Digital Certificates and Microsoft Internet Information Services


Dec 4, 2013 (4 years and 5 months ago)


Digital Certificates
and Microsoft Internet
Information Services
Digital Certificates and Microsoft
Internet Information Services
his guide will help you test, purchase, install, and use a
Thawte digital certificate on Microsoft Internet Information
Services (IIS), the web server software included with Windows
Server. It also includes best practices for securing IIS and

for ongoing management of digital certificates, and their
encryption keys.
IIS 5, 6, 7, and Beyond
This guide covers IIS 5 (included with Windows 2000 Server), IIS
6 (included with Windows Server 2003), and IIS 7, (included with
Windows Server 2008). While IIS 5 and 6 are substantially similar
in the way they are configured and managed, IIS 7 is significantly
different, so this guide will cover the variations between versions.
This guide assumes you are running the latest patches and
service packs for the Windows operating system (OS).
Generating Your Private Key and Certificate
Signing Request
To obtain a certificate from Thawte, you first need to have IIS
generate a new private encryption key and a Certificate Signing
Request (CSR). The CSR contains information needed to
properly issue a certificate that can be used by the server. It is
important that the associated private key remain on the web
Thawte does not require, and should never have, access
to your private key. The integrity of your digital certificate depends
heavily on you keeping your private key
When generating a CSR, you will be asked for several pieces of

Organization name – This is your organization’s full

legal name.

Organizational unit – This is often the division of your
company that is responsible for the web server.

Country code – You will usually select this from a list.

State or Province – This should be spelled out, not

Locality – This is usually your city; again, it should be
spelled out and not abbreviated.

Common name – This is the exact host and domain name
that you want to secure, such as “
While this does not need to match the actual computer
name of the web server, it does need to be the exact host
and domain name that users will enter to get to your web
site. Domains are not interchangeable; a certificate for
“” will not work for “
It is common practice to redirect users to a single host and
domain name for secure connections, thus requiring only
one certificate.
Thawte also offers “wildcard” certificates, which can be used
to secure multiple subdomains on a single server. There are
potential risks associated with “wildcard” certificates, so be sure
you understand how they are best used before selecting this kind
of certificate.
IIS generates the private key file and the CSR at the same time,
and saves both to disk at a location you select. The CSR is a text
file that contains text similar to what Figure 1 shows.
Figure 1: A sample CSR text file.
To begin in IIS 7, select the server in the IIS management
console, then select Server Certificates. Click Open Feature in
the sidebar, then click Create Certificate Request (see Figure 2).
A wizard will open and prompt you for the necessary information.
Backing Up Your Private Key File
Although the IIS UI may not make this clear, completing the CSR
does produce a private key in a file on disk. Back up this file to
a secure, safe location immediately. The file is usually protected
with a password; be sure you do not forget this password
because you will need it to install your digital certificate. Thawte
recommends backing up the private key file to a removable
storage device, such as a USB flash drive, and storing that
device in a secure location. The private key file’s password
should be written down and stored separately, typically in a
locked safe or other secure storage location.
Figure 2: Steps necessary to open the wizard.
In IIS 5 or 6, right-click a web site and select Properties. On the
Directory Security tab, click Server Certificate to open the wizard
and complete your CSR (see Figure 3).
Figure 3: Setting up the properties of your CSR.
Figure 4: A sample text file certificate.
Using a Test Certificate
Thawte offers free test certificates, valid for 21 days, that you
can use to test your web server setup . and ensure a successful
digital certificate installation. To obtain a test certificate, visit:
. You will be asked to copy and paste the text of your
CSR into the Test Certificate System web page.
When copying and pasting your CSR, be sure to include
in the CSR text file including the “BEGIN” and “END”
lines and all the dashes.
Your certificate is delivered to you in the form of a text file, which
looks similar to the CSR (see Figure 4).
Copy and paste this entire block of text, including the dashes
and “BEGIN” and “END” lines, into a text editor. Save the text file
to disk using a .CRT filename extension, such as the filename
Once you have your test certificate, you are ready to install it
into IIS. In IIS 5 and 6, return to the web site properties Directory
Security tab, and click Server Certificate. In IIS 7, return to the
Server Certificates item, and select Complete Certificate Request
in the sidebar. IIS will guide you through the certificate installation
process, including prompting you for the location of your private
key file and your certificate file. In IIS 7, you will also need to
associate the certificate with a specific web site on the server.
Once configured, IIS will automatically utilize the certificate when
responding to https:// requests..
There are several key pieces of information provided:

For IIS 5 visit:
© 2012 Thawte, Inc. All rights reserved. Thawte, the thawte logo, and other trademarks, service marks, and designs are registered or unregistered trademarks

of Thawte, Inc. and its subsidiaries and affi liates in the United States and in foreign countries. All other trademarks are property of their respective owners.

For IIS 6 visit:

For IIS 7 visit:
Note that the test certificate is fully functional; however, it is issued
by a non-trusted root CA. Visitors to your web site will see a
warning message and be asked if they want to trust the certificate.
You can visit:.
download the proper Test CA Root Certificate so that your browser
will trust the test certificate.
Special Configuration Note
SSL can only work when your secured web site uses a unique
IP address. SSL will not work properly if IIS is distinguishing
between web sites based solely on host headers, because the
request header itself will be encrypted. The SSL certificate is not
tied to the IP address, so the address itself may be changed at
any time.
Requesting a Trusted Certificate
The process of obtaining a fully functional, production-quality
Thawte digital certificate is similar to that to obtain the test
You will need to generate a new CSR and private
key –
do not use the same key and CSR that you used to request
the test certificate.
Part of obtaining a production-quality, trusted certificate is proving
the identity of your organization to Thawte. Thawte initiates
the identity verification process automatically and will contact
you if additional information is required. You can expedite your
certificate’s issuance by responding to Thawte’s requests . as
quickly and completely as possible. Log into your account to track
the status of your certificate:
. Once you obtain your trusted certificate, install it using the
same procedures you used for your test certificate.
Exporting Your Trusted Certificate and
Private Key
You should back up your installed certificate and your private key
file – ideally to a removable storage device such as a USB flash
drive. Note the password used to secure the private key file, and
ideally store that password separately in a secure location. If your
server software crashes or must be reinstalled, you will need all
these items to reinstall your certificate.
Detailed instructions for back up procedures can be found
Useful Links
You may find the following URLs to be useful:

More details about Thawte’s SSL Web Server Certificates
can be found at:

Common problem experiences with SSL certificates and
the solutions to those problems are detailed in the Thawte
Knowledge Base at:

Thawte’s Frequently Asked Questions also provide quick
answers to common questions and can be read at:

You can purchase SSL Web Server Certificates at:

Via phone

US toll-free: +1 888 484 2983

UK: +44 203 450 5486

South Africa: +27 21 819 2800

Germany: +49 69 3807 89081

France: +33 1 57 32 42 68


Visit our website at
To learn more, contact our sales advisors:
Protect your business and translate
trust to your customers with high-
assurance digital certificates from
Thawte, the world’s first international
specialist in online security. Backed by
a 17-year track record of stability and
reliability, a proven infrastructure, and
world-class customer support, Thawte
is the international partner of choice
for businesses worldwide.