Generate Private Key Ssl Certificate Iis


In the left Connections menu, select the server name (host) where you want to create the certificate request for Microsoft IIS. Click the server name and, from the centre menu, double-click the “Server Certificates” button in the “Security” section. The private key is generated along with your Certificate Signing Request (CSR). The CSR is submitted to the certificate authority right after you activate your certificate, while the private key must be kept safe and secret on your server or device. Later on, this key is used for installation of your certificate.

  • Once you have the new CSR, submit it to your CA in order to have them issue a new cert that will match the proper private key in IIS. Once you receive the new cert file, use the 'Import' function on the utility to load the cert file on your local MMC. Final step is binding the SSL cert to the site's port 443 connection in the IIS console.
  • Windows servers use .pfx/.p12 files to contain the public key file (SSL Certificate) and its unique private key file. The Certificate Authority (CA) provides you with your SSL Certificate (public key file). You use your server to generate the associated private key file where the CSR was created. You need both the public.
  • On modern versions of IIS, start the IIS Manager console, click your server in the left pane, then double click 'Server Certificates' in the right pane. Now you'll notice in the far right pane, you have an option to 'Create Certificate Request' and 'Complete Certificate Request'.

Purpose: Recovering a missing private key in IIS environment.
For Microsoft IIS 8
Cause:
Entrust SSL certificates do not include a private key. The private key resides on the server that generated the Certificate Signing Request (CSR). When installed correctly, the Server Certificate will match up with the private key as displayed below:

If the private key is missing, the circled message indicating a good correspondence with private key will be missing as shown here:

A missing private key could mean:

  • The certificate is not being installed on the same server that generated the CSR.
  • The pending request was deleted from IIS.
  • The certificate was installed through the Certificate Import Wizard rather than through IIS.

In this technote we do not discuss how to determine the reason the private key is missing. Select the link corresponding to each reason listed above for more information.

There are three parts to this solution:
1) Snap-In Configuration
2) Import the Server Certificate
3) Recover the private key

Use the following steps to add the Certificates snap-in:

1. Click Start, and then search for Run.
2. Type in mmc and click OK.
3. From the File menu, choose Add/Remove Snap-in.
4. Select Certificates and then Add.

5. Choose the Computer account option and click Next.
6. Select Local Computer and then click Finish.
7. Click Close, and then click OK. The snap-in for Certificates (Local Computer) appears in the console.

Use the following steps to import your Server Certificate into the Personal certificate store. If the Server Certificate has already been imported into the Personal store, you may skip this step.
From the MMC console opened in the above steps:
1. Expand the Certificates (Local Computer) tree in the left preview panel.
2. Right-click Personal and select All Tasks > Import.

3. The Certificate Import Wizard appears. Click Next.
4. Browse to the location of your Server Certificate file and click Next.

5. Select Place all certificates in the following store and click Next.
6. Click Finish to complete the Certificate Import Wizard.

7. A dialog box appears indicating the import was successful. Click OK.


Use the following steps to recover your private key using the certutil command.
1. Locate your Server Certificate file by opening Microsoft Internet Information Services Manager, then on the right side select Tools > Internet Information Services (IIS) Manager.


2. Once in IIS Manager, select your server, then on the right side, Server Certificates. You will see all certificates currently on that server. Scroll over the certificate you are trying to install, right click, then select View.

3. There, you can view the certificate information. As you can see, there is no indication of a good correspondence with the private key.
4. Click the Details tab. Write down the serial number of the certificate.

5. We need to recover the private key from a command prompt running as an administrator. To do so, click Start, then open All Apps. Under Windows System, find Command Prompt. Right-click Command Prompt and then select Run as administrator. Confirm the action and continue.
6. Make sure you are on the right directory in command prompt.
e.g., if your server directory is “c:/users/srv2012_r2_std_x64”, on the command line type “cd c:/users/srv2012_r2_std_x64”. Note that “cd” is the command used to change directories in command prompt.
7. Now that we are in the right place, enter the following command at the prompt: certutil -repairstore my <serial number> where <serial number> is the serial number obtained in Step 2 with spaces removed.


8. If Windows is able to recover the private key, you see the message:
CertUtil: -repairstore command completed successfully.


If your private key was recovered successfully, your Server Certificate installation is complete.
If the private key was not recovered successfully, you will need to generate a new Certificate Signing Request and submit it to Entrust Datacard to have your certificate re-issued, or re-issue the certificate using your ECS Enterprise account.
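
The check and the repair from the steps above can also be scripted. The following PowerShell is an added example, not part of the original technote; it assumes an elevated session, and the function names Get-CertWithoutPrivateKey and Repair-MissingPrivateKey are hypothetical.

```powershell
# Added example (not from the original technote). Run in an elevated session.
# Lists certificates in the Local Computer "Personal" (My) store that have no
# associated private key, then runs the same certutil repair as step 7.
function Get-CertWithoutPrivateKey {
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { -not $_.HasPrivateKey } |
        Select-Object Subject, SerialNumber, Thumbprint, NotAfter
}

function Repair-MissingPrivateKey {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Serial number as shown on the Details tab; spaces are stripped here.
        [Parameter(Mandatory)][string]$SerialNumber
    )
    $serial = ($SerialNumber -replace '\s', '').ToUpperInvariant()
    if ($serial -notmatch '^[0-9A-F]+$') {
        throw "Serial number must be hexadecimal: '$SerialNumber'"
    }
    $find = { Get-ChildItem Cert:\LocalMachine\My |
              Where-Object { $_.SerialNumber -eq $serial } |
              Select-Object -First 1 }
    $cert = & $find
    if (-not $cert) {
        throw "No certificate with serial $serial in LocalMachine\My. Import it first."
    }
    if ($cert.HasPrivateKey) {
        Write-Verbose "Certificate $serial already has a private key."
        return $true
    }
    if ($PSCmdlet.ShouldProcess($serial, 'certutil -repairstore my')) {
        certutil.exe -repairstore my $serial | Out-Host
        if ($LASTEXITCODE -ne 0) { return $false }
    }
    # Re-read the store: HasPrivateKey is the scripted equivalent of the
    # private key message in the certificate viewer.
    return [bool](& $find).HasPrivateKey
}

Get-CertWithoutPrivateKey | Format-Table -AutoSize
# Repair-MissingPrivateKey -SerialNumber '<serial number>' -WhatIf
```

A return value of False after the repair means the key is not on this server, which leads to the re-issue path described above.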

Check that your Certificate has been successfully installed by testing it on the Entrust SSL Install Checker.
If you have any questions or concerns please contact the Entrust Certificate Services Support department for further assistance:

Hours of Operation:
Sunday 8:00 PM ET to Friday 8:00 PM ET
North America (toll free): 1-866-267-9297
Outside North America: 1-613-270-2680 (or see the list below)

NOTE: It is very important that international callers dial the UITF format exactly as indicated. Do not dial an extra '1' before the '800' or your call will not be accepted as an UITF toll free call.

Country: Number
Australia: 0011 - 800-3687-7863; 1-800-767-513
Austria: 00 - 800-3687-7863
Belgium: 00 - 800-3687-7863
Denmark: 00 - 800-3687-7863
Finland: 990 - 800-3687-7863 (Telecom Finland); 00 - 800-3687-7863 (Finnet)
France: 00 - 800-3687-7863
Germany: 00 - 800-3687-7863
Hong Kong: 001 - 800-3687-7863 (Voice); 002 - 800-3687-7863 (Fax)
Ireland: 00 - 800-3687-7863
Israel: 014 - 800-3687-7863
Italy: 00 - 800-3687-7863
Japan: 001 - 800-3687-7863 (KDD); 004 - 800-3687-7863 (ITJ); 0061 - 800-3687-7863 (IDC)
Korea: 001 - 800-3687-7863 (Korea Telecom); 002 - 800-3687-7863 (Dacom)
Malaysia: 00 - 800-3687-7863
Netherlands: 00 - 800-3687-7863
New Zealand: 00 - 800-3687-7863; 0800-4413101
Norway: 00 - 800-3687-7863
Singapore: 001 - 800-3687-7863
Spain: 00 - 800-3687-7863
Sweden: 00 - 800-3687-7863 (Telia); 00 - 800-3687-7863 (Tele2)
Switzerland: 00 - 800-3687-7863
Taiwan: 00 - 800-3687-7863
United Kingdom: 00 - 800-3687-7863; 0800 121 6078; +44 (0) 118 953 3088

SSL is an essential part of securing your IIS 7.0 site and creating a self-signed certificate in IIS 7 is much easier to do than in previous versions of IIS. SSL certificates enable the encryption of all traffic sent to and from your IIS web site, preventing others from viewing sensitive information. It uses public key cryptography to establish a secure connection. This means that anything encrypted with a public key (the SSL certificate) can only be decrypted with the private key and vice versa.

When to Use an IIS Self Signed Certificate


An SSL certificate has multiple purposes: distributing the public key and, when signed by a trusted third-party, verifying the identity of the server so clients know they aren’t sending their information (encrypted or not) to the wrong person. A self signed certificate is a certificate that is signed by itself rather than a trusted third party. This means you can't verify that you are connecting to the right server because any attacker can create a self signed certificate and launch a man-in-the-middle attack. Because of this, you should almost never use a self signed certificate on a public IIS server that requires anonymous visitors to connect to your site. However, self signed certificates can be appropriate in certain situations:

  • Self signed certificates can be used on an intranet. When clients only have to go through a local intranet to get to the server, there is virtually no chance of a man-in-the-middle attack.
  • Self signed certificates can be used on an IIS development server. There is no need to spend extra cash buying a trusted certificate when you are just developing or testing an application.
  • Self signed certificates can be used on personal sites with few visitors. If you have a small personal site that transfers non-critical information, there is very little incentive for someone to attack the connection.

Just keep in mind that visitors will see a warning in their browsers (like the one below) when connecting to an IIS site that uses a self signed certificate until it is permanently stored in their certificate store. Never use a self signed certificate on an e-commerce site or any site that transfers valuable personal information like credit cards, social security numbers, etc.

Generate Your IIS Self Signed Certificate

Now you know when to use an IIS self signed certificate and when not to. Now let’s create one:

  1. Click on the Start menu, go to Administrative Tools, and click on Internet Information Services (IIS) Manager.
  2. Click on the name of the server in the Connections column on the left. Double-click on Server Certificates.
  3. In the Actions column on the right, click on Create Self-Signed Certificate...
  4. Enter any friendly name and then click OK.
  5. You will now have an IIS Self Signed Certificate valid for 1 year listed under Server Certificates. The certificate common name (Issued To) is the server name. Now we just need to bind the Self signed certificate to the IIS site.


Bind the Self Signed Certificate

  1. In the Connections column on the left, expand the sites folder and click on the website that you want to bind the certificate to. Click on Bindings... in the right column.
  2. Click on the Add... button.
  3. Change the Type to https and then select the SSL certificate that you just installed. Click OK.
  4. You will now see the binding for port 443 listed. Click Close.
  5. Now let's test the IIS self signed certificate by going to the site with https in our browser (e.g. https://site1.mydomain.com). When you do, you should see the following warning stating that 'The security certificate presented by this website was issued for a different website's address' (a name mismatch error).

    This is displayed because IIS always uses the server's name (in this case WIN-PABODPHV6W3) as the common name when it creates a self signed certificate. This typically doesn't match the hostname that you use to access the site in your browser (site1.mydomain.com). For many situations where IIS self signed certificates are used, this isn't a problem. Just click 'Continue to this web site' each time. However, if you want to completely get rid of the error messages, you'll need to follow the next two steps below.

Generate a Self Signed Certificate with the Correct Common Name

This step is only required if you want to get rid of the warning message displayed because the common name on the self signed certificate doesn't match the website's hostname. In order to resolve this problem, we'll need to create the self signed certificate using the same method that is used to create a self signed certificate in IIS 6.0 (with SelfSSL instead of through IIS).

  1. Download the Internet Information Services (IIS) 6.0 Resource Kit Tools and install SelfSSL 1.0 (if you do a Custom install you can uncheck everything except for SelfSSL). Once it is installed, click on the Start menu, go to IIS Resources, then SelfSSL, and run SelfSSL.
  2. Paste in the following command and replace site1.mydomain.com with the hostname of your IIS site. If you receive the error 'Error opening metabase: 0x80040154', just ignore it. We will be manually binding the certificate to the website.
    SelfSSL /N:CN=site1.mydomain.com /V:1000
  3. After the command is finished, you will have an IIS self signed certificate with the correct common name listed in the Server Certificates section of IIS. Now follow the instructions above to bind the certificate to your IIS website.
  4. After you have bound the new certificate to your IIS site, visit it with https in your web browser and you will encounter another error: 'The security certificate presented by this website was not issued by a trusted certificate authority.' (the SSL Certificate Not Trusted error). Don't worry; this is the last error we will need to fix. This is a normal error for self signed certificates because the certificate is signed by itself instead of a trusted SSL provider. All visitors to the site will see that error unless they import the self-signed certificate into their Trusted Root Certification Authorities store (or the appropriate SSL certificate store for the browser they are using). You can easily add the IIS self signed certificate to the store on the server by following the instructions below. If you need to import the certificate on another Windows machine, just follow the instructions on how to Move or copy an SSL certificate from a Windows server.

Add the Self Signed Certificate to Trusted Root Certificate Authorities

  1. Click on the Start menu and click Run.
  2. Type in mmc and click OK.
  3. Click on the File menu and click Add/Remove Snap-in...
  4. Double-click on Certificates.
  5. Click on Computer Account and click Next.
  6. Leave Local Computer selected and click Finish.
  7. Expand the Certificates item on the left and expand the Personal folder. Click on the Certificates folder and right-click on the self signed certificate that you just created and select Copy.
  8. Expand the Trusted Root Certification Authorities folder and click the Certificates folder underneath it. Right-click in the white area below the certificates and click Paste.
  9. Now you can visit your site with https in your web browser and you shouldn't receive any errors because Windows will now automatically trust your IIS self signed certificate.
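
The three procedures above (certificate with the correct common name, https binding, trusted root) can be done in one elevated PowerShell session. This is an added example, not from the original article: it uses the New-SelfSignedCertificate cmdlet (Windows Server 2012 and later) in place of SelfSSL, and the site name 'Default Web Site' is an assumption.

```powershell
# Added example (not from the original article). Elevated session; requires the
# IIS WebAdministration module. New-SelfSignedCertificate replaces SelfSSL here.
Import-Module WebAdministration

$hostName = 'site1.mydomain.com'   # hostname used in the article
$siteName = 'Default Web Site'     # assumption: name of the IIS site to bind

# 1. Create the certificate with the site's hostname as subject and SAN,
#    so the browser's name check passes.
$cert = New-SelfSignedCertificate -DnsName $hostName `
            -CertStoreLocation Cert:\LocalMachine\My

# 2. Add an https binding on port 443 (if missing) and attach the certificate.
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*'
}
(Get-WebBinding -Name $siteName -Protocol https -Port 443).AddSslCertificate(
    $cert.Thumbprint, 'My')

# 3. Trust it on this machine: export the public certificate only (no private
#    key) and import that file into Trusted Root Certification Authorities.
$cerPath = Join-Path $env:TEMP "$hostName.cer"
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root |
    Out-Null
Remove-Item $cerPath

# 4. Verify: subject matches the hostname, the private key is present, and
#    the thumbprint now appears in the Root store.
[pscustomobject]@{
    Subject       = $cert.Subject
    HasPrivateKey = $cert.HasPrivateKey
    TrustedRoot   = Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
    NotAfter      = $cert.NotAfter
}
```

Other machines that need to trust the site only need the exported .cer file; the private key stays on the server.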


Originally posted on Sat Oct 23, 2010