

Install a Microsoft IIS7 certificate

ATTENTION: the procedure below is only valid if you generated the CSR via the IIS interface or via the Windows MMC. If you used our KeyBot to generate the CSR, please go to this page: Install a PFX file on your IIS7 or IIS8

You received your certificate by email. Keep it within reach.

1- Retrieve your certificate on your server

Download the overall file (.p7b) indicated in the delivery mail and save it on your desktop.

Warning: If you are using an X509 certificate (.cer), you will have to manually install the intermediate certificates and the root certificate. It is much faster to follow this new installation procedure.

2- Import the certificate

  • Open the Internet Information Services Manager. Select the relevant web server in the left panel. Double-click on the Server Certificates icon on the left.
  • In the Action panel, click on Complete Certificate Request... 




  • In the dialog box, click on Browse, set the filter to *.* and select the file in which you have downloaded your certificate. Click on "Open".
  • Give your certificate a unique name (do not use accents nor characters: ! @ # $ % ^ * ( ) ~ ? > < & / \:), then OK.


IMPORTANT: IIS7 often returns an error saying "Cannot find the certificate request associated with this certificate file." Despite this bug, the certificate is usually installed correctly, only without the unique name. Check that it has actually been added to the list. If so, continue with the procedure below and ignore the alert.



3- Configure an HTTPS binding

  • Still in the Internet Information Services Manager, select the relevant website in the left panel.


  • In the Action panel, click on "Bindings"
  • Click on "New"
  • Select "HTTPS" protocol
  • Choose the certificate you imported previously


Microsoft error messages

Sometimes, error messages of this type may appear when importing the certificate (.p7b or .cer)
(Errors listed by Microsoft here: http://support.microsoft.com/kb/959216/fr).


  • "Can't find the certificate request associated with this certificate file. A certificate request must be made on the computer where it was created. "

  • "An error occurred during this operation Details: CertEnroll::CX509Enrollment::p_InstallResponse : Incorrect ASN1 tag value filled. 0X8009310B (ASN:276)"
Cause

This problem occurs because IIS Manager performs a lookup for the certificate's friendly name during installation. However, IIS may be unable to retrieve the friendly name of a certificate from a PKCS#7 file. As a result, the lookup fails and you receive the error message.
THE CERTIFICATE IS INSTALLED CORRECTLY DESPITE THE ERROR MESSAGE.

Troubleshooting

To resolve this problem, add a friendly name to the certificate. To do this, follow these steps:


  • Click Start, click Run, type certmgr.mmc, and then click OK.
  • Locate the certificate (in "personal" / "certificates").
  • Right-click the certificate, and then click Properties.
  • Edit the Friendly name field.

Other possible error message

  • A certificate chain could not be built to a trusted root authority
Cause

This error message appears when the root certificate of the certification chain is not in the Windows certificate store.

Resolution

You must manually import the root certificate and the certification chain. These items are available on the certificate status page, via the "View the certificate" button. Once everything has been imported, you can retry the operation with your .p7b certificate.

To know how to import an intermediate or root certificate manually, here is a link from our FAQ: Install intermediate or root certificates manually

4- Run a test

Test your secure site access with IE and Firefox now. With IE 7 and Firefox 3, expect an error message regarding site name mismatch, since you are testing locally.

On your certificate status page, in your customer area at TBS CERTIFICATES, you will find a "Test the installation" button to test the correct installation of your certificate.

ADVICE AND RECOMMENDATIONS FROM TBS INTERNET

For security matters, it is advised to:

And discover IIS Crypto by Nartac, a tool that lets you easily make your changes in IIS (also compatible with IIS6)

There is also a PowerShell script to apply all these security recommendations: external link.

Possible scenario

"SSL Handshake error" or SSL does not start

Make sure your certificate and its private key have been correctly installed. To do so, launch the MMC on your Windows server. Your certificate may have been placed in the user store instead of the "Local Computer" store (due to a Windows bug).
You can fix this by exporting the certificate locally and then re-importing it into the Local Computer store.
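
The checks described in "Troubleshooting" (friendly name) and in this section (store location and private key) can also be run from an elevated PowerShell prompt. The script below is an added example, not part of the TBS procedure; www.example.com and the parameter names are constructed placeholders.

```powershell
# Added example: post-install check for an IIS certificate (not vendor code).
# $Subject is a constructed placeholder; replace it with your site's common name.
param(
    [string]$Subject = 'www.example.com',
    [string]$NewFriendlyName = ''   # optional: applied only when the field is empty
)

function Get-CertReport {
    param([string]$StorePath, [string]$Subject)
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -like "*CN=$Subject*" } |
        ForEach-Object {
            # Build the chain against the roots and intermediates Windows already trusts.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'NoCheck'   # test trust only, works offline
            $chainOk = $chain.Build($_)
            $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            New-Object PSObject -Property @{
                Store         = $StorePath
                Thumbprint    = $_.Thumbprint
                FriendlyName  = $_.FriendlyName
                HasPrivateKey = $_.HasPrivateKey
                NotAfter      = $_.NotAfter
                ChainOk       = $chainOk
                ChainStatus   = $status
            }
        }
}

$machine = @(Get-CertReport 'Cert:\LocalMachine\My' $Subject)
$user    = @(Get-CertReport 'Cert:\CurrentUser\My'  $Subject)
$machine + $user | Format-List Store, Thumbprint, FriendlyName, HasPrivateKey, NotAfter, ChainOk, ChainStatus

if ($machine.Count -eq 0 -and $user.Count -gt 0) {
    Write-Warning 'Certificate is only in the user store; IIS reads the Local Computer store.'
}
foreach ($c in $machine) {
    if (-not $c.HasPrivateKey) { Write-Warning "$($c.Thumbprint): no private key; IIS cannot bind it." }
    if (-not $c.ChainOk)       { Write-Warning "$($c.Thumbprint): chain not trusted ($($c.ChainStatus))." }
    if (-not $c.FriendlyName -and $NewFriendlyName) {
        # Same effect as editing "Friendly name" in the certificate Properties dialog.
        (Get-Item "Cert:\LocalMachine\My\$($c.Thumbprint)").FriendlyName = $NewFriendlyName
    }
}
```

A ChainOk value of False with an UntrustedRoot or PartialChain status corresponds to the "certificate chain could not be built" error described earlier.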
