You can install a Secure Sockets Layer (SSL) certificate on an Internet Information Services (IIS) server. This way, web services can be accessed over HTTPS. This topic describes how to install an SSL certificate on an IIS server. In this example, an SSL certificate is installed on a server that runs Windows Server 2012 R2 and is installed with IIS 8.

Prerequisites

  • The type of your web server is IIS.

    If you use other types of web servers, install certificates in the required format based on the type of your web server. For more information, see Install the certificate on your web server.

  • A certificate application is submitted, and an SSL certificate is issued by a certificate authority.

    For more information about how to submit a certificate application, see Apply for a certificate.

Procedure

  1. Connect to the server.
    For more information about how to connect to a server, such as an Elastic Compute Service (ECS) instance, see Connection methodsGuidelines on instance connection.
  2. Download the issued SSL certificate for IIS to the server.
    Note You can also download the SSL certificate for IIS to a computer and upload the downloaded certificate to the server.
    1. Log on to the SSL Certificates Service console.
    2. In the left-side navigation pane, click SSL Certificates Service.
    3. Find the issued SSL certificate and click Download in the Actions column.
    4. In the Download Certificate panel, find IIS and click Download in the Actions column. Download Certificate
      A certificate package for IIS is automatically downloaded to the default download directory of the current browser.
    5. Decompress the downloaded certificate package for IIS.
      The following table describes the files that are extracted from the package based on the CSR Generation parameter that you set when you apply for a certificate. For more information about certificate signing requests (CSRs), see Required information for certificate application. CSR Generation
      Value of the CSR Generation parameter File extracted from the certificate package
      Automatic The following two files are extracted from the package:
      • Certificate file in the PFX format: The certificate file is named in the format of Certificate ID_Domain name bound to the certificate.
      • Private key file in the TXT format: The file name is pfx-password, and the content is the private key of the certificate.
        Notice A new private key file is generated each time you download the certificate. The private key is valid only for the downloaded certificate.
      Manual Only a certificate file in the PEM format is extracted, as shown in the following figure. The certificate is named in the format of Certificate ID_Domain name bound to the certificate.pem.
  3. If the certificate file that you obtain in the previous step is in the PEM format, you must convert the certificate file to the PFX format. If you choose to manually generate a CSR, you also need to convert the private key file to the PFX format. If you obtain a certificate file in the PFX format, skip this step.
    You can use the OpenSSL tool to convert the certificate format. For more information, see Certificate format conversion.
  4. Import the certificate file to the server.
    1. Double-click the certificate file in the PFX format to open the Certificate Import Wizard.
    2. Set the Storage Location parameter to Local Machine and click Next. Certificate Import Wizard-Storage Location
    3. Confirm the name of the imported certificate file and click Next. The file name is automatically entered and you do not need to modify the File name parameter. Certificate Import Wizard-File Name
    4. Set the Password parameter and click Next.
      You can open the pfx-password file and obtain the private key. Certificate Import Wizard-Password
    5. Retain the default value Automatically select the certificate store based on the type of certificate for the Certificate Store parameter. Then, click Next. Certificate Import Wizard-Certificate Store
    6. Click Finish to import the certificate. Certificate Import Wizard-Finish
    7. If the The import was successful message appears, click OK. Certificate Import Wizard-Import Successful
  5. Bind a certificate to a website by using IIS Manager.
    1. Open IIS Manager and go to the homepage of the website.
    2. In the right-side Actions pane, click Bindings. Bind
    3. In the Site Bindings dialog box, click Add. Site Bindings-Add
    4. In the Add Site Binding dialog box, set the parameters related to the website and click OK.
      Add Site BindingSet the following parameters:
      • Type: Select https.
      • IP Address: Select the IP address of the server.
      • Port: Retain the default value 443.
        Note If you specify another port, such as 8443, the users that want to access the website must enter a port number after the domain name in the address bar of a browser. For example, if you specify port 8443, the users must enter an address in the format of https://doman_name:8443 in the address bar to access the website. If you use the default port 443, the website users can enter an address in the format of https://doman_name in the address bar of a browser to access the website.
      • Host name: Enter the domain name of the website.
      • SSL certificate: Select the imported certificate. In this example, select alias.
        alias is a user-friendly name for SSL Certificates Service. If you have imported multiple SSL certificates, click Select. In the Select Certificate dialog box, search for the certificate by domain name. Select a certificate
      After you set the parameters, you can view the added website binding of the https type in the Site Bindings dialog box. Site Bindings-https
    5. In the Site Bindings dialog box, click Close.
  6. Open a browser on your computer and enter an address in the format of https://doman_name in the address bar to check whether the certificate is installed on the IIS server.
    If you receive a response and the Lock icon icon appears in the front of the address bar, as shown in the following figure, a connection over HTTPS is established and the certificate is installed. Lock icon