Generate a CSR with Microsoft IIS8.X/10.X and Windows Server 2012/2016
Import the certificate
Attention: You must not import the PFX via IIS because its import wizard cannot handle certificate chains.
- Open the Windows Run dialog, either with Run from the menu or with the keyboard shortcut Win+R. Then enter mmc and click OK.
- Click on the File menu and then on Add/Remove Snap-in.
- Click on Certificates then on Add.
- Select the kind of account (Windows) you are currently using, then complete the information requested.
- Then validate by clicking OK.
- You can now open the Certificates menu to find the store that will contain your certificate. Select its Certificates subfolder. Then right-click in the center part of the window and select the All Tasks - Import option.
- Click on Next.
- Select your pfx file. Please note that the dialog box tries to find another kind of file by default. Then click on Next.
- Enter the password protecting the certificate. Make sure the box Mark this key as exportable is checked. If not, you won't be able to export your key.
- Select the store that will contain the certificate. It is very strongly recommended to select the Automatically select the certificate store based on the type of certificate option in order to distribute each element of the certification chain to the appropriate stores.
- Confirm the certificate import by clicking on Finish.
Bind the certificate
- In Internet Information Services (IIS) Manager, select your site.
- Select the Bindings option from the Actions menu on the right-hand side of the window.
- Then select Add.
- Then select the HTTPS protocol and the certificate you previously added.
Security recommendations
- We recommend that you disable the SSLv2 and SSLv3 protocols.
- We recommend enabling HSTS (IIS configuration).
- To limit the security risks related to the Diffie-Hellman configuration and the Logjam security hole, we recommend that you configure the cipher suites in IIS. For more information, see the documentation and also this page from the Microsoft documentation, and the Mozilla recommendations about compatibility (use the latter only as an information source: its format isn't compatible with IIS, contrary to the two previous links).
- We also recommend disabling the RC4 cipher. See our documentation.
Also discover IIS Crypto by NARTAC, a tool that will help you make modifications in IIS (compatible with IIS6).
There is also a PowerShell script that applies all these security recommendations: external link.
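As an added example (not the script linked above and not code from this page), the following PowerShell reports whether the SSLv2/SSLv3 server protocols and the RC4 ciphers are disabled in SCHANNEL, and writes the disabling values when called with -Apply. It assumes the standard SCHANNEL registry location and an elevated prompt; the -Apply switch is a name chosen for this example.

```powershell
# Added example: audit (default) or apply (-Apply) the SCHANNEL settings behind
# the SSLv2/SSLv3 and RC4 recommendations. Run from an elevated prompt.
param([switch]$Apply)

$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Subkey (relative to $base) -> DWORD values that disable it.
$targets = [ordered]@{
    'Protocols\SSL 2.0\Server' = @{ Enabled = 0; DisabledByDefault = 1 }
    'Protocols\SSL 3.0\Server' = @{ Enabled = 0; DisabledByDefault = 1 }
    'Ciphers\RC4 128/128'      = @{ Enabled = 0 }
    'Ciphers\RC4 64/128'       = @{ Enabled = 0 }
    'Ciphers\RC4 56/128'       = @{ Enabled = 0 }
    'Ciphers\RC4 40/128'       = @{ Enabled = 0 }
}

$hklm = [Microsoft.Win32.Registry]::LocalMachine
foreach ($sub in $targets.Keys) {
    $path = "$base\$sub"

    if ($Apply) {
        # Use the .NET registry API: the cipher key names contain '/', which the
        # PowerShell registry provider would treat as a path separator.
        $key = $hklm.CreateSubKey($path)
        foreach ($name in $targets[$sub].Keys) {
            $key.SetValue($name, [int]$targets[$sub][$name],
                          [Microsoft.Win32.RegistryValueKind]::DWord)
        }
        $key.Close()
    }

    # Read back the effective value; OpenSubKey returns $null if the key is absent.
    $key = $hklm.OpenSubKey($path)
    $enabled = if ($key) { $key.GetValue('Enabled') } else { $null }
    if ($key) { $key.Close() }

    [pscustomobject]@{
        Setting = $sub
        Enabled = if ($null -eq $enabled) { '(not set: OS default)' } else { $enabled }
        Status  = if ($enabled -eq 0) { 'disabled' } else { 'review' }
    }
}
```

Run it without arguments first to see which entries show "review", then with -Apply, and restart the server so every service picks up the change.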
Last edited on 05/25/2022 14:26:17