Install a Microsoft IIS7 certificate

You received your certificate by email. Keep it within reach.

1- Retrieve your certificate on your server

Download the overall file (.p7b) indicated in the delivery mail and save it on your desktop.

Warning: if you are using an X509 certificate (.cer), you will have to install the intermediate certificates and the root certificate manually. It is much faster to follow this new installation procedure.

2- Import the certificate

  • Open the Internet Information Services Manager. Select the relevant web server in the left panel. Double-click the Server Certificates icon on the left.
  • In the Actions panel, click on Complete Certificate Request...




  • In the dialog box, click on Browse, set the filter to *.* and select the file you downloaded your certificate to. Click on "Open".
  • Give your certificate a unique name (do not use accents or any of these characters: ! @ # $ % ^ * ( ) ~ ? > < & / \:), then click OK.


IMPORTANT: IIS7 often returns an error saying "Cannot find the certificate request associated with this certificate file." Despite this bug, the certificate is usually installed correctly, only without the name you gave it. Check that it has actually been added to the list. If so, continue with the procedure below and ignore the alert.



3- Configure an HTTPS binding

  • Still in the Internet Information Services Manager, select the relevant website in the left panel.


  • In the Actions pane, click on "Bindings"
  • Click on "New"
  • Select "HTTPS" protocol
  • Choose the certificate you imported previously


Microsoft error messages

You may encounter error messages while importing a certificate (.p7b or .cer).
(Errors listed by Microsoft here: http://support.microsoft.com/kb/959216/fr).


  • "Cannot find the certificate request associated with this certificate file. A certificate request must be completed on the computer where it was created."

  • "There was an error while performing this operation Details: CertEnroll::CX509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b (ASN:276)"

Cause

This issue occurs because IIS Manager performs a lookup operation to look for a friendly name of the certificate during the installation. However, the code that performs this lookup operation misses this specific case, and it does not know how to retrieve the friendly name of a certificate in a PKCS#7 file. Therefore, the lookup operation fails, and you receive the error message.
THE CERTIFICATE IS INSTALLED CORRECTLY DESPITE THE ERROR MESSAGE.

Troubleshooting

To resolve this problem, add a friendly name to the certificate. To do this, follow these steps:


  • Click Start, click Run, type certmgr.mmc, and then click OK.
  • Locate the certificate (in "personal" / "certificates").
  • Right-click the certificate, and then click Properties.
  • Edit the Friendly name field.

4- Run a test

Now test access to your secured website with IE and Firefox. With IE 7 and Firefox 3 you may see an error message indicating that the site names do not match. This is normal for a local test.

On your certificate's status page, you'll see a 'Check your certificate' button. Click it to test the installation of your certificate.

ADVICE AND RECOMMENDATIONS FROM TBS INTERNET

For security matters, it is advised to:

And discover NARTAC, a tool that will help you make modifications in IIS (compatible with IIS6).

There is also a PowerShell script to apply all those security recommendations: external link.



Possible scenario

"SSL Handshake error" or SSL does not start

Make sure the certificate and its private key have been correctly installed. To do so, launch the MMC on your Windows server. Your certificate may have been placed in the "user" container instead of "local computer" (due to a Windows bug).
You can fix this by exporting the certificate locally and then re-importing it into the local computer.
http://support.microsoft.com/kb/939616/fr
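
The checks described above (certificate placed in the user container instead of the local computer, private key present, friendly name missing) can also be run from an elevated PowerShell prompt. This is an added example, not part of the original procedure and not a TBS Internet script; the function name and the `$Thumbprint` and `$FriendlyName` values are placeholders to replace with your own.

```powershell
# Added example: verify where the imported certificate landed and repair
# the missing friendly name. Save as a .ps1 file and run as Administrator.
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,   # thumbprint of your certificate
    [string]$FriendlyName = 'www.example.com'            # placeholder name
)

function Find-Certificate([string]$StorePath, [string]$Thumbprint) {
    # Thumbprints copied from the certificate dialog often contain spaces
    # or hidden characters; keep only the hex digits before comparing.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $clean }
}

# IIS reads HTTPS certificates from the local computer "Personal" store.
$machine = Find-Certificate 'Cert:\LocalMachine\My' $Thumbprint
$user    = Find-Certificate 'Cert:\CurrentUser\My'  $Thumbprint

if (-not $machine) {
    if ($user) {
        Write-Warning ('Certificate is in the current user store, not the local computer store. ' +
                       'Export it with its private key and re-import it into the local computer.')
    } else {
        Write-Warning 'Certificate not found in either Personal store.'
    }
    return
}

if (-not $machine.HasPrivateKey) {
    # Without the private key the certificate cannot be used for an HTTPS binding.
    Write-Warning 'Certificate is present but has no associated private key.'
    return
}

if ([string]::IsNullOrEmpty($machine.FriendlyName)) {
    # Same effect as editing the "Friendly name" field in the Properties dialog.
    $machine.FriendlyName = $FriendlyName
    Write-Output "Friendly name set to '$FriendlyName'."
}

$machine | Format-List Subject, FriendlyName, Thumbprint, NotAfter, HasPrivateKey
```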

Consult MICROSOFT here: http://support.microsoft.com/kb/959216/fr
