Office 365: Using Microsoft IIS for SSL Certificate Installation
Microsoft Office 365 doesn¡¯t include a GUI for installing a SSL Certificate. Because Office 365 is designed to run on Microsoft IIS, you can use IIS to install your certificate. If you have not yet created a Certificate Signing Request (CSR) and ordered your certificate, see Microsoft Office 365: SSL Certificate CSR Creation (IIS).
The installation process consists of two steps: installing the certificate on the server and assigning/binding the certificate the default website.
-
IIS 8/8.5 or IIS 7
If you used IIS to create your CSR, you need to use IIS to install the certificate and then, to assign/bind the certificate to the default website (HTTPS port 443)
-
For IIS 8/8.5 instructions, see Office 365: How to Install Your SSL Certificate Using IIS 8/8.5.
-
For IIS 7 instructions, see Office 365: How to Install Your SSL Certificate Using IIS 7.
-
-
¶ºÒõ¹Ý® Certificate Utility
If you used the ¶ºÒõ¹Ý® Certificate Utility for Windows to generate your CSR, you need to use the ¶ºÒõ¹Ý Certificate Utility to import/install your SSL Certificate. Then, you need to use IIS to assign/bind the certificate to the default website (HTTPS port 443).
-
Install your SSL Certificate.
See SSL Certificate Importing Instructions: ¶ºÒõ¹Ý® Certificate Utility for Windows.
-
To assign/bind the certificate to the default website (HTTPS port 443):
-
For IIS 8/8.5 instructions, see Using IIS 8/8.5 to Assign the Certificate to the Default Website.
-
For IIS 7 instructions, see Using IIS 7 to Assign the Certificate to the Default Website.
-
-
Office 365: How to Install Your SSL Certificate Using IIS 8/8.5
Using IIS 8/8.5 to Install the SSL Certificate
After ¶ºÒõ¹Ý validates and issues your SSL Certificate, you can use IIS to install your SSL Certificate to the server where you generated the CSR. Then, you can use IIS to bind the certificate to the default website (HTTPS port 443).
-
Open the ZIP file containing your SSL Certificate and save the SSL Certificate file (your_domain_name.cer) to the desktop of your AD FS server.
-
Open Internet Information Services (IIS) Manager.
From the Start screen, type and click Internet Information Services (IIS) Manager.
-
In Internet Information Services (IIS) Manager, under Connections, select your server¡¯s Hostname.
-
In the center menu, in the IIS section, double-click the Server Certificates icon.
-
In the Actions menu, click Complete Certificate Request to open the Complete Request Certificate wizard.
-
In the Complete Certificate Request wizard, on the Specify Certificate Authority Response page, under File name containing the certification authority¡¯s response, click ¡ to browse to the .cer certificate file that ¶ºÒõ¹Ý sent you, select the file, and then, click Open.
-
Next, in the Friendly name box, enter a friendly name for the certificate. The friendly name is not part of the certificate; instead, it is used to identify the certificate.
We recommend that you add ¶ºÒõ¹Ý and the expiration date to the end of your friendly name, for example: yoursite-¶ºÒõ¹Ý-expirationDate. This information helps identify the issuer and expiration date for each certificate. It also helps distinguish multiple certificates with the same domain name.
-
Next, in the Select a certificate store for the new certificate drop-down list, select Personal.
-
To install the SSL Certificate to the server, click OK.
-
Once you have successfully installed the SSL Certificate to the server, you still need use IIS to assign or bind that certificate to the default website (HTTPS port 443).
Using IIS 8/8.5 to Assign the Certificate to the Default Website
-
In Internet Information Services (IIS) Manager, under Connections, expand your server¡¯s name, expand Sites, and then select the Default Web Site site.
-
In the Actions menu, under Edit Site, click Bindings.
-
In the Site Binding window, click Add.
-
In the Add Site Bindings window, enter the following information and then, click OK:
Type: In the drop-down list, select https. IP address: In the drop-down list, select All unassigned. If your server has multiple IP addresses, select the one that applies. Port: Enter 443, unless you are using a non-standard port for SSL traffic. SSL certificate: In the drop-down list, select the friendly name of the certificate that you just installed. -
Your SSL certificate is now installed, and the website configured to accept secure connections.
Test your Installation
To verify that the installation is correct, use our ¶ºÒõ¹Ý® SSL Installation Diagnostics Tool and enter the DNS name of the site (i.e. www.yourdomain.com, or mail.yourdomain.com) that you are securing to test your SSL Certificate.
Troubleshooting
If you run into certificate errors, try repairing your certificate trust errors using ¶ºÒõ¹Ý® Certificate Utility for Windows. If this does not fix the errors contact support.
Additional Information
To enable your SSL certificate for use on other Windows servers, see IIS 8 and IIS 8.5: How to Import and Export SSL Certificates.
IIS 8/8.5 and Windows Server 2012/2012 R2 have the Server Name Indication-SNI feature, which you can use to host multiple SSL sites and certificates on a Single IP Address based on Host Headers on your IIS 8 server.
Office 365: How to Install Your SSL Certificate Using IIS 7
Using IIS 7 to Install the SSL Certificate
After ¶ºÒõ¹Ý validates and issues your SSL Certificate, you can use IIS to install your SSL Certificate to the server where you generated the CSR. Then, you can use IIS to bind the certificate to the default website (HTTPS port 443).
-
Open the ZIP file containing your SSL Certificate and save the SSL Certificate file (your_domain_name.cer) to the desktop of your AD FS server.
-
Open Internet Information Services (IIS) Manager.
In the Windows Start menu, click Administrative Tools > Internet Information Services (IIS) Manager.
-
In Internet Information Services (IIS) Manager, under Connections, select your server¡¯s Hostname.
-
In the center menu, in the IIS section, double-click the Server Certificates icon.
-
In the Actions menu, click Complete Certificate Request to open the Complete Request Certificate wizard.
-
In the Complete Certificate Request wizard, on the Specify Certificate Authority Response page, under File name containing the certification authority¡¯s response, click ¡ to browse to the .cer certificate file that ¶ºÒõ¹Ý sent you, select the file, and then, click Open.
-
Next, in the Friendly name box, enter a friendly name for the certificate. The friendly name is not part of the certificate; instead, it is used to identify the certificate.
We recommend that you add ¶ºÒõ¹Ý and the expiration date to the end of your friendly name, for example: yoursite-¶ºÒõ¹Ý-expirationDate. This information helps identify the issuer and expiration date for each certificate. It also helps distinguish multiple certificates with the same domain name.
-
To install the SSL Certificate to the server, click OK.
Known Issue in IIS 7:
There is a known issue in IIS 7 where the following error message is displayed: "Cannot find the certificate request associated with this certificate file. A certificate request must be completed on the computer where it was created." You may also receive a message stating: "ASN1 bad tag value met".
Solution:
If this is the server where you generated the CSR, in most cases, the certificate is actually installed. Simply close Internet Information Services (IIS) Manager and reopen it to refresh the list of server certificates. The new certificate should now be in the list, and you can continue with the next step.
If the new certificate is not in the list, you need to one of the following things:
-
Reissue your certificate.
-
Create a new CSR.
See Microsoft Office 365: SSL Certificate CSR Creation (IIS).
-
After creating a new CSR, login to the ¶ºÒõ¹Ý® Management Console (your account).
-
Next to your certificate, click Re-Key Your Certificate.
-
-
Use the ¶ºÒõ¹Ý® Certificate Utility for Windows to import the certificate to your IIS 7 server.
See SSL Certificate Importing Instructions: ¶ºÒõ¹Ý® Certificate Utility for Windows.
-
-
Once you have successfully installed the SSL Certificate to the server, you still need use IIS to assign or bind that certificate to the default website (HTTPS port 443).
Using IIS 7 to Assign the Certificate to the Default Website
-
In Internet Information Services (IIS) Manager, under Connections, expand your server¡¯s name, expand Sites, and then select the Default Web Site site.
-
In the Actions menu, under Edit Site, click Bindings.
-
In the Site Binding window, click Add.
-
In the Add Site Bindings window, enter the following information and then, click OK:
Type: In the drop-down list, select https. IP address: In the drop-down list, select All unassigned. If your server has multiple IP addresses, select the one that applies. Port: Enter 443, unless you are using a non-standard port for SSL traffic. SSL certificate: In the drop-down list, select the friendly name of the certificate that you just installed. -
Your SSL certificate is now installed, and the website configured to accept secure connections.
Test your Installation
To verify that the installation is correct, use our ¶ºÒõ¹Ý® SSL Installation Diagnostics Tool and enter the DNS name of the site (i.e. www.yourdomain.com, or mail.yourdomain.com) that you are securing to test your SSL Certificate.
Troubleshooting
If you run into certificate errors, try repairing your certificate trust errors using ¶ºÒõ¹Ý® Certificate Utility for Windows. If this does not fix the errors contact support.
Additional Information
To enable your SSL certificate for use on other Windows servers, see How to Import and Export SSL Certificates in IIS 7.