Certificate Management Service:Install SSL certificates on IIS servers

Step 1: Download the certificate to the IIS server

1. Connect to the server that runs Windows Server 2012 R2.
   If you use an ECS instance, you can use multiple methods to connect to the ECS instance. For more information about the methods, see Connection methods.
2. Download the certificate to the server.
   Note You can download the certificate to a computer and upload the downloaded certificate to the server.
   1. Log on to the Certificate Management Service console.
   2. In the left-side navigation pane, click SSL Certificates.
   3. Find the certificate that you want to download and click Download in the Actions column.
   4. In the Download Certificate panel, find IIS and click Download in the Actions column.
      A certificate package for IIS is automatically downloaded to the default download directory of the current browser.
   5. Decompress the certificate package that you download.
      The following table describes the files that you can extract from the package. The files vary based on the value of the CSR Generation parameter that you specify when you apply for a certificate.

      Value of the CSR Generation parameter	File extracted from the certificate package
      Automatic or Select Existing CSR	The following files can be extracted: Certificate file in the PFX format: The certificate file is named in the format of Certificate ID_Domain name bound to the certificate. Password file in the TXT format: The password file is named pfx-password and contains the password of the certificate. Important A new password file is generated each time you download a certificate. The password is valid only for the downloaded certificate.
      Manual	Only a certificate file in the PEM format can be extracted. The certificate file is named in the format of Certificate ID_Domain name bound to the certificate.pem.

3. If the certificate file that you extract is in the PEM format, convert the certificate file and your private key file that is generated when you manually create the CSR file to generate a PFX certificate. For more information about how to convert certificate formats, see Convert the format of a certificate.

Step 2: Import the certificate

1. Connect to the server and press Win+R to open the Run dialog box.
2. Enter mmc and click OK. The Microsoft Management Console (MMC) appears.
3. Add a certificate snap-in to your computer.
   1. In the top menu bar of the MMC, choose File > Add/Remove Snap In.
   2. In the Add or Remove Snap-ins dialog box, select Certificates from the Available snap-ins section and click Add.
   3. In the Certificates snap-in dialog box, select Computer account and click Next.
   4. In the Select Computer dialog box, select Local computer: (the computer this console is running on) and click Finish.
   5. In the Add or Remove Snap-ins dialog box, click OK.
4. In the left-side navigation pane of the MMC, choose Console Root > Certificates (Local Computer). Then, right-click Personal and choose All Tasks > Import.
5. Complete the certificate import wizard by following the on-screen instructions.
   1. Welcome to the Certificate Import Wizard: Click Next.
   2. Files to Import: Click Browse, select the PFX certificate file, and then click Next.
      Warning Before you can select the certificate file, you must set the file type to All Files (*.*).

      
   3. Private key protection: Open the password file in the TXT format, copy the file content, paste the content in the Password field, and then click Next.
   4. Certificate Store: Select Automatically select the certificate store based on the type of certificate and click Next.
   5. Completing the Certificate Import Wizard: Click Finish.
   6. After the The import was successful message appears, click OK.

Step 3: Bind the certificate to a website

1. Open IIS Manager.
2. In the Connections navigation pane, expand the server, click Sites, and then click the domain name that you want to use.
3. In the Actions pane, click Bindings.
4. In the Site Bindings dialog box, click Add.
5. In the Add Site Binding dialog box, configure the parameters for the website and click OK.
   Configure the following parameters:

   • Type: Select https.
   • IP address: Select the IP address of the server.
     Important If the certificate fails to be installed on the server because of the selected IP address, clear the IP address and try again.
   • Port: Retain the default value 443.
     Note If you specify another port, such as 8443, the users who want to access the website must enter the port number and the domain name in the https://Domain name:Port number format in the address bar of a browser. For example, if you specify port 8443, the users must enter https://domain_name:8443 in the address bar to access the website. If you use the default port 443, the users need to only enter https://domain_name in the address bar of a browser to access the website.
   • Host name: Enter the domain name of the website.
   • SSL certificate: Select the name of the certificate that you import.

     If multiple certificates are imported, click Select. In the Select Certificate dialog box, search for the certificate that you want to bind by domain name.

   After you configure the parameters, you can view the added binding of the https type in the Site Bindings dialog box.
6. In the Site Bindings dialog box, click Close.

Step 4: Verify that the certificate is installed on the IIS server

Open a browser on your computer. In the address bar, enter a domain name that is bound to the certificate to check whether the certificate is installed on the IIS server.

If you receive a response and the icon appears at the start position of the address bar, an HTTPS connection is established, and the certificate is installed.