Certificate Management Service: Install SSL certificates on IIS servers

Last Updated: Jun 20, 2024

This topic describes how to install an SSL certificate on an Internet Information Services (IIS) server, including downloading and uploading a PFX certificate file, configuring related parameters on the IIS server, and verifying the installation result. After the certificate is installed, you can access the IIS server over HTTPS, which ensures the security of data transmission.

Important

In this topic, an IIS 8 server that runs a Windows Server 2012 R2 operating system is used as an example to illustrate the installation. The operations to import a certificate and bind a certificate to a website vary based on the versions of servers and operating systems. If you have questions, contact your account manager.

Prerequisites

  • A certificate is issued by using the Certificate Management Service console. For more information, see Purchase SSL certificates and Apply for a certificate.

  • Domain Name System (DNS) resolution is complete on the domain name that is bound to the certificate. The domain name is resolved to an IP address. You can use the DNS verification tool to check whether the DNS record of the domain name takes effect. For more information, see Verify the DNS record of your domain name.

  • Port 443 is enabled on your web server. Port 443 is the standard port used for HTTPS communication.

    If you use an Alibaba Cloud Elastic Compute Service (ECS) instance, make sure that an inbound security group rule is configured to allow TCP access on port 443. For more information, see Add a security group rule.

Step 1: Download the certificate

  1. Log on to the Certificate Management Service console.

  2. In the left-side navigation pane, click SSL Certificates.

  3. On the SSL Certificates page, find the certificate that you want to manage and click Download in the Actions column.

  4. Find IIS in the Server Type column and click Download in the Actions column.

  5. Decompress the downloaded certificate package.

    The following table describes the files that you can extract from the package. The files vary based on the certificate signing request (CSR) generation method that you use when you submit the certificate application.

    Files extracted from the certificate package, by value of the CSR Generation parameter:

    Automatic

    • Certificate file in the PFX format: By default, the certificate file is named in the Certificate ID_Domain name bound to the certificate format.

    • Password file in the TXT format: By default, the password file is named in the Certificate format-password format.

      Important

      A new password file is generated each time you download a certificate. The password is valid only for the downloaded certificate.

    Manual

    • If you specify a CSR that is created in the Certificate Management Service console, the certificate file that is extracted from the downloaded certificate package is the same as the certificate file that is obtained when you set CSR Generation to Automatic.

    • If the specified CSR is not created in the Certificate Management Service console, only the PEM certificate file can be extracted from the downloaded certificate package. The password file or private key file cannot be extracted. You can use the certificate toolkit to convert your certificate file, password file, or private key file to the required format. For more information about how to convert certificate formats, see Convert the format of a certificate.

Step 2: Import the certificate

  1. Connect to the IIS server that runs Windows Server 2012 R2.

    If you use an Elastic Compute Service (ECS) instance, you can use multiple methods to connect to the ECS instance. For more information about the methods, see Connection methods.

  2. Upload the extracted files to the IIS server.

    Note

    You can upload the file by using the file upload feature of a remote logon tool, such as PuTTY, Xshell, and WinSCP. For more information about how to upload a file to an Alibaba Cloud Elastic Compute Service instance, see Upload files to or download files from a Windows instance or Upload a file to a Linux instance.

  3. Press Win+R to open the Run dialog box. Then, enter mmc and click OK.

  4. In the Microsoft Management Console (MMC), add the Certificates snap-in.

    1. In the top menu bar of the MMC, choose File > Add/Remove Snap-in.

    2. In the Add or Remove Snap-ins dialog box, select Certificates from the Available snap-ins section and click Add.

    3. In the Certificates snap-in dialog box, select Computer account and click Next.

    4. In the Select Computer dialog box, select Local computer: (the computer this console is running on) and click Finish.

    5. In the Add or Remove Snap-ins dialog box, click OK.

  5. In the left-side navigation pane of the MMC, choose Console Root > Certificates (Local Computer). Then, right-click Personal and choose All Tasks > Import.

  6. Follow the on-screen instructions to complete the certificate import wizard.

    1. Welcome to the Certificate Import Wizard: Click Next.

    2. File to Import: Click Browse, select the PFX certificate file, and then click Next.

      Before you can select the certificate file, you must set the file type to All Files (*.*).

    3. Private key protection: Open the TXT password file, copy its content and paste it into the Password field, and then click Next.

    4. Certificate Store: Select Automatically select the certificate store based on the type of certificate and click Next.

    5. Completing the Certificate Import Wizard: Click Finish.

    6. After the "The import was successful" message appears, click OK.

Step 3: Bind the certificate to a website

  1. Click the Start icon and click Server Manager.

  2. In the top menu bar, choose Tools > Internet Information Services (IIS) Manager.

  3. In the Connections navigation pane on the left side, click the server, click Sites, and then click your website. In the Actions section on the right side, click Bindings.

  4. In the Site Bindings dialog box, click Add.

  5. In the Add Website Binding dialog box, configure the parameters for your website and click OK.

    You can configure the parameters based on the following instructions:

    • Type: Select https.

    • IP address: Select the IP address of the server.

      Important

      If the certificate fails to be installed on the server because of the selected IP address, clear the IP address and try again.

    • Port: Retain the default value 443.

      Note

      If you specify a different port, users who want to access your website by using a browser must append the port number to the domain name of the website in the address bar. For example, if the domain name of your website is domain.com and you specify port 443, users can enter https://domain.com or https://domain.com:443 in the address bar to access the website. If you change the port to 8443, users must enter https://domain.com:8443 in the address bar to access the website.

    • Host name: Enter the domain name of your website.

    • SSL certificate: Select the certificate that you imported.

    After you configure the parameters, you can view the added binding of the https type in the Site Bindings dialog box.

  6. In the Site Bindings dialog box, click Close.
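
The import in Step 2 and the binding in Step 3 can also be scripted. The following PowerShell sketch is an added example, not part of the original procedure. The file paths and the site name are assumptions, and deleting the uploaded files after the import is an added hardening step. Run it in an elevated PowerShell session on the IIS server.

```powershell
# Added example. All values in this block are assumptions: adjust them to your environment.
Import-Module WebAdministration

$PfxPath  = 'C:\certs\example.pfx'         # hypothetical path of the uploaded PFX certificate file
$PwdPath  = 'C:\certs\pfx-password.txt'    # hypothetical path of the uploaded TXT password file
$SiteName = 'Default Web Site'             # assumed name of the IIS website
$HostName = 'domain.com'                   # domain name that is bound to the certificate

# Read the password from the TXT file instead of typing it on the command line.
$plain  = (Get-Content -Path $PwdPath -Raw).Trim()
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

# Cert:\LocalMachine\My is the Personal store of Certificates (Local Computer).
# -Exportable is omitted, so the private key cannot be exported from the store later.
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $secure |
    Where-Object { $_.HasPrivateKey } |
    Select-Object -First 1

# Stop before binding if the import did not produce a usable certificate.
if (-not $cert) { throw 'No certificate with a private key was imported.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "The certificate expired on $($cert.NotAfter)." }

# Add the https binding on port 443 and attach the imported certificate to it.
New-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# The private key now lives in the certificate store, so remove the copies on disk.
Remove-Item -Path $PwdPath, $PfxPath -Force
$plain = $null

Get-WebBinding -Name $SiteName -Protocol https
```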

Step 4: Check whether the certificate is installed

After you install a certificate, you can access the domain name that is bound to the certificate to verify whether the certificate is installed.

https://yourdomain   # Replace yourdomain with the domain name that is bound to your certificate.

If a lock icon appears in the address bar, the certificate is installed.
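
The lock icon only confirms that the browser accepted the certificate. The following PowerShell function is an added example, not part of the original topic. It performs the same validation from a script (trusted chain, matching host name, valid dates) and also reports which certificate the server presents and when it expires. The function name and the TLS 1.2 setting are assumptions.

```powershell
# Added example. Test-SiteCertificate is a hypothetical helper name, not a built-in cmdlet.
function Test-SiteCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,   # domain name bound to the certificate
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        # Without a custom callback, SslStream applies the default validation and
        # throws if the chain is untrusted, the name does not match, or the dates are invalid.
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Valid      = $true
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
            Detail     = 'Certificate chain and host name validated'
        }
    }
    catch {
        # Connection failures and validation failures both end up here.
        [pscustomobject]@{
            Valid      = $false
            Subject    = $null
            Thumbprint = $null
            NotAfter   = $null
            DaysLeft   = $null
            Detail     = $_.Exception.Message
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

# Replace domain.com with the domain name that is bound to your certificate.
Test-SiteCertificate -HostName 'domain.com'
```

Compare the reported Thumbprint with the certificate in the Personal store to confirm that the site serves the certificate you imported and not an older one.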
