{"id":196103,"date":"2022-12-22T19:42:59","date_gmt":"2022-12-23T00:42:59","guid":{"rendered":"https:\/\/itblog.ldlnet.net\/?p=196103"},"modified":"2024-05-10T08:33:38","modified_gmt":"2024-05-10T13:33:38","slug":"create-convert-and-install-a-certificate-on-iis-for-a-webpage","status":"publish","type":"post","link":"https:\/\/itblog.ldlnet.net\/index.php\/2022\/12\/22\/create-convert-and-install-a-certificate-on-iis-for-a-webpage\/","title":{"rendered":"Create, Convert, and Install a Certificate on IIS for a Webpage"},"content":{"rendered":"\n<p>Hello. I have had different ways and parts to updating an SSL certificate for your website. Now most are required and commonplace these days, especially if you run a business. I had always had issues creating the CSR properly with a private key so that I could convert the certificate to a PFX extension certificate with a private key for IIS installation.<\/p>\n\n\n\n<p>This blog article will go through the steps to properly create a multi-domain CSR with a private key so that you can convert the CRT and Key back into a PFX file to use on IIS for your websites.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Things to know before you begin<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Have access to your DNS provider. 
\n<ul class=\"wp-block-list\">\n<li>You might need to add a record to your DNS for validation or confirm the IP address for your A record.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Know your validation method and prepare to validate your domain\n<ul class=\"wp-block-list\">\n<li>Have the proper email address set up and working so that the Certificate Provider can send the validation email to it for EACH DOMAIN in your SAN certificate CSR.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Have OpenSSL installed or some other certificate tool.\n<ul class=\"wp-block-list\">\n<li>Windows Download Link <strong><a href=\"https:\/\/sourceforge.net\/projects\/openssl-for-windows\/files\/\" target=\"_blank\" rel=\"noreferrer noopener\">Here<\/a><\/strong><\/li>\n\n\n\n<li>OpenSSL can perform all of the tasks in this blog article except the installation part. You do that in IIS.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>REVIEW REVIEW REVIEW\n<ul class=\"wp-block-list\">\n<li>Double check all your work to make sure there are NO TYPOS. Errors will delay the issuance of a certificate and cause many problems with validation.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Creating the CSR and Private Key Pair Files<\/h2>\n\n\n\n<p>I have never been able to successfully do this like I wanted to from IIS or Windows. <em>(Please, if you have a method in IIS or certsrv utilities to do it, share with us!) <\/em>I use OpenSSL to create the configuration file that will generate the CSR and Key file to submit to the Certificate Providers.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create an OpenSSL configuration file (e.g.&nbsp;<em>req.conf<\/em>) and fill out the details for your CSR. Fill out all the fields with the proper information. I am going to assume you have knowledge of what the fields represent. Save that file to a directory (<em>i.e. 
C:\\Certs\\req.conf<\/em>)<\/li>\n<\/ul>\n\n\n<pre class=\"lang:PowerShell nums:False\" title=\"req.conf file configuration\">\n[req]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\nprompt = no\n[req_distinguished_name]\nC = US\nST = YourState\nL = YourCity\nO = YourOrganization\nOU = YourOrganizationUnit\nCN = www.domain.com\n[v3_req]\nkeyUsage = keyEncipherment, dataEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = @alt_names\n[alt_names]\nDNS.1 = www.domain.com\nDNS.2 = domain.com\nDNS.3 = sub-domain.domain.com\nDNS.4 = sub2-domain.domain.net\nDNS.5 = www.domain.net\n<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Next, run the following command from OpenSSL to generate the request (.csr) file and corresponding certificate key file (.key) in the C:\\certs directory<\/li>\n<\/ul>\n\n\n<pre class=\"lang:PowerShell nums:False\" title=\"Generate Certificate Request and Key file with OpenSSL command\">\nopenssl req -new -out C:\\certs\\yourrequest.csr -newkey rsa:2048 -nodes -sha256 -keyout c:\\certs\\yourprivatekey.key -config c:\\certs\\req.conf\n<\/pre>\n\n\n\n<p class=\"has-vivid-red-color has-text-color has-small-font-size\"><em><strong>Note:&nbsp;Multi-domain certificates do not support www subdomains by default. If you need to secure both&nbsp;www.example.com&nbsp;and example.com with one Multi-Domain certificate, both hostnames should be specified during the certificate activation.<\/strong><\/em><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Validate and obtain your Certificate<\/h2>\n\n\n\n<p>Based on the Certificate Provider you go with, you will need to go through a validation process with your CSR and domains to get them approved for certificate use based on the type of certificate you purchased. 
If you have issues with this part, you will need to work with your Certificate Provider to resolve and remediate those issues before continuing.<\/p>\n\n\n\n<p>You will have a screen like this should you have successfully obtained a certificate: <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"653\" src=\"https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2021\/04\/image-1024x653.png\" alt=\"\" class=\"wp-image-929\" srcset=\"https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2021\/04\/image-1024x653.png 1024w, https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2021\/04\/image-300x191.png 300w, https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2021\/04\/image-768x490.png 768w, https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2021\/04\/image.png 1265w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Get Your Certificate<\/figcaption><\/figure>\n\n\n\n<p class=\"has-luminous-vivid-orange-color has-text-color\"><strong><em>NOTE: The Certificate will come in a zip file. The actual certificate will be in another format (either .csr or .crt or .p7b) Extract those files to the working directory on your server (i.e. 
C:\\Certs)<\/em><\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"347\" src=\"https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2021\/04\/image-1-1024x347.png\" alt=\"\" class=\"wp-image-930\" srcset=\"https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2021\/04\/image-1-1024x347.png 1024w, https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2021\/04\/image-1-300x102.png 300w, https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2021\/04\/image-1-768x261.png 768w, https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2021\/04\/image-1.png 1126w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Look for the .crt file<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Convert the Certificate to a PFX file using OpenSSL<\/h2>\n\n\n\n<p>Now that you have your certificate, IIS will not use it for your website until it knows it has a private key associated with it to bind to in IIS. We created the key in the upper section of this blog post. Now we will use that key file and the new crt file to make the required PFX file for use in IIS.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Run the following command in OpenSSL to make a new PFX certificate using your private key and the downloaded certificate.<\/li>\n<\/ul>\n\n\n<pre class=\"lang:PowerShell nums:False\" title=\"Convert Certificate and Key file to a PFX file with OpenSSL command\">\nopenssl pkcs12 -export -out c:\\Certs\\FinalPFXCert.pfx -inkey c:\\Certs\\YourPrivatekey.key -in c:\\Certs\\downloadedcert.crt\n<\/pre>\n\n\n\n<p>You will be asked to create a password for the new certificate. <strong><em>REMEMBER THE PASSWORD! 
<\/em><\/strong>If you lose the password, you cannot export the certificate or private key and will have to recreate the certificate from scratch.<\/p>\n\n\n\n<p>You will now have a new certificate called FinalPFXCert.pfx in your C:\\Certs directory.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Import the PFX Certificate into IIS<\/h2>\n\n\n\n<p>This is the final step to add the certificate to your website. Make sure you test the bindings when completed to make sure all the SAN names work!<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Open IIS Manager &gt; <strong>Server<\/strong> &gt; <strong>Server Certificates<\/strong><\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"547\" src=\"https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2022\/12\/IISAdm1-1024x547.png\" alt=\"\" class=\"wp-image-196107\" srcset=\"https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2022\/12\/IISAdm1-1024x547.png 1024w, https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2022\/12\/IISAdm1-300x160.png 300w, https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2022\/12\/IISAdm1-768x410.png 768w, https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2022\/12\/IISAdm1.png 1330w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Select Server Certificates at Server Level in IIS<\/figcaption><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>In the Server Certificates screen, go to <strong>Actions<\/strong> &gt; <strong>Import<\/strong><\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"276\" src=\"https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2022\/12\/IISAdm2-1024x276.png\" alt=\"\" class=\"wp-image-196108\" srcset=\"https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2022\/12\/IISAdm2-1024x276.png 1024w, https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2022\/12\/IISAdm2-300x81.png 300w, 
https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2022\/12\/IISAdm2-768x207.png 768w, https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2022\/12\/IISAdm2.png 1416w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Choose Import from the Actions Menu<\/figcaption><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Choose the path to the PFX file using the ellipses (&#8230;) or type the path to the PFX file (i.e. C:\\Certs\\newcert2023.pfx) &gt; Type in the Password for the certificate in the Password field that you chose when creating the certificate &gt; Click OK<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"450\" height=\"402\" src=\"https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2022\/12\/IISAdm3.png\" alt=\"\" class=\"wp-image-196109\" srcset=\"https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2022\/12\/IISAdm3.png 450w, https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2022\/12\/IISAdm3-300x268.png 300w\" sizes=\"auto, (max-width: 450px) 100vw, 450px\" \/><figcaption class=\"wp-element-caption\">Select the new certificate<\/figcaption><\/figure>\n<\/div>\n\n\n<p><strong><em>NOTE: You will want to place the certificate in the Personal Store as that is what the computer account uses to read available certificates in IIS.<\/em><\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Assign Certificate to your Website in IIS<\/h2>\n\n\n\n<p>This is the final step to activate your certificate with your website.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>In IIS Server Manager, choose your website in the Sites List &gt; Right-Click the Site &gt; Choose Edit Bindings<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"297\" src=\"https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2022\/12\/IISAdm4-1024x297.png\" alt=\"\" class=\"wp-image-196110\" 
srcset=\"https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2022\/12\/IISAdm4-1024x297.png 1024w, https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2022\/12\/IISAdm4-300x87.png 300w, https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2022\/12\/IISAdm4-768x223.png 768w, https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2022\/12\/IISAdm4-1536x445.png 1536w, https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2022\/12\/IISAdm4.png 1808w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">You can also choose Bindings from the Actions Menu<\/figcaption><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Click <strong>Add<\/strong><\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"805\" height=\"279\" src=\"https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2022\/12\/IISAdm5.png\" alt=\"\" class=\"wp-image-196111\" srcset=\"https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2022\/12\/IISAdm5.png 805w, https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2022\/12\/IISAdm5-300x104.png 300w, https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2022\/12\/IISAdm5-768x266.png 768w\" sizes=\"auto, (max-width: 805px) 100vw, 805px\" \/><figcaption class=\"wp-element-caption\">Click Add<\/figcaption><\/figure>\n<\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>Choose <strong>HTTPS<\/strong> in the <strong>dropdown<\/strong> &gt; <strong>Type in the SAN name<\/strong> you want to bind the certificate to <em>(i.e. 
www.domain.com or domain.com)<\/em> in the <strong>Host name<\/strong> box &gt; Choose the <strong>Certificate Name<\/strong> in the <strong>SSL Certificate<\/strong> dropdown list &gt; Click <strong>OK<\/strong><\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"658\" height=\"530\" src=\"https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2022\/12\/IISAdm6.png\" alt=\"\" class=\"wp-image-196112\" srcset=\"https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2022\/12\/IISAdm6.png 658w, https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2022\/12\/IISAdm6-300x242.png 300w\" sizes=\"auto, (max-width: 658px) 100vw, 658px\" \/><\/figure>\n<\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>You will now see the https binding listed for that domain. <strong><em>REMEMBER<\/em><\/strong> to repeat this for the other SAN domain names in the certificate and apply them to all relevant websites.<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"806\" height=\"482\" src=\"https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2022\/12\/IISAdm7.png\" alt=\"\" class=\"wp-image-196113\" srcset=\"https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2022\/12\/IISAdm7.png 806w, https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2022\/12\/IISAdm7-300x179.png 300w, https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2022\/12\/IISAdm7-768x459.png 768w\" sizes=\"auto, (max-width: 806px) 100vw, 806px\" \/><figcaption class=\"wp-element-caption\">https binding information<\/figcaption><\/figure>\n<\/div>\n\n\n<p>I hope this helps some of you out there with the certificate stuff. 
Over the years, certificates have been a real pain to manage, but I think this post and my other posts in this series will help simplify the process for you all.<\/p>\n\n\n\n<h1 class=\"wp-block-heading has-text-align-center\"><strong>THANKS FOR READING AND BEING A PART OF LDLNET!<\/strong><\/h1>\n\n\n\n<h1 class=\"wp-block-heading has-text-align-center\"><strong>I WELCOME THE NEW YEAR WITH GUSTO!<\/strong><\/h1>\n\n\n\n<h1 class=\"wp-block-heading has-text-align-center\"><strong>CONTACT ME FOR ANY QUESTIONS!<\/strong><\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">About Lance Lingerfelt<\/h2>\n\n\n\n<div class=\"wp-block-media-text is-stacked-on-mobile\" style=\"grid-template-columns:22% auto\"><figure class=\"wp-block-media-text__media\"><img loading=\"lazy\" decoding=\"async\" width=\"468\" height=\"412\" src=\"https:\/\/itblog.ldlnet.net\/wp-content\/uploads\/2024\/03\/ProfLDL1.jpg\" alt=\"Lance Lingerfelt Profile Photo\" class=\"wp-image-196223 size-full\"\/><\/figure><div class=\"wp-block-media-text__content\">\n<p class=\"has-small-font-size\">Lance Lingerfelt is an M365 Specialist and Evangelist with over 20 years of experience in the Information Technology field. Having worked in enterprise environments to small businesses, he is able to adapt and provide the best IT Training and Consultation possible. With a focus on AI, the M365 Stack, and Healthcare, he continues to give back to the community with training, public speaking events, and this blog.<\/p>\n<\/div><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Hello. I have had different ways and parts to updating an SSL certificate for your website. 
Now most are required and commonplace<\/p>\n<p class=\"link-more\"><a class=\"myButt \" href=\"https:\/\/itblog.ldlnet.net\/index.php\/2022\/12\/22\/create-convert-and-install-a-certificate-on-iis-for-a-webpage\/\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":877,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,180,301,1,16],"tags":[28,27,170,282,29,175],"class_list":["post-196103","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","category-networking","category-training","category-uncategorized","category-windows","tag-certificate","tag-certificates","tag-iis","tag-openssl","tag-pki","tag-websites","odd"],"_links":{"self":[{"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/posts\/196103","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/comments?post=196103"}],"version-history":[{"count":12,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/posts\/196103\/revisions"}],"predecessor-version":[{"id":196298,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/posts\/196103\/revisions\/196298"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/media\/877"}],"wp:attachment":[{"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/media?parent=196103"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/categories?post=196103"},{"taxonomy":"post_tag","embeddable":true,"href":"https:
\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/tags?post=196103"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}