Install a Microsoft IIS7 certificate
ATTENTION: the procedure below is only valid if you generated the CSR via the IIS interface or via the Windows MMC. If you used our KeyBot to generate the CSR, please go to this page instead: Install a PFX file on your IIS7 or IIS8
You received your certificate by email. Keep it within reach.
1- Retrieve your certificate on your server
Download the bundle file (.p7b) indicated in the delivery mail and save it on your desktop.
Warning: if you use an X.509 certificate (.cer) instead, you will have to install the intermediate certificates and the root certificate manually. Following the procedure below with the .p7b bundle is much faster.
2- Import the certificate
- Open the Internet Information Services Manager. Select the relevant web server in the left panel. Double-click the Server Certificates icon.
- In the Action panel, click on Complete Certificate Request...
- In the dialog box, click on "Browse...", set the file filter to *.* and select the certificate file you downloaded. Click on "Open".
- Give your certificate a unique friendly name (do not use accented letters or the characters ! @ # $ % ^ * ( ) ~ ? > < & / \ :), then click OK.
IMPORTANT: IIS7 often returns an error saying "Cannot find the certificate request associated with this certificate file." Despite this bug, the certificate is usually installed correctly, only without the friendly name. You then need to check that it has actually been added to the list. If so, continue with the procedure below and ignore the alert.
3- Configure an HTTPS binding
- Still in the Internet Information Services Manager, select the concerned website in the left panel.
- In the Action panel, click on "Bindings"
- Click on "New"
- Select "HTTPS" protocol
- Choose the certificate you imported previously
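The same steps (import the .p7b response, verify the certificate, create the HTTPS binding) can be done from an elevated PowerShell prompt on the server where the CSR was generated. The script below is an added example, not part of the TBS procedure: `certreq -accept` is the command-line equivalent of "Complete Certificate Request...", the file path, site name and friendly name are placeholders to adapt, and the script also sets the friendly name itself, which works around the "Cannot find the certificate request" message described above.

```powershell
# Added example (not part of the TBS page). Run elevated on the machine where the
# CSR was generated, otherwise the private key cannot be paired with the certificate.
Import-Module WebAdministration

$P7bPath      = 'C:\Users\Administrator\Desktop\certificate.p7b'  # placeholder: file from the delivery mail
$SiteName     = 'Default Web Site'                                 # placeholder: IIS site to bind
$FriendlyName = 'www-example-com-tbs'                              # placeholder: no accents or special characters

# 1. Snapshot the Local Computer "Personal" store so the new certificate can be identified afterwards.
$before = @(Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { $_.Thumbprint })

# 2. Complete the pending request (same operation as "Complete Certificate Request..." in IIS Manager).
#    -q suppresses interactive dialogs so the script does not hang on an error.
certreq -accept -q $P7bPath
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

# 3. Find the certificate that was just added and check that the private key is attached.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $before -notcontains $_.Thumbprint }
if (-not $cert) {
    if (Get-ChildItem Cert:\CurrentUser\My | Where-Object { $before -notcontains $_.Thumbprint }) {
        throw 'Certificate landed in the Current User store: export it as PFX and re-import it into Local Computer > Personal.'
    }
    throw 'No new certificate found in Cert:\LocalMachine\My; check that the CSR was generated on this server.'
}
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key; the HTTPS binding cannot use it." }

# 4. Set the friendly name that IIS Manager sometimes fails to store (setting the property
#    on an object from the Cert: drive persists it in the store).
$cert.FriendlyName = $FriendlyName

# 5. Create the HTTPS binding on port 443 (all IP addresses) and assign the certificate to it.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
}
if (-not (Test-Path 'IIS:\SslBindings\0.0.0.0!443')) {
    $cert | New-Item 'IIS:\SslBindings\0.0.0.0!443' | Out-Null
}

# 6. Show the result.
Get-WebBinding -Name $SiteName
Get-Item 'IIS:\SslBindings\0.0.0.0!443' | Format-List Thumbprint, Sites
```

If the SSL binding for 0.0.0.0:443 already exists (for instance from a previous certificate), remove it first with `Remove-Item 'IIS:\SslBindings\0.0.0.0!443'` or assign the new certificate through IIS Manager; the script deliberately does not overwrite an existing binding.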
Microsoft error messages
Sometimes, error messages of this type may appear when importing the certificate (.p7b or .cer)
(Errors listed by Microsoft here: http://support.microsoft.com/kb/959216/fr).
- "Can't find the certificate request associated with this certificate file. A certificate request must be made on the computer where it was created. "
- "An error occurred during this operation Details: CertEnroll::CX509Enrollment::p_InstallResponse : Incorrect ASN1 tag value filled. 0X8009310B (ASN:276)"
Cause
This problem occurs because IIS Manager performs a lookup to find a friendly name for the certificate during installation. However, IIS may not be able to retrieve the friendly name of a certificate from a PKCS#7 file. As a result, the lookup fails and you receive the error message.
THE CERTIFICATE IS INSTALLED CORRECTLY DESPITE THE ERROR MESSAGE.
Troubleshooting
To resolve this problem, add a friendly name to the certificate. To do this, follow these steps:
- Click Start, click Run, type certmgr.msc, and then click OK.
- Locate the certificate (in "personal" / "certificates").
- Right-click the certificate, and then click Properties.
- Edit the Friendly name field.
Other possible error message
- A certificate chain could not be built to a trusted root authority
Cause
This error message appears when the root certificate of the certification chain is not present in the Windows certificate store.
Resolution
You must manually import the root certificate and the certification chain. These are available on the certificate status page, via the "View the certificate" button. Once everything is imported, you can retry the operation with your .p7b certificate.
To know how to import an intermediate or root certificate manually, here is a link from our FAQ: Install intermediate or root certificates manually
4- Run a test
Test your secure site access with IE and Firefox now. With IE 7 and Firefox 3, expect an error message regarding site name mismatch, since you are testing locally.
On your certificate status page, in your customer area at TBS CERTIFICATES, you will find a "Test the installation" button to check that your certificate is correctly installed.
ADVICE AND RECOMMENDATIONS FROM TBS INTERNET
For security matters, it is advised to:
- Activate TLS1.2
- Disable SSLv2 and SSLv3. More info: Microsoft documentation
- get protected from BEAST: consult the documentation. Here is our documentation on how to activate TLSv1.1 and TLSv1.2.
- We also advise disabling RC4- and 3DES-based ciphers.
- We also advise you to activate HSTS (IIS configuration).
- To mitigate the security risks associated with the Diffie-Hellman configuration and the Logjam security hole, we recommend that you configure the IIS cipher suites. For more information, see this documentation and this Microsoft documentation, as well as the Mozilla recommendations related to compatibility (for guidance only, since the latter are not compatible with IIS, unlike the two previous links).
And discover IIS Crypto by Nartac, a tool that lets you easily make these changes in IIS (also compatible with IIS6).
There is also a PowerShell script to apply all these security recommendations: external link.
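As an added example (this is not the external script linked above, nor TBS code), the following PowerShell applies the recommendations listed in this section on a single server: it disables SSL 2.0 and SSL 3.0, enables TLS 1.1 and TLS 1.2, disables the RC4 and 3DES ciphers in Schannel, and adds an HSTS header to one IIS site. The registry layout is the standard Schannel one; the site name and the HSTS max-age are assumptions to adapt.

```powershell
# Added example (not the TBS or Nartac tooling). Run elevated on the IIS server.
# Schannel protocol/cipher changes only take effect after a reboot.
$SiteName   = 'Default Web Site'   # placeholder: site that should send HSTS
$HstsMaxAge = 31536000             # placeholder: one year, in seconds

$Schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-SchannelValue {
    # Writes a DWORD under HKLM\...\SCHANNEL\<SubKey>, creating the key if needed.
    # .NET is used instead of New-Item because cipher key names contain '/', which
    # the PowerShell registry provider treats as a path separator.
    param([string]$SubKey, [string]$Name, [int]$Value)
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$Schannel\$SubKey")
    $key.SetValue($Name, $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

# Server-side protocol switches: Enabled=1/DisabledByDefault=0 turns a protocol on,
# Enabled=0/DisabledByDefault=1 turns it off. TLS 1.0 is left untouched, as the page
# only asks for SSLv2/SSLv3 to be disabled and TLS 1.1/1.2 to be enabled.
$protocols = @{ 'SSL 2.0' = $false; 'SSL 3.0' = $false; 'TLS 1.1' = $true; 'TLS 1.2' = $true }
foreach ($p in $protocols.Keys) {
    $on = $protocols[$p]
    Set-SchannelValue "Protocols\$p\Server" 'Enabled'           $(if ($on) { 1 } else { 0 })
    Set-SchannelValue "Protocols\$p\Server" 'DisabledByDefault' $(if ($on) { 0 } else { 1 })
}

# Weak ciphers: Enabled=0 removes them from every suite Schannel will negotiate.
foreach ($c in 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128', 'Triple DES 168') {
    Set-SchannelValue "Ciphers\$c" 'Enabled' 0
}

# HSTS: add a Strict-Transport-Security response header to the site, once.
Import-Module WebAdministration
$filter   = 'system.webServer/httpProtocol/customHeaders'
$existing = Get-WebConfiguration -PSPath "IIS:\Sites\$SiteName" -Filter "$filter/add[@name='Strict-Transport-Security']"
if (-not $existing) {
    Add-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Filter $filter -Name '.' `
        -Value @{ name = 'Strict-Transport-Security'; value = "max-age=$HstsMaxAge" }
}

# Summary of the protocol settings that were written.
foreach ($p in $protocols.Keys) {
    Get-ItemProperty "HKLM:\$Schannel\Protocols\$p\Server" | Select-Object @{n='Protocol';e={$p}}, Enabled, DisabledByDefault
}
```

Two caveats: IIS custom headers are sent on HTTP as well as HTTPS responses (browsers ignore HSTS received over plain HTTP, so the site still needs an HTTP to HTTPS redirect for the header to be effective), and disabling SSL 3.0 and RC4 affects every Schannel server on the machine, not only IIS, so check other services on the server before rebooting.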
Possible scenario
"SSL Handshake error" or SSL does not start
Make sure your certificate and its private key have been correctly installed. To do so, launch the MMC on your Windows server. Your certificate may have been placed in the "Current User" store instead of "Local Computer" (due to a Windows bug). You can fix this by exporting the certificate locally (with its private key) and re-importing it into the Local Computer store.
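The checks behind this scenario, and behind the "certificate chain could not be built" error above, can be scripted. The following is an added diagnostic (not TBS code): it looks for the certificate in both the Current User and Local Computer stores, reports whether the private key is attached, and tries to build the trust chain from the Windows certificate stores so that a missing intermediate or root shows up. `$SubjectMatch` is a placeholder for your host name.

```powershell
# Added example (not part of the TBS page). Read-only: it changes nothing on the server.
$SubjectMatch = 'www.example.com'   # placeholder: part of your certificate's subject name

function Find-SiteCertificate {
    param([string]$StorePath, [string]$Match)
    Get-ChildItem $StorePath | Where-Object { $_.Subject -like "*$Match*" }
}

$inMachine = @(Find-SiteCertificate 'Cert:\LocalMachine\My' $SubjectMatch)
$inUser    = @(Find-SiteCertificate 'Cert:\CurrentUser\My'  $SubjectMatch)

# Case 1: the certificate went into the wrong store (the bug described in this scenario).
if ($inMachine.Count -eq 0 -and $inUser.Count -gt 0) {
    Write-Warning 'Certificate is only in the Current User store: export it with its private key (PFX) and re-import it into Local Computer > Personal.'
}
if ($inMachine.Count -eq 0 -and $inUser.Count -eq 0) {
    Write-Warning "No certificate matching '$SubjectMatch' found in either Personal store."
}

foreach ($cert in $inMachine) {
    "Thumbprint {0}  subject {1}  expires {2}" -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter

    # Case 2: certificate present but not paired with its private key.
    if (-not $cert.HasPrivateKey) {
        Write-Warning 'No private key attached: the HTTPS binding cannot use this certificate. Re-complete the request on the machine where the CSR was generated (a known repair for a key that exists but is unlinked is: certutil -repairstore my <thumbprint>).'
    }

    # Case 3: trust chain. Revocation checking is disabled here so that only missing
    # intermediate/root certificates are reported, not network problems.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if ($chain.Build($cert)) {
        'Chain OK: ' + (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join '  ->  ')
    } else {
        $reasons = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        Write-Warning "Chain could not be built: $reasons"
        Write-Warning 'Import the missing intermediate/root certificates (available from the certificate status page) into Local Computer, then retry.'
    }
}
```

The HTTPS binding also needs the certificate to be attached to port 443; after the store and chain checks pass, `Get-ChildItem IIS:\SslBindings` (WebAdministration module) shows which thumbprint is actually bound.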
Useful links
- Install intermediate certificates or root certificates manually
- Export your IIS5, IIS6 or IIS7 certificate and its private key
- Import a PFX file (PKCS#12) in IIS7 or IIS8
- Enforce 128-bit under IIS
- IIS mixes up websites and does not launch SSL after reboot
- Install a certificate after having deleted the current certificate request
- Disable an Intermediate or Root Certificate on Windows Server
- Disable Thawte PCA root (2036)
- Disable COMODO RSA Certification Authority (2038) root
- Disable VeriSign Class 3 Public Primary Certification Authority root - G5 (2036)
- Configure a same certificate (wildcard, multiple-site) and a same port (443) on several sites with IIS7
- Creating a directory starting with a dot on Windows