SSL related


New update:

You can use startssl: to get cheap/free certs. Need an actual passport to sign up.


Requesting and installing a certificate from a provider

Step 1:

How do I generate a CSR on Microsoft IIS 7.0? 

On the root note in IIS 7, click Server Certificates icon. Right click the blank space, click Create Certificate Request.


Tab 1

Common Name - The name through which the certificate will be accessed (usually the fully-qualified domain name, e.g., or For a wildcard certificate this should start be *

Organization - The legally registered name of your organization/company.

Organizational unit - The name of your department within the organization (frequently this entry will be listed as "IT," "Web Security," or is simply left blank).

City/locality - The city in which your organization is located.

State/province - The state in which your organization is located.

Country/region - If needed


Tab 2

Crypto - Microsoft RSA is fine for crypto provider

Bit Length - I think generally 2048 is fine (Note For EV SSL it must be minimum of 2048 as the bit length). You may be able to go with a higher bit length but I don't know - could research this.


Step 2:

Buying the certificate - which certicate to buy?

Generally just get the cheapest you can. Generally best to go with standard rather than any enhanced bollocks. Always advise clients to get the longest term available (eg 5 years) as otherwise there is the risk of certificates expiring and leaving the site insecure (which is a very bad look), and every renewal involves generating new CSRs and mucking around.


"EV" - costs a lot extra but it provides the green bar on the browser, which may be worthwhile if you want to spend money to get the best available. However, I think it involves some mucking round on server installation as well as checking of organisation. Not generally worth paying extra for in my opinion.


Extended Validation (EV) Certificates provide the best Internet Data Encryption and Identity Assurance available. Before any EV SSL Certificate can be issued, Comodo (the certification authority) must independently obtain and validate information about the organization that requires the certificate, including verification of the physical address and registered business identity


Comodo Positive SSL

Comodo are currently selling a basic certificate for US$49 per year, which seems to be the cheapest currently and just as good as any other secure certificate. This is what we recommend.


Currently there is a free upgrade to EV, which sounds really good, and if you really want a green bar you can get it. However it does take extra paperwork, time and installation cost. 


If telling client to purchase:

- Paste in the CSR

- Select IIS7 as the server

- Select 5 years or maximum validity period

- Any free offers might be good, but they will mean dozens of extra emails which will be confusing and will involve extra time to apply and install (eg putting extra logos or script on website). Best not to tick anything...!


Step 3:

How to install an SSL certificate for Microsoft IIS 7?

In summary:

1) On the root note in IIS 7, click Server Certificates icon. Right click the blank space, click Complete Certificate Request. Locate the file containing the certificate - note that although this defaults to .cer it can be any type of file (comodo supplies .crt files and rapidSSL supplies raw text).

2) Set up SSL in host headers. Go to the site, click Bindings, and add a host header for HTTPS. This is where you select the certificate. When renewing a certificate you still have to go into this and select the new certificate.

3) It should now be all set up! Test the site by changing the http to https.


Step 4:


You should do an export of a certificate once it's installed, then back up the resulting file. If something catastrophic happens to the server it can be restored. 




Installing a wildcard certificate on a server and using it on multiple sites

Install the certificate as a "Personal" certificate in MMC (see this article for a similar method: - just put it in Personal rather than Trusted Root)

Go into IIS, properties, Directory Security and Server Certificate. Choose "Available Certificates" and choose the wildcard certificate that you installed above through MMC (it should be in the list of available certs)

After installing the "available" certificate for two or more sites you will see that sites after the first one will not start and you will be shown an error saying that port 443 is already in use.

To fix this, do the following:

Open a command prompt and type the following


cd "C:\Inetpub\AdminScripts"

cscript.exe adsutil.vbs set /w3svc//SecureBindings "


Note: for the second command you need to find the site identifier (is a number in a column in IIS) and also change "" to whatever your domain name is.




Installing a certificate from a backup (pfx) file


follow this guide:


How do I move a certificate from Microsoft IIS 7.0 to Microsoft IIS 7.0


Here are the steps to export a copy of your certificate and private key from IIS7:

   1. Start > Run
   2. Type in MMC and click OK
   3. Go into the File Tab > select Add/Remove Snap-in
   4. Click on Certificates and click on Add.
   5. Select Computer Account > Click Next
   6. Select Local Computer > Click Finish
   7. Click OK to close the Add/Remove Snap-in window.
   8. Double click on Certificates (Local Computer) in the center window.
   9. Double click on the Personal folder, and then on Certificates.
  10. Right Click on the Certificate you would like to backup and choose > ALL TASKS > Export
  11. Follow the Certificate Export Wizard to backup your certificate to a .pfx file.
  12. Choose to 'Yes, export the private key'
  13. Choose to "Include all certificates in certificate path if possible." (do NOT select the delete Private Key option)
  14. Enter a password you will remember
  15. Choose to save file on a set location
  16. Finish
  17. You will receive a message > "The export was successful." > Click OK
  18. The .pfx file backup is now saved in the location you selected.

Here are the steps to import the PFX file on the second IIS7 server:

   1. Start > Run
   2. Type in MMC and click OK
   3. Go into the File Tab > select Add/Remove Snap-in
   4. Click on Certificates and click on Add.
   5. Select Computer Account > Click Next
   6. Select Local Computer > Click Finish
   7. Click OK to close the Add/Remove Snap-in window.
   8. Double click on Certificates (Local Computer) in the center window.
   9. Right click on the Personal Certificates Store (folder)
  10. Choose > ALL TASKS > Import
  11. Follow the Certificate Import Wizard to import your Primary Certificate from the .pfx file. You will need to browse for .pfx files.
  12. Enter the password that was used when exporting the certificate to a .pfx file.
  13. If desired, check the box to "Mark this key as exportable."
  14. When prompted, choose to automatically place the certificates in the certificate stores based on the type of the certificate.
  15. Click Finish to close the certificate wizard.
  16. Close the MMC console. In the case that you are prompted, it is not necessary to save the changes made to the MMC console.

Here are the steps to configure your site in IIS 7

   1. Click on Start, then Administrative Tools, then Internet Information Services (IIS) Manager.
   2. Click on the server name.
   3. Expand the Sites folder.
   4. Select the site to be secured (usually the default web site).
   5. From the "Actions" menu (on the right), click on "Bindings..." under Edit Site.
   6. In the "Site Bindings" window, click "Add..." This will open the "Add Site Binding" window.
   7. Under "Type" choose https. The IP address should be the IP address of the site or All Unassigned, and the port over which traffic will be secured by SSL is usually 443. The "SSL   Certificate" field should specify the certificate that was installed during the import process described above.
   8. Click "OK."
   9. Your SSL certificate is now installed, and the website configured to accept secure connections.

Occassionally a server or IIS restart is required before your server will recognize the new certificate




Installing a certificate from a PEM file sent from a 3rd party


You can tell you've got a PEM file if you open it up in Notepad and you can see "-----BEGIN CERTIFICATE-----", "INTERMEDIATE CA:" and "-----BEGIN RSA PRIVATE KEY-----"

For more information on certificate file formats and for an UNSAFE online conversion tool see here:


So firstly, Windows doesn't deal well with PEM files, you can import them, but they don't work properly, so we have to convert it to a PFX.


EDNA has the conversion tool OpenSSL installed on it, so use EDNA.


If you've only been sent a PEM file this is what you need to do, if you have other files (key, authority's cert etc) then you will need extra params (see the sslshopper link above)


copy pem file (filenameOfPEMFileToConvert.pem) to c:\openssl\bin

open cmd, type cd \openssl\bin

openssl pkcs12 -export -out filenameOfPFXToMake.pfx -in filenameOfPEMFileToConvert.pem

generate a password in the password safe for the export

IMPORTANT: **TYPE** the password in when it prompts you - paste will not work and the cursor doesn't move. It asks to verify so you shouldn't get it wrong.





Renewing or replacing a PositiveSSL certificate


PositiveSSL has a control panel at:


There you can renew or replace a certificate. For example if you move it to another server and forgot to make a certificate backup (pfx) file then you would need to replace it.


When renewing or replacing you will find it says "Awaiting Validation". I think this is automatic and just means that a validation email has been sent to your designated email address. This contains a validation URL and code to enter.


Assigning a private key to a certificate

To assign the existing private key to a new certificate, you must use the Microsoft Windows Server 2003 version of Certutil.exe. To do this, follow these steps:

  1. In the Certificates snap-in, double-click the imported certificate that is in the Personal folder.
  2. In the Certificate dialog box, click the Details tab.
  3. Click Serial Number in the Field column of the Details tab, highlight the serial number, and then write down the serial number.
  4. Click Start, click Run, type cmd, and then click OK.
  5. At the command prompt, type the following:
    certutil -repairstore my "SerialNumber"

    SerialNumber is the serial number that you wrote down in step 17.
  6. In the Certificates snap-in, right-click Certificates, and then click Refresh

    The certificate now has an associated private key.

You can now use the IIS MMC to assign the recovered keyset (certificate) to the Web site that you want.

 Import the

You may then need to import the certicate into IIS. To do this:

Export the certificate that now has a private key to a dir somewhere.

Then import into IIS.

Right click on the root node in IIS. Click server certificates. Click import. Choose the certificate you exported. When prompted for a password use the serial number you used in the command line.

And bingo was his name.


How to get into Certificate Manager to make a backup or install certificates


Go to Start > Run > certmgr.msc




Leave a Comment