Use the ¶ºÒõ¹Ý® Certificate Utility for Windows to create a CSR and install your SSL certificate on Windows Server 2012

These instructions explain how to use the ¶ºÒõ¹Ý Certificate Utility for Windows with IIS 8 and IIS 8.5 to create your CSR, to install your SSL certificate, and to configure your Windows Server 2012 to use the certificate.

¶ºÒõ¹Ý Certificate Utility for Windows

For a simpler way to create your CSRs (Certificate Signing Requests) and install and manage your SSL certificates, we recommend that you use the ¶ºÒõ¹Ý Certificate Utility. For more information about our utility, see ¶ºÒõ¹Ý Certificate Utility.

Use the instructions on this page to create your certificate signing request (CSR) and to install and configure your SSL certificate.

  1. To create your CSR, see Windows Server 2012: Creating Your CSR with the ¶ºÒõ¹Ý Utility.

  2. To install your SSL certificate, see Windows Server 2012: Using the ¶ºÒõ¹Ý Utility & IIS 8 or IIS 8.5 to Install and Configure Your SSL Certificate.

If you prefer not to use the ¶ºÒõ¹Ý Utility, or for some reason cannot use the utility, see IIS 8 and IIS 8.5: Create CSR and Install SSL Certificate.

Step 1: Create Your CSR on Windows Server 2012 with the ¶ºÒõ¹Ý Utility

The ¶ºÒõ¹Ý Certificate Utility for Windows streamlines the CSR creation process by providing easy, one-click CSR creation and certificate installation.

How to Create Your CSR with the ¶ºÒõ¹Ý Utility

  1. On your Windows Server 2012, download and save the ¶ºÒõ¹Ý Certificate Utility executable (¶ºÒõ¹ÝUtil.exe).

  2. Open the ¶ºÒõ¹Ý Certificate Utility (double-click ¶ºÒõ¹ÝUtil).

  3. In the ¶ºÒõ¹Ý Certificate Utility for Windows©, click SSL (gold lock), and then, click Create CSR.

    ¶ºÒõ¹Ý Utility Create CSR

  4. On the Create CSR page, provide the following information below and then click Generate.

    Certificate Type: Select SSL.
    Common Name: The fully-qualified domain name (FQDN) (e.g., www.example.com).
    Subject Alternative Names: If you are requesting a Multi-Domain (SAN) Certificate, enter any SANs that you want to include
    (e.g., www.example.com, www.example2.com, and www.example3.net).
    Organization: Your company¡¯s legally registered name (e.g., YourCompany, Inc.).
    Department: The name of your department within the organization. This entry will usually be listed as "IT", "Web Security", or is simply left blank.
    City: The city where your company is legally located.
    State: Use the drop-down list to select the state where your company is legally located.
    Note: If your company is located outside the US, you can type the applicable name in the box.
    Country: Use the drop-down list to select the country where your company is legally located.
    Key Size: In the drop-down list, select 2048 (unless you have a specific reason for using a larger bit length).
    Provider: In the drop-down list, select Microsoft RSA SChannel Cryptographic Provider (unless you have a specific cryptographic provider).

    Enter CSR Details

  5. On ¶ºÒõ¹Ý Certificate Utility for Windows© - Create CSR page, do one of the following:

    Click Copy CSR. Copies the certificate contents to the clipboard. Use this option if you are ready to paste the CSR into the ¶ºÒõ¹Ý order form.
    Note: Because the ¶ºÒõ¹Ý Certificate Utility does not store CSRs, we recommend you paste the CSR into a text editor (such as Notepad) when using this option. If you close the CSR page and accidentally overwrite the clipboard contents without doing this, you will need to generate a new CSR.
    Click Save to File. Saves the CSR as a .txt file to the Windows Server 2012. (We recommend using this option.)

    Save or Copy CSR Contents

  6. Click Close.

  7. If you saved the CSR to a file, open the CSR file using a text editor (such as Notepad). Then, copy the text (including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags), and paste it into the ¶ºÒõ¹Ý order form.

    Ready to order your SSL certificate

    Learn More
  8. After receiving your SSL certificate from ¶ºÒõ¹Ý, you can use the ¶ºÒõ¹Ý Certificate Utility to install it.

Step 2: Install Your SSL Certificate on Windows Server 2012 Using the ¶ºÒõ¹Ý Utility

If you haven¡¯t created your CSR with the ¶ºÒõ¹Ý Certificate Utility and ordered your SSL certificate, see?Windows Server 2012: Creating Your CSR with the ¶ºÒõ¹Ý Utility.

After ¶ºÒõ¹Ý validates your order and issues your SSL certificate, you can use the ¶ºÒõ¹Ý Certificate Utility to install the certificate file to your Windows Server 2012. Then you can use IIS 8 or IIS 8.5 to configure the server to use it.

To install your SSL certificate on your Windows Server 2012, complete the steps below.

  1. Import your SSL certificate to your Windows Server 2012 using the ¶ºÒõ¹Ý Certificate Utility.

  2. Configure your Windows Server 2012 to use the SSL certificate using IIS 8 or IIS 8.5.

i. Import Your SSL Certificate Using the ¶ºÒõ¹Ý Certificate Utility

After ¶ºÒõ¹Ý issues your SSL certificate, you can use the ¶ºÒõ¹Ý Certificate Utility to install the certificate file to your Windows Server 2012.

Microsoft Certificate Store Note:
When you use the ¶ºÒõ¹Ý Certificate Utility to import/install your SSL certificates, it will place the certificates in the Personal store instead of the Web Hosting store. If you have less than 30 certificates, this will not be a problem. However, if you are managing 30 or more certificates, you will need to move your certificates to the Web Hosting store, which was designed for a greater number of certificates. See Move a Certificate from the Personal Store to the Web Hosting Certificate Store.

How to Import an SSL Certificate to Your Windows Server 2012

  1. On the Windows 2012 server, where you created the CSR, extract the contents of the ZIP file you received from ¶ºÒõ¹Ý (e.g., your_domain_com.cer) to the folder where you saved the ¶ºÒõ¹Ý Certificate Utility executable (¶ºÒõ¹ÝUtil.exe).

  2. Open the ¶ºÒõ¹Ý Certificate Utility (double-click ¶ºÒõ¹ÝUtil).

  3. In the ¶ºÒõ¹Ý Certificate Utility for Windows©, click SSL (gold lock) and then, click Import.

    Import an SSL Certificate

  4. In the Certificate Import wizard, click Browse to locate the .cer certificate file you received from ¶ºÒõ¹Ý (e.g., your_domain_com.cer), and click Open.

    Certificate Import wizard

  5. Click Next

  6. In the Enter a new friendly name or you can accept the default box, type a friendly name for the certificate.

    Note: The friendly name is not part of the certificate; instead, it is used to identify the certificate. We recommend that you add the issuing CA (e.g., ¶ºÒõ¹Ý) and the expiration date to the end of your friendly name; for example, yoursite-digicert-(expiration date). Doing this helps identify the issuer and expiration date for each certificate and also helps distinguish multiple certificates with the same domain name.

    Certificate Import wizard

  7. To import the SSL certificate to your server, click Finish.

  8. You should receive a message that the certificate was successfully imported, and you should now see your SSL certificate in the ¶ºÒõ¹Ý Certificate Utility for Windows©.

    Import an SSL Certificate

  9. (Optional) Repeat the process as needed for each additional SSL certificate.

  10. Now that you've successfully installed your SSL certificate, you need to assign the certificate to the appropriate site.

ii. Configure the Server to Use Your SSL Certificate Using IIS 8 or IIS 8.5

After importing your SSL certificate to your Windows Server 2012, you must configure IIS to use the newly imported certificate to secure your website.

(Single Certificate) How to configure the server to use your SSL certificate

  1. On the Windows Server 2012 where you imported your SSL certificate with the ¶ºÒõ¹Ý Certificate Utility, open Internet Information Services (IIS) Manager.

    From the Start screen, find Internet Information Services (IIS) Manager and open it.

  2. In Internet Information Services (IIS) Manager, in the Connections pane, expand the name of the server on which the certificate was installed. Then expand Sites and click the site you want to secure using the SSL certificate.

    IIS 8 Web Site Home Page Bindings

  3. On the website Home page, in the Actions menu (right pane), click Bindings.

  4. In the Site Bindings window, click Add.

    IIS 8 Site Bindings Window (Unconfigured)

  5. In the Add Site Binding window, do the following and then click OK.

    Type: In the drop-down list, select https.
    IP address: In the drop-down list, select the IP address of the site or select All Unassigned.
    Port: Type 443. (SSL uses port 443 to secure traffic.)
    SSL certificate: In the drop-down list, select your new SSL certificate (e.g., yourdomain.com).

    IIS 8 Add Site Binding Dialog

  6. Your SSL certificate is now installed, and the website is configured to accept secure connections.

    IIS Site Bindings Window (Configured)

(Multiple Certificates) How to install your SSL certificates and configure the server to use them using SNI

If you have not imported all your SSL certificates, see Import Your SSL Certificate Using the ¶ºÒõ¹Ý Certificate Utility.

These instructions explain how to install multiple SSL certificates and assign them using SNI. The process is split into two parts as follows:

Assign the First SSL Certificate

Do this first set of instructions only once (for the first SSL certificate).

  1. On the Windows Server 2012 where you imported your SSL certificate with the ¶ºÒõ¹Ý Certificate Utility, open Internet Information Services (IIS) Manager.

    From the Start screen, find Internet Information Services (IIS) Manager and open it.

  2. In Internet Information Services (IIS) Manager, in the Connections pane, expand the name of the server on which the certificate was installed. Then expand Sites and click the site you want to secure using the SSL certificate.

    IIS 8 Web Site Home Page Bindings

  3. On the website Home page, in the Actions menu (right pane), click Bindings.

  4. In the Site Bindings window, click Add.

    IIS 8 Site Bindings Window (Unconfigured)

  5. In the Add Site Binding window, do the following and then click OK.

    Type: In the drop-down list, select https.
    IP address: In the drop-down list, select the IP address of the site or select All Unassigned.
    Port: Type 443. (SSL uses port 443 to secure traffic.)
    SSL certificate: In the drop-down list, select the SSL certificate you installed in Step 7 (e.g., yourdomain.com).

    IIS 8 Add Site Binding Dialog

  6. Your first SSL certificate is now installed, and the website is configured to accept secure connections.

    IIS 8 Site Bindings Window (Configured)

Assign All Additional SSL Certificates

To assign each additional SSL certificate, repeat the steps below (as needed).

  1. In Internet Information Services (IIS) Manager, in the Connections pane, expand the name of the server on which the certificate was installed. Then expand Sites and click the site you want to secure using the SSL certificate.

    IIS 8 Web Site Home Page Bindings

  2. On the website Home page, in the Actions menu (right pane), click Bindings.

  3. In the Site Bindings window, click Add.

    IIS 8 Site Bindings Window (Unconfigured)

  4. In the Add Site Binding window, do the following and then click OK.

    Type: In the drop-down list, select https.
    IP address: In the drop-down list, select the IP address of the site or select All Unassigned.
    Port: Type 443. (SSL uses port 443 to secure traffic.)
    Host name: Type the host name that you want to secure.
    Require server name indication: Select this checkbox after you enter the host name.

    Note: This option is required for any additional certificates/sites after installing the first certificate on the primary site.
    SSL certificate: In the drop-down list, select the SSL certificate you installed (e.g., yourdomain.com).

  5. You have successfully installed another SSL certificate and configured the website to accept secure connections.

Test Installation

If your website is publicly accessible, our ¶ºÒõ¹Ý® SSL Installation Diagnostic Tool can help you diagnose common problems.

Additional Information