Certificate Management Service:Install SSL certificates on IIS servers

Step 1: Download the certificate

1. Log on to the Certificate Management Service console.

2. In the left-side navigation pane, click SSL Certificates.

3. On the Log on to the Certificate Management Service console. page, find the certificate that you want to manage and click Download in the Actions column.

4. Find IIS in the Server Type column and click Download in the Actions column.

   

5. Decompress the downloaded certificate package.

   The following table describes the files that you can extract from the package. The files vary based on the CSR generation method that you use when you submit the certificate application.

   Value of the CSR Generation parameter	File extracted from the certificate package
   Automatic	Certificate file in the PFX format: By default, the certificate file is named in the Certificate ID_Domain name bound to the certificate format. Password file in the TXT format: By default, the password file is named in the Certificate format-password format. Important A new password file is generated each time you download a certificate. The password is valid only for the downloaded certificate.
   Manual	If you specify a CSR that is created in the Certificate Management Service console, the certificate file that is extracted from the downloaded certificate package is the same as the certificate file that is obtained in scenarios when you set CSR Generation to Automatic. If the specified CSR is not created in the Certificate Management Service console, only the PEM certificate file can be extracted from the downloaded certificate package. The password file or private key file cannot be extracted. You can use the certificate toolkit to convert your certificate file, password file, or private key file to the required format. For more information about how to convert certificate formats, see Convert the format of a certificate.

Step 2: Import the certificate

1. Connect to the IIS server that runs Windows Server 2012 R2.

   If you use an Elastic Compute Service (ECS) instance, you can use multiple methods to connect to the ECS instance. For more information about the methods, see Connection methods.

2. Upload the extracted files to the IIS server.

   Note

   You can upload the file by using the file upload feature of a remote logon tool, such as PuTTY, Xshell, and WinSCP. For more information about how to upload a file to an Alibaba Cloud Elastic Compute Service instance, see Use mstsc.exe to upload a file to a Windows instance or Upload a file to a Linux instance.

3. Press Win+R to open the Run dialog box. Then, enter mmc and click OK.

4. In the Microsoft Management Console (MMC), add the Certificates snap-in.

   1. In the top menu bar of the MMC, choose File > Add/Remove Snap-in.

   2. In the Add or Remove Snap-ins dialog box, select Certificates from the Available snap-ins section and click Add.

   3. In the Certificates snap-in dialog box, select Computer account and click Next.

   4. In the Select Computer dialog box, select Local computer: (the computer this console is running on) and click Finish.

   5. In the Add or Remove Snap-ins dialog box, click OK.

5. In the left-side navigation pane of the MMC, choose Console Root > Certificates (Local Computer). Then, right-click Personal and choose All Tasks > Import.

6. Follow the on-screen instructions to complete the certificate import wizard.

   1. Welcome to the Certificate Import Wizard: Click Next.

   2. File to Import: Click Browse, select the PFX certificate file, and then click Next.

      Before you can select the certificate file, you must set the file type to All Files (*.*).

      

      

   3. Private key protection: Open the TXT password file, copy and paste the content in the Password field, and then click Next.

   4. Certificate Store: Select Automatically select the certificate store based on the type of certificate and click Next.

   5. Completing the Certificate Import Wizard: Click Finish.

   6. After the The import was successful message appears, click OK.

Step 3: Bind the certificate to a website

1. Click the icon and click Server Manager.

2. In the top menu bar, choose Tools > Internet Information Services (IIS) Manager.

3. In the Connections navigation pane on the left side, click the server, click Sites, and then click your website. In the Actions section on the right side, click Bindings.

   

4. In the Site Bindings dialog box, click Add.

5. In the Add Website Binding dialog box, configure the parameters for your website and click OK.

   You can configure the parameters based on the following instructions:

   • Type: Select https.

   • IP address: Select the IP address of the server.

     Important

     If the certificate fails to be installed on the server because of the selected IP address, clear the IP address and try again.

   • Port: Retain the default value 443.

     Note

     If you specify a different port, users who want to access your website by using a browser must append the port number to the domain name of the website in the address bar. For example, if the domain name of your website is domain.com and you specify port 443, users can enter https://domain.com or https://domain.com:443 in the address bar to access the website. If you change the port to 8443, users must enter https://domain.com:8443 in the address bar to access the website.

   • Host name: Enter the domain name of your website.

   • SSL certificate: Select the certificate that you import.

   After you configure the parameters, you can view the added binding of the https type in the Site Bindings dialog box.

6. In the Site Bindings dialog box, click Close.

Step 4: Check whether the certificate is installed

https://yourdomain   # Replace yourdomain with the domain name that is bound to your certificate.

If a lock icon appears in the address bar, the certificate is installed.