Microsoft IIS 7 – Guide to Installing Root Certificates, … · 2015-01-22
Trustis Limited
Building 273 New Greenham Park Greenham Common Thatcham RG19 6HN
E: [email protected] W: www.trustis.com
Registered in England No: 03613613
Microsoft IIS 7– Guide to Installing Root Certificates,
Generating CSR and Installing certificate
Copyright ©
Trustis Limited 2010. All rights reserved.
T-0104-003-AP-001 IIS7 guide - V0.1.docx Page 2 of 17
© Trustis Limited 2010
Table of Contents
1 Introduction
2 Installing the Root & Intermediate Certificates:
2.1 Installing the Root CA Certificate
2.2 Installing the Issuing CA Certificate
3 Certificate Signing Request (CSR) Generation
4 Installing your SSL Server Certificate
1 Introduction
This document gives instructions for installing the Root and Intermediate certificates, generating your CSR, and installing your certificate.
2 Installing the Root & Intermediate Certificates:
Firstly, you need to download the CA certificates (both the Root CA certificate and the Issuing Authority certificate) as individual files:
• DER format Root CA certificate – found at http://www.trustis.com/pki/healthcare/ops/fpsroot-der.crt
• DER format Healthcare TT Issuing Authority certificate – found at http://www.trustis.com/pki/healthcare/ops/healthcarett-der.crt
To install these certificates, you must first enable the Certificates Snap-in for the Microsoft Management Console (mmc):
1. Click the Start Button then select Run and type mmc
2. Click File and select Add/Remove Snap-in
3. Select Certificates from the Available Snap-ins box and click Add
4. Select Computer Account and click Next
5. Select Local Computer and click Finish
6. Click OK to close the Add or Remove Snap-ins box
7. Return to the MMC
2.1 Installing the Root CA Certificate
1. Right click the Trusted Root Certification Authorities. Select All Tasks, select Import.
This starts the certificate import wizard
2. Click Next. The File to Import dialog is shown.
3. Locate the Root CA Certificate file you downloaded earlier and click Next.
4. Click Next to Confirm the location of the Certificate
5. When the wizard is completed, click Finish. Click OK to close the small ‘Import successful’ message.
2.2 Installing the Issuing CA Certificate
1. Right click the Intermediate Certification Authorities. Select All Tasks, select Import.
2. Complete the import wizard again, but this time locating the Issuing CA Certificate when prompted for the Certificate file.
When both certificates have been installed:
• Ensure that the Root CA certificate appears under Trusted Root Certification Authorities
• Ensure that the Issuing CA certificate appears under Intermediate Certification Authorities
Close the MMC
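The two CA files are fetched over plain HTTP and then trusted machine-wide, so it is worth checking them before the import. The following is an added example, not part of the Trustis guide: it compares each file's SHA-256 fingerprint with a value obtained from the CA through a separate channel, checks that the issuing CA names the root as its issuer, and only then adds the certificates to the two stores used above. The file paths and expected fingerprints are placeholders.

```powershell
# Added example, run from an elevated PowerShell prompt.
# Paths and expected fingerprints are placeholders, not values from the guide.
$rootFile        = 'C:\Temp\fpsroot-der.crt'
$issuingFile     = 'C:\Temp\healthcarett-der.crt'
$expectedRoot    = '<ROOT-CA-SHA256-FROM-TRUSTED-CHANNEL>'
$expectedIssuing = '<ISSUING-CA-SHA256-FROM-TRUSTED-CHANNEL>'

function Get-Sha256Fingerprint($cert) {
    # SHA-256 over the DER encoding, as hex without separators
    $hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData)
    [BitConverter]::ToString($hash) -replace '-', ''
}

function Assert-Fingerprint($cert, $expected, $label) {
    $actual = Get-Sha256Fingerprint $cert
    # Accept expected values written with colons or spaces; -ne ignores case
    if ($actual -ne ($expected -replace '[:\s]', '')) {
        throw "$label fingerprint mismatch, got $actual"
    }
}

function Add-ToMachineStore($cert, $storeName) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }
}

$x509    = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$root    = New-Object $x509 $rootFile
$issuing = New-Object $x509 $issuingFile

# 1. Each file must match a fingerprint obtained independently of the download.
Assert-Fingerprint $root    $expectedRoot    'Root CA'
Assert-Fingerprint $issuing $expectedIssuing 'Issuing CA'

# 2. Structural checks: the root is self-issued and the issuing CA names it as issuer.
if ($root.Subject -ne $root.Issuer)    { throw 'Root CA certificate is not self-issued' }
if ($issuing.Issuer -ne $root.Subject) { throw 'Issuing CA certificate was not issued by this root' }

# 3. Only now place them in the stores the guide names.
Add-ToMachineStore $root    'Root'   # Trusted Root Certification Authorities
Add-ToMachineStore $issuing 'CA'     # Intermediate Certification Authorities
```

The name comparison in step 2 is a sanity check only; the fingerprint comparison in step 1 is what establishes trust in the files.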
3 Certificate Signing Request (CSR) Generation
A CSR is a file containing your IIS SSL certificate application information, including your Public Key. Generate your CSR and then copy and paste the CSR file into the webform in the enrolment process:
1. Select Administrative Tools
2. Start Internet Information Services (IIS) Manager
3. Click on the Server in the left hand pane. On the right, you should see an icon called Server Certificates. Double click on this.
4. On the far right of the window, there will appear a set of Actions. Click on Create Certificate Request...
5. A Request Certificate window will appear. Complete the fields. The Common Name field should be the Fully Qualified Domain Name (FQDN) or the web address for which you plan to use your IIS SSL Certificate, e.g. the area of your site you wish customers to connect to using SSL. For example, an Instant SSL Certificate issued for trustis.com will not be valid for www.trustis.com. If the web address to be used for SSL is www.trustis.com, ensure that the common name submitted in the CSR is www.trustis.com. Click Next.
6. For Cryptographic service provider, choose Microsoft RSA SChannel Cryptographic Provider. For Bit length, choose 2048. Click Next.
7. Enter a filename and location to save your CSR. You will need this CSR to enrol for your IIS SSL Certificate. Click Finish.
8. When you make your application, make sure you paste the CSR in its entirety into the appropriate section of the enrolment form, including -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST-----
For example:
-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----
9. Click Next
10. Confirm your details in the enrolment form
11. Finish
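The same request can be produced from the command line with certreq, which makes the Common Name, provider and key length repeatable and checkable before submission. This is an added example, not part of the Trustis guide: the file paths and the subject fields other than the Common Name are sample values, Exportable = FALSE is a choice made in this example rather than a setting the guide specifies, and the certutil output matching assumes an English-language Windows installation.

```powershell
# Added example: scripted equivalent of the Create Certificate Request wizard.
$fqdn    = 'www.trustis.com'       # exact host name clients will connect to
$infPath = 'C:\Temp\request.inf'   # sample working paths
$csrPath = 'C:\Temp\request.csr'

@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject       = "CN=$fqdn, O=Your Company Name, L=My City, S=My State, C=GB"
KeyLength     = 2048
KeySpec       = 1
MachineKeySet = TRUE
Exportable    = FALSE
ProviderName  = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType  = 12
RequestType   = PKCS10
"@ | Set-Content -Path $infPath -Encoding ASCII

certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Check the request before pasting it into the enrolment form.
$pem = Get-Content $csrPath
if ($pem[0] -ne '-----BEGIN NEW CERTIFICATE REQUEST-----') { throw 'Unexpected CSR header line' }
$dump = certutil.exe -dump $csrPath | Out-String
if ($dump -notmatch ([regex]::Escape("CN=$fqdn")))  { throw 'CSR subject does not contain the intended FQDN' }
if ($dump -notmatch 'Public Key Length: 2048 bits') { throw 'CSR key is not 2048 bits' }
```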
4 Installing your SSL Server Certificate
When your certificate request has been approved, you will receive an email from the Registration Authority containing a link to a location where your certificate may be obtained. Clicking on this link will bring up a browser window that contains the details of your issued certificate and includes a section that looks something like the following:
-----BEGIN CERTIFICATE-----
MIAGCSqGSIb3DQEHAqCAMIACAQExADALBgkqhkiG9w0BBwGggDCCAmowggHXAhAF
UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAUAMF8xCzAJBgNVBAYTAlVTMSAw
(.......)
E+cFEpf0WForA+eRP6XraWw8rTN8102zGrcJgg4P6XVS4l39+l5aCEGGbauLP5W6
K99c42ku3QrlX2+KeDi+xBG2cEIsdSiXeQS/16S36ITclu4AADEAAAAAAAAA
-----END CERTIFICATE-----
Copy everything you see between and including the lines that look like -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
Paste the copied certificate into an appropriately named text file, e.g. myserver.crt
1. Select Administrative Tools
2. Start Internet Information Services (IIS) Manager
3. Click on the Server in the left hand pane. On the right, double click on Server Certificates.
4. On the far right of the window, there will appear a set of Actions. Click on Complete Certificate Request...
5. Enter the location details and a Friendly Name for the file you just created. Click OK.
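Once the request has been completed, the result can be checked from PowerShell. This is an added example, not part of the Trustis guide: it finds the certificate in the local machine's Personal store by Common Name, confirms it is bound to the private key created with the CSR, and builds its chain against the machine stores populated in section 2. The value of $fqdn is a sample.

```powershell
# Added example; $fqdn is a sample value, use the Common Name from your own CSR.
$fqdn = 'www.trustis.com'

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
try {
    # Newest certificate whose simple name (normally the CN) equals the FQDN
    $cert = $store.Certificates |
        Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $fqdn } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
} finally { $store.Close() }

if (-not $cert) { throw "No certificate with common name $fqdn in LocalMachine\My" }

# The private key was created with the CSR; without it IIS cannot use the certificate.
if (-not $cert.HasPrivateKey) { throw 'Certificate has no associated private key on this server' }

$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw 'Certificate is outside its validity period'
}

# Build the chain in machine context, so the Root and Intermediate stores are used.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object {
        Write-Warning "$($_.Status): $($_.StatusInformation.Trim())"
    }
    throw 'Certificate chain did not validate'
}

# List the chain from server certificate up to the root
$chain.ChainElements | ForEach-Object { $_.Certificate.Subject }
```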