Microsoft IIS 4
Guide to Installing Root Certificates, Generating CSR and Installing SSL Certificate

Copyright. All rights reserved.

Trustis Limited
Building 273
New Greenham Park
Greenham Common
Thatcham RG19 6HN
E: info@trustis.com
W: www.trustis.com
Registered in England No: 03613613

Table of Contents

1 Introduction
2 Install Root and Intermediate Certificates
2.1 ServicePack 3:
2.2 ServicePack 4:
2.3 ServicePack 5: Same as SP4.
2.4 ServicePack 6: Same as SP5.
3 Certificate Signing Request (CSR) Generation
4 Installing your SSL Server Certificate
4.1 Install the Server file certificate using Key Manager

T-0104-003-AP-003 IIS4 guide - V0.1.docx

1 Introduction

This document gives instructions for installing the Root and Intermediate certificates, generating your Certificate Signing Request (CSR), and installing your SSL certificate. The document is split into a section for each operation.

2 Install Root and Intermediate Certificates

First, download the CA certificates (both the Root CA certificate and the Issuing CA certificate) as individual files:

DER format Root CA certificate, found at http://www.trustis.com/pki/healthcare/ops/fpsroot-der.crt
DER format Healthcare TT Issuing Authority certificate, found at http://www.trustis.com/pki/healthcare/ops/healthcarett-der.crt

2.1 ServicePack 3:

1. Install the above certificates in Internet Explorer by opening each certificate and clicking "Install Certificate".
2. Run %SystemRoot%\system32\inetsrv\iisca.exe to transfer all root certificates from Internet Explorer to IIS (see Microsoft KnowledgeBase Q216339).
3. Restart the machine.

2.2 ServicePack 4:

Install the above certificates manually in a specific root store (see also Microsoft KnowledgeBase Q194788):

1. Install the Root CA certificate by double-clicking on the corresponding file. This will start an installation wizard.
2. Select "Place all certificates in the following store" and click Browse.
3. Select "Show physical stores".
4. Select "Trusted Root Certification Authorities".
5. Select "Local Computer" and click OK.
6. Back in the wizard, click Next, then click Finish.

Repeat the same for the Issuing CA certificate. This time, however, choose "Intermediate Certification Authorities" instead of "Trusted Root Certification Authorities".

2.3 ServicePack 5: Same as SP4.

2.4 ServicePack 6: Same as SP5.

Reboot the web server to complete the installation.

3 Certificate Signing Request (CSR) Generation

A CSR is a file containing your IIS SSL certificate application information, including your Public Key. Generate your CSR and then copy and paste the contents of the CSR file into the web form in the enrolment process.

Generate keys and IIS SSL certificate:

1. Open the Microsoft Management Console (MMC) for IIS (available in the Windows NT 4.0 Option Pack > Microsoft Internet Information Server > Internet Service Manager).
2. In the MMC, expand the Internet Information Server folder and expand the computer name.
3. Open the properties window for the website the CSR is for. You can do this by right-clicking on the website.
4. Open the Directory Security folder.
5. In the Secure Communications area of this Property Sheet, select the Key Manager button and select "Create New Key...".
6. Choose "Put the request in a file that you will send to an authority." Select an appropriate filename (or accept the default).
7. Fill in the appropriate details:
8. Fill in all the fields. Do not use the following characters: ! @ # $ % ^ * ( ) ~ ? > < & / \

   Note: If your server is only 40 bit enabled, you will only generate a 512 bit key and should upgrade with a high encryption pack from Microsoft before continuing. Ensure your server is 128 bit enabled and generate 2048 bit keys.

9. Click Next until you finish.
10. Click Finish.
11. Key Manager will display a key icon under the WWW icon. The key will have an orange slash through it, indicating it is not complete. Choose the "Computers" menu and select Exit. Select YES when asked to commit changes.
12. When you make your application, make sure you include this file (this is your CSR) in its entirety in the appropriate section of the enrolment form, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.
13. Click Next.
14. Confirm your details in the enrolment form.
15. Finish.

4 Installing your SSL Server Certificate

When your certificate request has been approved, you will receive an email from the Registration Authority containing a link to a location where your certificate may be obtained. Clicking on this link will bring up a browser window that contains the details of your issued certificate and includes a section that looks something like the following:

-----BEGIN CERTIFICATE-----
MIAGCSqGSIb3DQEHAqCAMIACAQExADALBgkqhkiG9w0BBwGggDCCAmowggHXAhaf
UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAUAMF8xCzAJBgNVBAYTAlVTMSAw
(...)
E+cFEpf0WForA+eRP6XraWw8rTN8102zGrcJgg4P6XVS4l39+l5aCEGGbauLP5W6
K99c42ku3QrlX2+KeDi+xBG2cEIsdSiXeQS/16S36ITclu4AADEAAAAAAAAA
-----END CERTIFICATE-----

Copy everything between and including the lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. Paste it into an appropriately named text file, e.g. myserver.crt.

4.1 Install the Server file certificate using Key Manager

1. Go to Key Manager.
2. Install the new IIS SSL Server certificate (e.g. myserver.crt) by clicking on the key in the www directory (usually a broken key icon with a line through it) and selecting "Install Key Certificate".
3. Enter the Password.
4. When you are prompted for bindings, add the IP and Port Number. "Any assigned" is acceptable if you do not have any other IIS SSL certificates installed on the web server.

   Note: Multiple certificates installed on the same web server will require a separate IP Address for each because SSL does not support host headers.

5. Go to the Computers menu and select the option "Commit Changes", or close Key Manager and select "Yes" when prompted to commit changes.
6. The new IIS SSL Server certificate is now successfully installed.
7. Back up the Key in Key Manager by clicking on Key menu -> Export -> Backup File. Store the backup file on the hard drive AND off the server.
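
Added example (not part of the original Trustis guide): both step 12 of section 3 and the copy step in section 4 depend on pasting a PEM block in its entirety. This Python sketch checks a pasted file for intact BEGIN/END lines, valid base64 and a complete outer ASN.1 structure, and reports whether the payload is a PKCS#7 signedData bundle, which is what the sample block in section 4 begins with. The function names are illustrative and the sample input is constructed.

```python
import base64
import binascii
import re

# OID 1.2.840.113549.1.7.2 (PKCS#7 signedData), DER-encoded.
PKCS7_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*\n(.*?)\n-----END \1-----", re.S)

def outer_length_ok(der):
    """True if the outer SEQUENCE header agrees with the amount of data present."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first == 0x80:                  # BER indefinite length ends with 00 00
        return der.endswith(b"\x00\x00")
    if first < 0x80:                   # short form: length held in one byte
        return len(der) == 2 + first
    n = first & 0x7F                   # long form: next n bytes hold the length
    return len(der) >= 2 + n and len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def inspect_pem(text):
    """Return (label, kind, problems) for the first PEM block in text."""
    m = PEM_RE.search(text)
    if not m:
        return None, None, ["no intact BEGIN/END pair (five dashes each side)"]
    label, body = m.groups()
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except binascii.Error:
        return label, None, ["body is not valid base64 (elided or mangled text?)"]
    if PKCS7_SIGNED_DATA in der[:16]:  # content type follows the outer header
        kind = "PKCS#7 signedData"
    elif "REQUEST" in label:
        kind = "PKCS#10 request"
    else:
        kind = "X.509 certificate"
    problems = [] if outer_length_ok(der) else ["outer length mismatch: paste looks truncated"]
    return label, kind, problems

def to_pem(label, der):
    """Build a PEM block from DER bytes (used here only for constructed samples)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

if __name__ == "__main__":
    # Constructed sample: a dummy 5-byte DER SEQUENCE, not a real certificate.
    sample = to_pem("CERTIFICATE", bytes.fromhex("3003020101"))
    print(inspect_pem(sample))
```

Run inspect_pem on the text of the CSR file before submitting it, and on myserver.crt before opening Key Manager; a non-empty problems list means the paste should be repeated.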