryptographic provider). Bit length: In the drop-down list, select 2048 (unless you have a specific reason for using a larger bit length). -
On the File Name page, under Specify a file name for the certificate request, click the … button to specify a save location for your CSR.
Note: Remember the filename and save location of your CSR file. If you enter a filename without specifying a location, your CSR will be saved to C:\Windows\System32.
-
When you are done, click Finish.
-
Open the CSR file using a text editor (such as Notepad), then copy the text (including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags) and paste it into the DigiCert order form.
-
After you receive your SSL certificate from DigiCert, you can install it.
Step 2: Install and Configure Your SSL Certificate in IIS 8 or IIS 8.5 on Windows Server 2012
If you have not yet created a CSR and ordered your certificate, see IIS 8 and IIS 8.5: How to Create Your CSR on Windows Server 2012.
After we validate and issue your SSL certificate, you need to install it on the Windows 2012 server where the CSR was generated. Then, you need to configure the server to use it.
- (Single Certificate) How to install and configure your SSL certificate
- (Multiple Certificates) How to install and configure your SSL certificate using SNI
(Single Certificate) How to install your SSL certificate and configure the server to use it
Install Your SSL Certificate
-
On the server where you created the CSR, save the SSL certificate .cer file (e.g., your_domain_com.cer) that you received from DigiCert.
-
From the Start screen, find Internet Information Services (IIS) Manager and open it.
-
In the Connections pane, locate and click the server.
-
In the server Home page (center pane) under the IIS section, double-click Server Certificates.
-
In the Actions menu (right pane), click Complete Certificate Request.
-
In the Complete Certificate Request wizard, on the Specify Certificate Authority Response page, provide the following information:
File name containing the certificate authority's response: Click the … button to locate the .cer file you received from DigiCert
(e.g., your_domain_com.cer).Friendly name: Type a friendly name for the certificate. This is not part of the certificate; instead, it is used to identify the certificate.
Note: We recommend that you add the issuing CA (e.g., DigiCert) and the expiration date to the end of your friendly name; for example, yoursite-digicert-(expiration date). Doing this helps identify the issuer and expiration date for each certificate and also helps distinguish multiple certificates with the same domain name.Select a certificate store for the new certificate: In the drop-down list, select Personal. -
Click OK to install the certificate.
-
Now that you've successfully installed your SSL certificate, you need to configure your site to use it.
Assign Your SSL Certificate
-
In Internet Information Services (IIS) Manager, in the Connections pane, expand the name of the server on which the certificate was installed. Then expand Sites and click the site you want to secure using the SSL certificate.
-
In the Actions menu (right pane), click Bindings.
-
In the Site Bindings window, click Add.
-
In the Add Site Binding window, do the following and then click OK.
Type: In the drop-down list, select https. IP address: In the drop-down list, select the IP address of the site or select All Unassigned. Port: Type 443. (SSL uses port 443 to secure traffic.) SSL certificate: In the drop-down list, select your new SSL certificate (e.g., yourdomain.com). -
Your SSL certificate is now installed, and the website is configured to accept secure connections.
Note: To enable your SSL certificate for use on other Windows servers, see PFX export instructions.
(Multiple Certificates) How to install your SSL certificates and configure the server to use them using SNI
These instructions explains how to install multiple SSL certificates and assign them using SNI. The process is split into two parts as follows:
Install First SSL Certificate
Do this first set of instructions only once (for the first SSL certificate).
-
On the server where you created the CSR, save the SSL certificate .cer file (e.g., your_domain_com.cer) that you received from DigiCert.
-
From the Start screen, find Internet Information Services (IIS) Manager and open it.
-
In the Connections pane, locate and click the server.
-
In the server Home page (center pane) under the IIS section, double-click Server Certificates.
-
In the Actions menu (right pane), click Complete Certificate Request.
-
In the Complete Certificate Request wizard, on the Specify Certificate Authority Response page, provide the following information:
File name containing the certificate authority's response: Click the … button to locate the .cer file you received from DigiCert
(e.g., your_domain_com.cer).Friendly name: Type a friendly name for the certificate. This is not part of the certificate; instead, it is used to identify the certificate.
Note: We recommend that you add the issuing CA (e.g., DigiCert) and the expiration date to the end of your friendly name; for example, yoursite-digicert-(expiration date). Doing this helps identify the issuer and expiration date for each certificate and also helps distinguish multiple certificates with the same domain name.Select a certificate store for the new certificate: In the drop-down list, select Web Hosting. -
Click OK to install the certificate.
Note: There is a known issue in IIS 8 where clicking OK throws a Failed to remove the certificate error. If this is the same server that you generated the CSR on, the error can usually be ignored. Simply click OK and press F5 to refresh the list of server certificates. If the new certificate appears in the list, then it was installed successfully; however, you may want to make sure the certificate is also in the Web Hosting certificate store. If the certificate does not appear in the Web Hosting certificate store, you can manually move it there (see Move Certificate to Another Certificate Store).
If the certificate does not appear on the list after refreshing, you will need to reissue your certificate using a new CSR (see IIS 8 and IIS 8.5: How to Create Your CSR on Windows Server 2012). After creating a new CSR, you will need to re-key your certificate. -
Now that you've successfully installed your SSL certificate, you need to configure your site to use it.
-
In Internet Information Services (IIS) Manager, in the Connections pane, expand the name of the server on which the certificate was installed. Then expand Sites and click the site you want to secure using the SSL certificate.
-
In the Actions menu (right pane), click Bindings.
-
In the Site Bindings window, click Add.
-
In the Add Site Binding window, do the following and then click OK.
Type: In the drop-down list, select https. IP address: In the drop-down list, select the IP address of the site or select All Unassigned. Port: Type 443. (SSL uses port 443 to secure traffic.) SSL certificate: In the drop-down list, select the SSL certificate you installed in Step 7 (e.g., yourdomain.com). -
Your first SSL certificate is now installed, and the website is configured to accept secure connections.
Install Additional SSL Certificates
To install and assign each additional SSL certificate, repeat the steps below (as needed).
-
On the server where you created the CSR, save the SSL certificate .cer file (e.g., your_domain_com.cer) that you received from DigiCert.
-
From the Start screen, find Internet Information Services (IIS) Manager and open it.
-
In the Connections pane, locate and click the server.
-
In the server Home page (center pane) under the IIS section, double-click Server Certificates.
-
In the Actions menu (right pane), click Complete Certificate Request.
-
In the Complete Certificate Request wizard, on the Specify Certificate Authority Response page, provide the following information:
File name containing the certificate authority's response: Click the … button to locate the .cer file you received from DigiCert
(e.g., your_domain_com.cer).Friendly name: Type a friendly name for the certificate. This is not part of the certificate; instead, it is used to identify the certificate.
Note: We recommend that you add the issuing CA (e.g., DigiCert) and the expiration date to the end of your friendly name; for example, yoursite-digicert-(expiration date). Doing this helps identify the issuer and expiration date for each certificate and also helps distinguish multiple certificates with the same domain name.Select a certificate store for the new certificate: In the drop-down list, select Web Hosting. -
Click OK to install the certificate.
-
Now that you've successfully installed your SSL certificate, you need to configure your site to use it.
-
In Internet Information Services (IIS) Manager, in the Connections pane, expand the name of the server on which the certificate was installed. Then expand Sites and click the site you want to secure using the SSL certificate.
-
In the Actions menu (right pane), click Bindings.
-
In the Site Bindings window, click Add.
-
In the Add Site Binding window, do the following and then click OK.
Type: In the drop-down list, select https. IP address: In the drop-down list, select the IP address of the site or select All Unassigned. Port: Type 443. (SSL uses port 443 to secure traffic.) Host name: Type the host name that you want to secure. Require server name indication: Select this checkbox after you enter the host name.
Note: This option is required for any additional certificates/sites after installing the first certificate on the primary site.SSL certificate: In the drop-down list, select the SSL certificate you installed in Step 7 (e.g., yourdomain.com). -
You have successfully installed another SSL certificate and configured the website to accept secure connections.
Test Installation
If your website is publicly accessible, our DigiCert® SSL Installation Diagnostic Tool can help you diagnose common problems.