
How to Install Wildcard SSL Certificate on IIS 7 or 8

SSL Installation Guides


IIS 7 or 8 Windows Server: CSR Creation & Wildcard SSL Installation

A wildcard SSL certificate allows you to secure unlimited subdomains under a base domain with a single SSL certificate. For example, a wildcard certificate for *.example.com will work for www.example.com, mail.example.com, login.example.com, etc.

Wildcard certificates provide flexibility and can help reduce SSL certificate management costs for websites that have multiple subdomains. They are ideal for businesses that host multiple services on subdomains of their main domain.

In this comprehensive guide, we will walk through the complete process of installing a wildcard SSL certificate on IIS (Internet Information Services) 7 or 8 on a Windows Server.

Prerequisites before Installing Wildcard SSL on IIS 7 or 8

Before you can install and configure a wildcard SSL certificate, make sure you have the following:

  • A Windows Server (2008 R2 or later) with IIS 7 or IIS 8 installed. IIS is built-in and enabled by default on Windows Server.
  • Administrator access to the Windows Server.
  • A valid wildcard SSL certificate issued by a trusted certificate authority. You can purchase one from vendors like DigiCert, Thawte, etc.
  • The certificate file you receive from the CA contains the certificate and its private key, and may also include the intermediate certificates. It is typically a PFX (PKCS #12) file.
  • The private key password for the certificate if one was created.

A Step-by-Step Guide to Install Wildcard SSL Certificate on IIS 7 or 8

Step 1 – Import the Wildcard SSL Certificate

The first step is to import the wildcard SSL certificate file into the server’s certificate store. Here are the detailed steps:

  • Open the IIS Manager on your Windows Server.
  • In the left pane, double-click on your server name to expand the menu.
  • Click on ‘Server Certificates’. This opens the certificate store.
  • In the ‘Actions’ panel on the right, click ‘Import’.
  • In the import dialog, browse and select the PFX or PKCS #12 certificate file you received from the CA.
  • If a private key password was set by the CA, enter it in the password field.
  • Check the box to allow the certificate to be exported. This lets you back up or transfer it in the future if required.
  • Click OK to import the certificate into the store.

The wildcard SSL certificate will now appear in the ‘Server Certificates’ list. Make a note of the certificate thumbprint, which we will need later.

Step 2 – Bind the SSL Certificate to the Website

Now that the wildcard SSL certificate is imported, we need to bind it to the website in IIS. Here are the steps:

  • Expand ‘Sites’ in the IIS Manager and select the website you want to add the SSL binding to.
  • In the Actions panel, click ‘Bindings’.
  • Click ‘Add’ to open the ‘Add Site Binding’ dialog.
  • Set the binding Type as ‘https’.
  • In the ‘SSL certificate’ field, use the dropdown to select the wildcard certificate we imported.
  • Specify port 443 which is the default port for HTTPS.
  • Leave SSL flagged as ‘Required’.
  • Click OK to add the HTTPS binding.

The wildcard certificate is now bound to the website. Repeat the binding steps above (from ‘Bindings’ through ‘OK’) for any additional websites that need it.
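Steps 1 and 2 can also be done from an elevated PowerShell prompt on the IIS server. This is an added example, not code from the original guide; it assumes the WebAdministration module is available (IIS 7.5 and IIS 8), and the PFX path and site name are placeholders.

```powershell
# Added example (not from the original guide). Placeholders: PFX path, site name.
Import-Module WebAdministration

$pfxPath  = 'C:\certs\wildcard.pfx'     # placeholder: PFX file received from the CA
$siteName = 'Default Web Site'          # placeholder: IIS site to bind
$password = Read-Host -AsSecureString 'PFX password'

# Step 1: load the PFX and add it to the machine's Personal (My) store.
# 'Exportable' is the equivalent of the "allow this certificate to be exported"
# checkbox; 'MachineKeySet' and 'PersistKeySet' keep the private key available to IIS.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet,Exportable'
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $password, $flags)
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()
# The thumbprint printed here is the value the guide asks you to note for later.
Write-Host "Imported $($cert.Subject) thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"

# Step 2: add an https binding on port 443 for all IP addresses, then attach the
# certificate to that address:port pair in the SslBindings store.
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*'
}
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslPath) { Remove-Item $sslPath }   # replace whatever certificate was on 0.0.0.0:443
Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)" | New-Item $sslPath | Out-Null

# Confirm the binding now points at the wildcard certificate's thumbprint.
Get-Item $sslPath | Select-Object IPAddress, Port, Thumbprint
```

On IIS 8 a per-host binding can be created instead with New-WebBinding -HostHeader and -SslFlags 1 (SNI), which lets several certificates share port 443 on one address.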

Step 3 – Install URL Rewrite Module

The URL Rewrite module for IIS allows you to redirect HTTP requests to HTTPS to ensure traffic is secured. Installing it is easy:

  • In the IIS Manager, click on your Windows Server name in the left pane.
  • Double click on ‘Get New Web Platform Components’ under Management.
  • Find the URL Rewrite component and click ‘Add’ to install it.

This will automatically download and install the latest version of the URL Rewrite module.

Step 4 – Redirect HTTP to HTTPS

With the URL Rewrite module installed, we can now set up a rule to redirect all HTTP requests to HTTPS.

  • Select the website again in the IIS Manager.
  • Double click on ‘URL Rewrite’ in the middle Features pane.
  • In the Actions panel on the right, click ‘Add Rule(s)’.
  • Enter a descriptive name for the rule, for example ‘HTTP to HTTPS Redirect’.
  • Select ‘Blank Rule’ as the rule template.
  • Under pattern, enter: ^http://(.*)$
  • For Action Type, select ‘Redirect’.
  • For protocol, select ‘https’.
  • Check ‘Redirect to same host name…’
  • Leave everything else as default and click OK to save the rule.

This will redirect all HTTP requests for the website to use HTTPS instead. The wildcard SSL certificate will encrypt and secure the traffic.

Step 5 – Enable HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security (HSTS) is an opt-in security enhancement: once a browser has received the header, it uses HTTPS for all future requests to the site instead of trying HTTP first. This prevents man-in-the-middle attacks that rely on protocol downgrading.

Enabling HSTS ensures browsers only interact with your website over HTTPS going forward. Here is how to enable it:

  • Select the website again in IIS.
  • Double click on the HTTP Response Headers feature.
  • In the Actions panel, click Add…
  • For name, enter ‘Strict-Transport-Security’.
  • For value, enter ‘max-age=31536000’. This sets the policy lifetime to one year (the value is in seconds).
  • Click OK to save the new response header.

This will set the HSTS header. You can adjust the max-age value as needed.
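The redirect rule from Step 4 and the header from Step 5 are both written into the site's web.config, so they can be applied together from PowerShell. This is an added example, not the guide's own configuration; it assumes the URL Rewrite module is already installed (Step 3) and uses a placeholder site path. Note that URL Rewrite compares the pattern against the request path only, with no scheme or host, so the rule below matches every path and uses the {HTTPS} server variable as its condition, which is the form that matches plain-HTTP requests in practice.

```powershell
# Added example (not from the original guide). Assumes URL Rewrite is installed.
Import-Module WebAdministration
$site     = 'IIS:\Sites\Default Web Site'        # placeholder site path
$ruleName = 'HTTP to HTTPS Redirect'
$rules    = 'system.webServer/rewrite/rules'
$rule     = "$rules/rule[@name='$ruleName']"

# Step 4. Match every path, fire only when the request was not HTTPS, and send a
# permanent redirect to the same host ({HTTP_HOST}) so each subdomain redirects
# to itself under the wildcard certificate. The 301 is sent before any content.
if (-not (Get-WebConfiguration -PSPath $site -Filter $rule)) {
    Add-WebConfigurationProperty -PSPath $site -Filter $rules -Name '.' `
        -Value @{ name = $ruleName; stopProcessing = $true }
    Set-WebConfigurationProperty -PSPath $site -Filter "$rule/match" -Name 'url' -Value '(.*)'
    Add-WebConfigurationProperty -PSPath $site -Filter "$rule/conditions" -Name '.' `
        -Value @{ input = '{HTTPS}'; pattern = 'off' }
    Set-WebConfigurationProperty -PSPath $site -Filter "$rule/action" -Name 'type' -Value 'Redirect'
    Set-WebConfigurationProperty -PSPath $site -Filter "$rule/action" -Name 'url' -Value 'https://{HTTP_HOST}/{R:1}'
    Set-WebConfigurationProperty -PSPath $site -Filter "$rule/action" -Name 'redirectType' -Value 'Permanent'
}

# Step 5. The HSTS header. includeSubDomains is the relevant option for a wildcard
# deployment: it extends the policy to every host under the base domain, so add it
# only once all of those hosts actually serve HTTPS. Browsers ignore the header on
# plain-HTTP responses, so emitting it as a static header on both bindings is harmless.
$headers  = 'system.webServer/httpProtocol/customHeaders'
$hstsName = 'Strict-Transport-Security'
if (-not (Get-WebConfiguration -PSPath $site -Filter "$headers/add[@name='$hstsName']")) {
    Add-WebConfigurationProperty -PSPath $site -Filter $headers -Name '.' `
        -Value @{ name = $hstsName; value = 'max-age=31536000; includeSubDomains' }
}

# Show what was written so it can be compared with the IIS Manager view.
Get-WebConfiguration -PSPath $site -Filter "$rule/action" | Select-Object type, url, redirectType
Get-WebConfiguration -PSPath $site -Filter "$headers/add" | Select-Object name, value
```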

Step 6 – Test the Website

The wildcard SSL certificate is now installed and configured correctly. To test it out:

  • Open a web browser and access your website through HTTP first.
  • Verify you are redirected to the HTTPS URL automatically.
  • Check for the padlock icon in the browser address bar.
  • Click the lock and validate the certificate details match what you imported earlier.
  • Try accessing other subdomains such as mail.yourdomain.com and ensure the wildcard certificate secures them too.
  • Use an SSL testing tool like SSL Labs to validate and get an A+ rating.

If you see any issues, go back and review the steps to ensure nothing was missed. The certificate may need to be rebound or the website restarted.
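The browser checks above can be scripted from any Windows machine that can reach the site. This is an added example, not part of the original guide; the host name and expected thumbprint are placeholders (use the thumbprint noted in Step 1).

```powershell
# Added example (not from the original guide). Placeholders: host name, thumbprint.
$hostName           = 'mail.example.com'        # placeholder: a subdomain covered by the wildcard
$expectedThumbprint = 'THUMBPRINT-FROM-STEP-1'  # placeholder: value noted after the import

# 1. A plain-HTTP request must come back as a redirect to the https URL.
$req = [System.Net.WebRequest]::Create("http://$hostName/")
$req.AllowAutoRedirect = $false                  # keep the 3xx response so it can be inspected
$resp = $req.GetResponse()
$code = [int]$resp.StatusCode
$location = $resp.Headers['Location']
$resp.Close()
if ((301,302,307,308 -contains $code) -and ($location -like "https://$hostName/*")) {
    Write-Host "Redirect OK: $code -> $location"
} else {
    Write-Warning "No HTTPS redirect: status $code, Location '$location'"
}

# 2. Complete a TLS handshake on 443 and inspect the certificate that is served.
# The validation callback accepts any certificate so the script can report on it;
# $cert.Verify() further down performs the real chain check.
$tcp      = New-Object System.Net.Sockets.TcpClient($hostName, 443)
$callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$ssl      = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
$ssl.AuthenticateAsClient($hostName)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Close(); $tcp.Close()

# Subject Alternative Name (OID 2.5.29.17) lists every name the certificate covers.
$san  = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) })
$days = [int]($cert.NotAfter - (Get-Date)).TotalDays
Write-Host "Subject    : $($cert.Subject)"
Write-Host "SAN        : $san"
Write-Host "Thumbprint : $($cert.Thumbprint) (matches Step 1: $($cert.Thumbprint -eq $expectedThumbprint))"
Write-Host "Chain valid: $($cert.Verify())  expires $($cert.NotAfter) in $days days"
if ($days -lt 30) { Write-Warning 'Certificate expires within 30 days; start the renewal now.' }
```

A thumbprint that differs from the one noted in Step 1 means a binding still points at an old certificate, which is the first thing to check under Troubleshooting below.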

Renewing the Wildcard Certificate

Wildcard SSL certificates are typically valid for 1 to 3 years. You will need to renew them periodically:

  • Purchase a renewed certificate from the same CA when the current one approaches expiration.
  • Follow step 1 again to import the renewed certificate into the server.
  • IIS will automatically start using the new certificate for the existing HTTPS bindings.
  • No need to rebind the certificate or change configurations.

Be sure to renew it several weeks or months in advance to avoid any certificate expiration errors.

Troubleshooting Issues

Here are some common issues and fixes:

Website showing certificate errors or warnings

  • Ensure the correct certificate is bound to the site in IIS.
  • Verify no bindings are using the old or expired certificate.
  • The server may need to be restarted after a new certificate is imported.

HTTPS site connectivity problems

  • Check if the HTTPS port is being blocked by a firewall.
  • Confirm the binding is using port 443 and not a non-standard port.
  • Try restarting the ‘World Wide Web Publishing Service’.

HTTP to HTTPS redirect not working

  • Double check the URL Rewrite rule pattern and conditions.
  • Verify the rule is enabled and URL Rewrite module is installed.
  • Test by accessing the site through HTTP to confirm redirect occurs.

Browsers complaining about HSTS

  • If HSTS was previously enabled, some browsers may complain if it’s disabled.
  • They have cached the HSTS policy and expect HTTPS. The warnings can be ignored until the cached policy expires.

Certificate name mismatch warnings

  • The name on the certificate must match the website’s domain name accessed.
  • For a wildcard certificate, the part after the asterisk (the base domain) must match the site being accessed; the subdomain label in front of it can be anything.
  • If the names don’t match, renew the cert with correct CSR information.
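To see exactly which host names a wildcard entry covers before reissuing a CSR, the following added example (not from the original guide) reproduces the matching rule browsers apply: a wildcard stands in for exactly one leftmost label, and the bare domain is matched only through the separate example.com entry that CAs normally include in a wildcard certificate. The SAN list is constructed for the example, not taken from a real certificate.

```powershell
# Added example (not from the original guide). $names is a constructed SAN list.
function Test-CertificateName {
    param([string]$HostName, [string[]]$SanNames)
    $target = $HostName.TrimEnd('.').ToLowerInvariant()
    foreach ($name in $SanNames) {
        $n = $name.ToLowerInvariant()
        if ($n -eq $target) { return $true }            # exact entry, e.g. the apex domain
        if ($n.StartsWith('*.')) {
            # The wildcard replaces exactly one leftmost label: *.example.com
            # matches mail.example.com but neither example.com nor a.b.example.com.
            $suffix = $n.Substring(2)
            $i = $target.IndexOf('.')
            if ($i -gt 0 -and $target.Substring($i + 1) -eq $suffix) { return $true }
        }
    }
    return $false
}

# Constructed SAN list in the shape a commercial CA issues for a wildcard order.
$names = @('*.example.com', 'example.com')
foreach ($h in 'www.example.com', 'example.com', 'a.b.example.com', 'example.net') {
    '{0,-18} covered: {1}' -f $h, (Test-CertificateName -HostName $h -SanNames $names)
}
```

The SAN string printed by the verification script in Step 6 can be split on ', ' and 'DNS Name=' to feed real values into the same function.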

Conclusion: Installing a Wildcard SSL Certificate on IIS 7 or 8

Installing a wildcard SSL certificate on IIS provides an easy way to secure unlimited subdomains for your websites. Following the steps outlined in this guide, you can import the certificate, bind it properly in IIS, redirect HTTP traffic to HTTPS, and enable HSTS for maximum security.

Some best practices include using a certificate with a 2048- or 4096-bit key from a trusted CA, renewing several weeks before expiration, restricting access to the certificate files on your server, and protecting the private key (the PFX file) with AES-256 or stronger encryption.

With these tips, your website will benefit from HTTPS encryption, authentication, and integrity for all its subdomains and avoid mixed content warnings in modern browsers. Happy securing!

FAQs: Installing a Wildcard SSL Certificate on IIS 7 or 8

What are the steps to install a wildcard SSL certificate on IIS?

The main steps are: import the certificate into the server’s store, bind it to websites in IIS, install the URL Rewrite module, create a rule to redirect HTTP to HTTPS, and enable HSTS for added security.

Where do you put the wildcard SSL certificate files?

The certificate files (PFX/PKCS12) should be imported directly into the Windows server’s certificate store using the IIS Manager console under Server Certificates.

How do I bind a wildcard SSL certificate in IIS?

In IIS Manager, go to the site > Bindings > Add and select HTTPS, choose the imported wildcard cert from the dropdown menu, and select port 443.

Does a wildcard cover the root domain?

Yes, a wildcard certificate covers both the apex/root domain (example.com) as well as all subdomains (*.example.com).

Can you use a wildcard cert with multiple IPs?

Yes, a wildcard SSL certificate works across multiple IPs. You can assign it to sites that use different IPs on the same server.

What is the limit of subdomains on a wildcard SSL cert?

There is no practical limit. A wildcard SSL certificate can be used to secure an unlimited number of subdomains for the base domain.