CSR Creation & SSL Certificate Installation on IIS 10
An SSL certificate enables encryption of communication between a web server and web browsers. Installing an SSL certificate on your IIS 10 web server allows users to establish secure HTTPS connections to your website. This protects sensitive information like login credentials, payment details etc. from interception by hackers.
In this comprehensive guide, we will walk you through the entire process of installing an SSL certificate on IIS 10 on Windows Server 2016 or Windows Server 2019.
Prerequisites before Installing SSL Certificate on IIS 10
Before you begin with the SSL certificate installation, make sure you have the following prerequisites in place:
- A server running Windows Server 2016 or Windows Server 2019 with IIS 10 installed.
- Administrative access to the server.
- A valid SSL certificate issued by a Certificate Authority (CA). You can purchase an SSL certificate from CAs like DigiCert, GoDaddy, GlobalSign etc. Make sure the certificate is intended for the IIS web server.
- The SSL certificate file should be in .pfx or .p12 format which contains the SSL certificate, intermediate certificates, and private key in a single encrypted file.
- You will need the password for decrypting the .pfx file if the private key is encrypted. The CA will generally provide this when you purchase the certificate.
- The server should have a public DNS name configured and you should be able to access the default IIS welcome page using this DNS name over HTTP.
- The common name (domain name) on the SSL certificate should match the public DNS name of your server.
Once you have met these requirements, you are ready to install the SSL certificate.
A Step-by-Step Guide to Install SSL Certificate on IIS 10
Step 1 – Export Certificate from Certificate Store
The first step is to export your SSL certificate to a .pfx file if it is not already in that format.
If you have the certificate file in .cer or .crt format, follow these steps:
- Open Server Manager and click on Tools > Certificates.
- Go to the Personal > Certificates folder.
- Right click on the certificate issued by the CA and select All Tasks > Export.
- In the Certificate Export Wizard, click Next.
- Select Yes, export the private key and click Next.
- Select Personal Information Exchange – PKCS #12 (.PFX) as the export format and check Include all certificates in the certification path if possible.
- Specify a password to protect the private key. Remember this password as you’ll need it later.
- Provide a name for the exported certificate file and save it to a suitable location.
- Complete the export by clicking Next followed by Finish.
You now have the SSL certificate exported in .pfx format.
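The export in Step 1 can also be scripted. This is an added example, not from the original guide; it assumes the issued certificate for www.example.com sits in the Local Machine Personal store and writes the PFX to C:\certs (both hypothetical values).

```powershell
# Added example (not from the original guide): export an issued certificate from the
# Local Machine > Personal store to a password-protected PFX, including its chain.
# Assumptions: the certificate was issued for www.example.com and is in Cert:\LocalMachine\My.
$hostName = 'www.example.com'
$pfxPath  = 'C:\certs\www.example.com.pfx'

# Pick the newest certificate whose subject matches the site name and that has a private key.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$hostName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) { throw "No certificate with a private key found for $hostName" }

# Prompt for the PFX password instead of hard-coding it in the script.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# -ChainOption BuildChain is the equivalent of the wizard's
# "Include all certificates in the certification path if possible".
New-Item -ItemType Directory -Path (Split-Path $pfxPath) -Force | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword -ChainOption BuildChain | Out-Null

# The PFX holds the private key: drop inherited ACEs and allow only Administrators and SYSTEM.
$acl = Get-Acl -Path $pfxPath
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $pfxPath -AclObject $acl
Write-Host "Exported $($cert.Thumbprint) to $pfxPath"
```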
Step 2 – Open IIS Manager
The next step is to open IIS Manager to install the exported certificate.
- Go to Start Menu > Administrative Tools > Internet Information Services (IIS) Manager.
- In the Connections pane on the left, expand the Sites node to see the websites configured on your server.
- Select the site where you wish to install the SSL certificate. In most cases, this will be the ‘Default Web Site’.
- Double click on SSL Settings in the middle Actions pane.
Step 3 – Import SSL Certificate
We will now import the .pfx certificate file into IIS using the following steps:
- In SSL Settings, click on Import Certificate under Server Certificates.
- In the Import Certificate dialog, browse to the location of the .pfx file exported earlier.
- Specify the password you created when exporting the certificate.
- Select Allow this certificate to be exported and click OK.
The SSL certificate will now be listed under Server Certificates.
Step 4 – Complete Certificate Request
To complete the installation, we need to select the imported certificate and complete the certificate request in IIS:
- Select the imported certificate under Server Certificates.
- In the Actions pane on the right, click on Complete Certificate Request.
- Set the friendly name for the certificate and click OK.
The SSL certificate is now successfully installed on your IIS 10 server.
Step 5 – Bind SSL Certificate to Website
The final step is to bind the installed SSL certificate to the website in IIS:
- Select the website again in the Connections pane.
- Double click on the Bindings option in the Actions pane.
- Click on Add under Site Bindings.
- In the Add Site Binding dialog, set:
- Type: HTTPS
- IP address: The public IP address of your website
- Port: 443
- SSL certificate: Select the imported certificate
- Click OK to add the HTTPS binding.
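Steps 3 to 5 (import the PFX, then create the HTTPS binding and attach the certificate) as one script. This is an added example, not the guide's own procedure; it assumes the site is 'Default Web Site', the host name is www.example.com and the PFX is at C:\certs\www.example.com.pfx, and it binds to all addresses with SNI rather than to one public IP.

```powershell
# Added example (not from the original guide): import the PFX into the Local Machine
# Personal store and create the HTTPS binding on port 443 for the site.
# Assumptions: site 'Default Web Site', host www.example.com, PFX at C:\certs\www.example.com.pfx.
Import-Module WebAdministration

$siteName    = 'Default Web Site'
$hostName    = 'www.example.com'
$pfxPath     = 'C:\certs\www.example.com.pfx'
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Import into LocalMachine\My, the store IIS reads server certificates from.
# Add -Exportable only if the key really must be exportable from this server again.
$cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword

# Create the HTTPS binding (all addresses, port 443, SNI) if it does not exist yet.
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName
if (-not $binding) {
    # -SslFlags 1 enables Server Name Indication so several HTTPS sites can share the address.
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*' -HostHeader $hostName -SslFlags 1
    $binding = Get-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName
}

# Attach the certificate to the binding; 'my' is the LocalMachine Personal store.
$binding.AddSslCertificate($cert.Thumbprint, 'my')

# Show the binding and the certificate hash it now uses.
Get-WebBinding -Name $siteName -Protocol https | Select-Object bindingInformation, certificateHash
```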
Step 6 – Test HTTPS Access
Confirm that the SSL certificate is installed correctly and that HTTPS is working:
- Open a web browser and access your website using the HTTPS protocol i.e. https://yourdomain.com
- Check for any certificate warnings or errors. Since you are using a valid certificate signed by a trusted CA, you should not see any trust issues.
- Click on the lock icon in the browser address bar to inspect the certificate details. Verify your domain name shows up correctly.
- Try accessing some inner pages over HTTPS to confirm the site is loading fine without any issues.
- You can also use the SSL Server Test from Qualys to analyze your server configuration and grade the implementation.
If you are able to access the website securely without any certificate errors, the SSL certificate installation is completed successfully.
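The browser checks in Step 6 (name match, expiry, chain trust) can be repeated from a script, which is useful on a server without a browser. This is an added example, not part of the original guide; it assumes the site is reachable as www.example.com on port 443.

```powershell
# Added example (not from the original guide): connect with TLS and inspect the served
# certificate the way a browser does: name match, expiry and chain trust.
function Test-SiteCertificate {
    param([string]$HostName, [int]$Port = 443)

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate in the callback; we evaluate it ourselves below.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)   # sends SNI = $HostName
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $protocol = $ssl.SslProtocol
        $ssl.Dispose()
    } finally { $client.Close() }

    # Names: subject CN plus every DNS entry in the Subject Alternative Name extension.
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { $names += ($san.Format($false) -split ', ') | ForEach-Object { ($_ -split '=')[-1] } }

    # -like lets a wildcard name such as *.example.com match www.example.com.
    $nameOk = $false
    foreach ($n in $names) { if ($HostName -like $n) { $nameOk = $true } }

    # Build the chain against this machine's trusted roots; a missing intermediate shows up here.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Host         = $HostName
        Protocol     = $protocol
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        NameMatches  = $nameOk
        Expired      = ($cert.NotAfter -lt (Get-Date))
        ChainTrusted = $chainOk
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

Test-SiteCertificate -HostName 'www.example.com' | Format-List
```

A false NameMatches, Expired set to true, or a ChainStatus such as PartialChain or UntrustedRoot map directly onto the problems listed under Troubleshooting below.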
Troubleshooting Common Problems
Some common problems faced during SSL setup on IIS and ways to troubleshoot them:
Website not accessible over HTTPS
- Ensure the SSL certificate is bound to the correct IP address and port using the site bindings in IIS.
- Check if there are any other bindings like HTTP on port 443 that may block HTTPS access.
- Confirm there are no firewall or network restrictions blocking TCP port 443.
Certificate name mismatch
- The common name or subject alternative names on the certificate must match the DNS name used to access the site.
- If they don’t match, change the DNS name, or get a new certificate with the correct name.
Invalid certificate trust
- If the certificate is signed by an untrusted CA, install the intermediate and root certificates of the CA chain on the server.
- For self-signed certificates, import the certificate directly as a Trusted Root CA in Windows certificate store.
Accessing HTTPS site shows lock icon crossed out
- This means the certificate has expired. Renew the SSL certificate with your CA provider.
- You may also need to re-import the new certificate and bind it to the site.
HTTPS causes slow performance
- This could be due to SSL/TLS protocol overhead. Enable HTTP/2 on the IIS server to improve HTTPS speed.
- Consider scaling up server resources like CPU, RAM based on site traffic load.
HTTPS redirection not working properly
- Set up URL Redirect or URL Rewrite rules correctly in IIS to redirect HTTP to HTTPS.
- Avoid conflicting redirection rules that send requests into a redirect loop.
Best Practices for SSL Certificate Installation
Follow these best practices when installing SSL certificates on your IIS 10 web server:
- Always generate a Certificate Signing Request (CSR) on the web server itself when purchasing a certificate. This allows proper embedding of server information in the cert.
- Use 2048-bit or higher encryption strength for the private key when generating the CSR.
- Pick a reputable CA like Symantec, DigiCert, Comodo for the SSL certificate. Self-signed certificates should be avoided.
- Manage your certificate renewal well in advance of the expiry date to avoid any downtime.
- Install the intermediate and root certificates of the CA on your server for proper certificate chain validation.
- Protect your private key appropriately by controlling access to the .pfx file. Set up adequate permissions to allow IIS to read the certificate.
- Validate certificate installation using Qualys SSL test to identify any weaknesses in your implementation.
- Always install SSL certificates on a test staging server first before moving them to production servers.
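The first two best practices (generate the CSR on the server itself, with a 2048-bit or stronger key) can be done with certreq, which keeps the private key in the machine store so only the CSR ever leaves the server. This is an added example, not from the original guide; the subject, organisation and SAN entries are placeholders for www.example.com and must be replaced with your own.

```powershell
# Added example (not from the original guide): generate the CSR on the web server with a
# 2048-bit RSA key in the machine store. Assumes www.example.com with example.com as a second SAN.
$hostName = 'www.example.com'
$infPath  = "C:\certs\$hostName.inf"
$csrPath  = "C:\certs\$hostName.csr"

# certreq request definition. MachineKeySet=TRUE puts the key where IIS (Local Machine) can use it;
# Exportable=TRUE is needed only if you later want to export the PFX (Step 1);
# KeyUsage 0xA0 = digitalSignature + keyEncipherment; 2.5.29.17 is the Subject Alternative Name.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$hostName, O=Example Corp, L=City, S=State, C=US"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$hostName&"
_continue_ = "dns=example.com&"
"@

New-Item -ItemType Directory -Path (Split-Path $infPath) -Force | Out-Null
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Create the key pair and the PKCS #10 request; the key stays in the machine store.
certreq.exe -new $infPath $csrPath
Get-Content -Path $csrPath   # paste this block into the CA's order form

# When the CA returns the issued certificate (e.g. C:\certs\www.example.com.cer), join it to the
# pending key with:  certreq.exe -accept C:\certs\www.example.com.cer
```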
Conclusion on Installing an SSL Certificate on IIS 10
Installing an SSL certificate on IIS 10 is quite straightforward provided you have the certificate file and prerequisites in place. The key steps are exporting the certificate if required, importing it into the IIS certificate store, completing the certificate request and then binding the SSL certificate to the website with the correct HTTPS binding settings.
Some care needs to be taken to match the domain name, validate the certificate chain of trust and test HTTPS access fully. Following the best practices around certificate generation, renewal, permissions, and testing will ensure your users have a seamless HTTPS experience.
FAQs about Installing an SSL Certificate on IIS 10
How do I force HTTPS on a website in IIS 10?
To force HTTPS on a website in IIS 10, you need to edit the site’s bindings and remove the HTTP binding, leaving only the HTTPS binding in place. This way, when users try to access the site over HTTP, they will automatically be redirected to HTTPS. You can access the site bindings by opening IIS Manager, selecting the site, and clicking on “Bindings” in the actions pane.
Can I install a wildcard SSL certificate on IIS 10?
Yes, it is possible to install a wildcard SSL certificate on IIS 10 which will secure multiple subdomains under a single domain. Wildcard certificates use an asterisk (*) to represent the subdomains. To install one, obtain a wildcard certificate from your SSL provider and import it into IIS Manager. Then select the site and click on “SSL Settings” to bind the certificate to the site hostname like www.example.com. This will encrypt traffic for all subdomains like mail.example.com, api.example.com, etc.
How do I check if an SSL certificate is installed correctly in IIS 10?
To check if an SSL certificate is installed correctly in IIS 10, open a web browser, and enter the HTTPS URL of the site, such as https://www.example.com. The browser may display a green lock icon and state that the connection is secure. You should not receive any certificate warnings or errors. If all looks correct, then the certificate has been set up properly in IIS. You can also use OpenSSL or PowerShell commands to validate certificate details programmatically.
How do I renew an SSL certificate in IIS 10?
To renew an SSL certificate in IIS 10, you first need to obtain a new certificate from your Certificate Authority (CA). This can usually be done online through the CA’s account portal. Once you have the new certificate file, import it into IIS Manager. Then select the SSL certificate from the dropdown and click “View” to manage bindings. Leave the existing certificate selected without removing it first. This binds the new certificate and allows renewal without service interruption.
What are the SSL settings in IIS 10?
The main SSL settings in IIS 10 can be configured by editing the site bindings and clicking the SSL Options button. Here you can select the SSL certificate to use, enable PCI compliance settings, specify the SSL/TLS protocols, choose the encryption strength like AES 256, and set options for client certificates. Additional SSL options are available at the server level. Understanding these settings allows you to properly configure encryption for secure communication to the IIS website.
How do I redirect HTTP to HTTPS in IIS 10 after installing an SSL certificate?
To redirect HTTP to HTTPS in IIS 10, edit the URL rewrite module for the website. Open the URL Rewrite section and select “Add Rule(s)” to open the rule builder. Set the rule’s pattern to match incoming HTTP requests. For the action, select “Redirect” and specify the HTTPS URL. This will redirect all HTTP traffic to the secure HTTPS address. You can test the rule by requesting the site over plain HTTP, which should now automatically redirect to the encrypted HTTPS version.
What is the SSL port number in IIS 10?
By default, SSL/HTTPS traffic in IIS 10 uses TCP port 443. This is the standard port specified by the HTTPS protocol for encrypting and securing web traffic. When binding an SSL certificate to a website in IIS, port 443 should be selected as the secure port. Users will access the site securely by navigating to https://example.com rather than http://example.com, with the “s” indicating port 443 is being used. This port number can be changed but using the standard 443 helps ensure compatibility with clients.