Install SSL Certificates in a Windows Server

Overview

Before we learn how to install the SSL certificate, let's understand how the SSL certificate is important. SSL Certificates secures the application/website using Transport Layer Security (TLS) which is a network protocol that encrypts the data between the web server and the visitor(user). Nowadays most of the applications are using SSL, and you can confirm this every time when a website starts with “https:// “rather than “http://”. This indicates the website has securely encrypting data between you (visitor) and the server so that no cyber attackers can easily sniff the network packets and capture the confidential data.

SSL protects the web/application, it is utilized by almost every corporation and business and acts as the first step in user security. SSL is a way to protect logins and forms that users enter from being intercepted unknowingly by a 3rd party on your network.  If your application/website does not incorporate SSL, we suggest implementing it as soon as possible as it will add a security level, Here is the step by step guide from ManekTech on how to implement SSL it in your system.

Generating the Certificate Request (CSR)

Before installation you need to order the SSL, to order the SSL, you will need to create a certificate request from the certificate authority to issue an SSL.

Step 1: To begin, the first thing you need to do is login to your windows server and open IIS. If you do not have a shortcut for it, you can search it in your computer for inetmgr.exe or search IIS and open it and you will see the wizard below. From here you will click on your server name:

Step 2: Then double-click on “Server Certificates “on middle pane,

Step 3: Once you have done that, you are ready to create your certificate request.

On the right-hand side, select ‘Create Certificate Request ‘

At this point, you will be asked for information about the certificate and the company of requesting the certificate.

Once you filled the details asked, click Next. It will bring you to the following screen:

Step 4: We suggest using the settings above, to make sure the Bit Length is set to 2048 or higher. We have chosen 4096 and click Next. On the subsequent screen, you need to specify a filename where your Certificate Request or CSR can be exported. For easiness, we would like to export the CSR to C:\example.com.csr.txt

Order the SSL
At this point, you are ready to order your SSL certificate!

Step 1: Go ahead and go to your chosen SSL provider, whether it would be GeoTrust or GoDaddy, or any numerous other certificate authorities.

Step 2: When you are signing up for the SSL, it will ask you for the CSR data we saved at C:\example.com.csr.txt – Copy and paste the contents into the certificate authority’s website, and it will generate all the same fields we entered via the previous steps. (Confirm it once you reach at this step)

Step 3: Finish your order, and they will provide you with a .crt certificate file. Download this file and copy it to your web server. For coherence, copy it to C:\example.com.cer

In some cases of the SSL provider, they don’t include the private.key with the certificate so there will be two approaches as follow,
1. .Crt certificate file (private key included)
2. .Crt certificate file + private key

Congratulations! Now you have created a certificate request and successfully completed it with the certificate authority. you have your new SSL certificate ready to be installed.

As mentioned above, there are two scenarios of SSL certificate which we need to install on our server,

1. Certificate without Private Key

If the certificate does not hold the private key then we need to convert the crt to pfx file with private key. You need to install the openssl from the official website.

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile more.crt

Run above command in the root directory of the openssl as it will generate the pfx file. After generating the file, you can follow the below step to install the SSL.

2. Certificate with Private key

If the certificate holds the private key then it would be much easier to install by following below steps.

Installing the Certificate in IIS
Step 1: Open IIS/inetmgr.exe and navigate to the server as we did in the beginning.
Step 2: Navigate to Server Certificates. Now, instead of selecting ‘Create Certificate Request’ you will select ‘Complete Certificate Request ‘
Step 3: It will prompt you for the location of the new certificate, which we have saved at C:\example.com.cer and to make things easier on ourselves later, we would name the friendly name example.com-01 of the file so that we know this is the first SSL for this domain in case we want to renew it later. Once you hit OK, you should see your certificate in the list of server certificates in IIS.
Great! Now you have generated the certificate request, completed it, and installed your certificate on your web server. Now you need to bind the certificate to your website.

Binding the SSL Certificate to a Website
Step 1: In IIS, browse to Sites > example.com (where you want the SSL certificate installed).
Step 2: Right-click on your site and select ‘Edit Bindings‘ or if you click on the site, you will see Bindings on the right-hand side.
This will open a window that looks like the following:

Step 3: If you already have the https binding setup for your site, you will simply double-click on the https bindings and select the desired SSL certificate from the drop-down. If you haven’t created a https entry in your bindings yet, click “Add”. On the right-hand side and you will be able to see the following window:

Step 4: At the very First, set the Type to https so your website knows the request is for a secured URL. If you want to set the IP Address on your host. In my case, All Unassigned.
Port should be automatically set to 443, if not, do so. (This is the port defined for secured communications)

Step 5: Set the Host Name to example.com (your domain). In most cases, you will want to check Require Server Name Indication. In our case, we do not need it because this is the only certificate on this IP address. Select your SSL certificate from the drop-down!

Select OK and do it all again, this time instead of setting the hostname to example.com, you need to set it to www.example.com. As we only set it up for requests from https://example.com, but https://www.example won’t register as secured until we add the second binding entry.

If you are setting up a wildcard SSL, you will have to add a third entry for *.example.com so that it can be secure any subdomain of your website.

How to Test Your New SSL

First, you will have to access your domain at https://example.com and https://www.example.com to see if there are any errors. An easy way to check,  if the certificate is functioning properly in the input and your domain into SSL Shopper then it is successfully implemented. Try it with and without the “www” to confirm the both URLs.

If everything is working, you should see several green checks and no errors. The certificate expiration date will be at least one year from the day you ordered the SSL originally.

That’s it! You have successfully installed a brand-new SSL for your website that works both with www and without it. Congratulations! Now you can follow these steps to secure all your websites and applications and make your platform secure from various cyber-attacks like Eavesdropping, Phishing, Malware etc.

For Dedicated Servers & Cloud Servers running Windows. Learn how to install the SSL Starter Wildcard certificate provided by Manektech on a Windows server.