Use the ¶ºÒõ¹Ý®?Certificate Utility for Windows to create a CSR and install your new SSL certificate?on your Windows Server 2016

When it's time to renew your SSL certificate, you can use the ¶ºÒõ¹Ý® Certificate Utility for Windows, to simply the process.

These instructions explain how to use the ¶ºÒõ¹Ý®?Certificate Utility for Windows, your ¶ºÒõ¹Ý account, and IIS 10 to create your CSR, renew your SSL certificate, to install your certificate, and to use IIS 10 to configure your Windows Server 2016 to use the new certificate.

Process for Renewing Your SSL Certificate:

  1. Create your CSR with the ¶ºÒõ¹Ý Certificate Utility.

    How to Create Your CSR with the ¶ºÒõ¹Ý Utility.

  2. Renew your SSL certificate from your ¶ºÒõ¹Ý account.

    How to Renew Your SSL Certificate

  3. Install your new SSL certificate on your Windows Server 2016 with the ¶ºÒõ¹Ý Certificate Utility.

    How to Import Your SSL Certificate to Your Server with the ¶ºÒõ¹Ý Utility.

  4. Use IIS 10 to configure your server to use the new SSL certificate.

    How to Use IIS 10 to Assign Your New SSL Certificate.

 

I. How to Create Your CSR with the ¶ºÒõ¹Ý Utility

Best practices are to generate a new certificate signing request (CSR) when renewing your SSL certificate.

  1. On the Windows Server 2016 with the expiring certificate, download and save the?¶ºÒõ¹Ý® Certificate Utility for Windows executable (¶ºÒõ¹ÝUtil.exe).

  2. Run the ¶ºÒõ¹Ý® Certificate Utility for Windows.

    Double-click ¶ºÒõ¹ÝUtil.

  3. In the ¶ºÒõ¹Ý Certificate Utility for Windows©, click SSL (gold lock), select the expiring certificate, and then click Create CSR.

    Create a renewal CSR in Windows

  4. In the "Would you like to import the attributes from 'certificate' into the new CSR?" window, click Yes.

    Create a renewal CSR in Windows

  5. On the Create CSR page, verify that all the certificate details are correct and then click Generate.

    Create a renewal CSR in Windows

  6. On ¶ºÒõ¹Ý Certificate Utility for Windows© - Renew Certificate page, do one of the following, and then, click Close:

    Click Copy CSR. Copies the certificate contents to the clipboard.
    If you use this option, we recommend that you paste the CSR into a tool such as Notepad.
    If you forget and copy some other item, you still have access to the CSR, and you do not have to go back and recreate it.
     
    Click Save to File. Saves the CSR as a .txt file to the Windows Server 2016.
    We recommend that you use this option.

    Copy CSR to Clipboard

 

II. How to Renew Your SSL Certificate

Renew your SSL certificate from inside your ¶ºÒõ¹Ý CertCentral account.

Are you new to the ¶ºÒõ¹Ý team? You can "replace" your certificate with a ¶ºÒõ¹Ý certificate. Order your new certificate here - Purchase Your ¶ºÒõ¹Ý Certificate.

  1. Log into your?CertCentral account.

  2. In CertCentral, in the left main menu, click Certificates > Expiring Certificates.

  3. On the Expiring Certificates page, next to the certificate you want to renew, click Renew Now.

    A certificate doesn't appear on the Expiring Certificates page until 90 days before it expires.

  4. Follow the instructions provided inside your account to renew your SSL certificate.

  5. Add your CSR

    When renewing the certificate, you'll need to include a CSR. On the "Renewal" page, under Certificate Settings, upload the CSR file you saved to the server.

    You can also use a text editor (such as Notepad) to open the file. Then, copy the text, including the?-----BEGIN NEW CERTIFICATE REQUEST-----?and?-----END NEW CERTIFICATE REQUEST-----?tags, and paste it in the Add Your CSR box.

  6. After you place the order to renew your certificate, ¶ºÒõ¹Ý verifies your information.

  7. If we need any additional information, we will promptly contact you by phone or email. If no additional information is required, we will most likely issue your certificate within an hour.

 

III. How to Import Your SSL Certificate to Your Server with the ¶ºÒõ¹Ý Utility

Once your renewal SSL Certificate has been issued, run the ¶ºÒõ¹Ý Certificate Utility to import it to your Windows server 2016.

Microsoft Certificate Store Note:

When you use the ¶ºÒõ¹Ý? Certificate Utility for Windows to import/install your SSL certificates on your Windows Server 2016, it will place the certificates in the?Personal?store instead of the?Web Hosting?store. If you have less then 20 to 30 certificates, this will not be a problem.

However, if you are managing 30 or more certificates you will need to move your certificates to the?Web Hosting?store, which was designed to scale to a greater number of certificates. See?Move a Certificate from the Personal Store to the Web Hosting Certificate Store.

Importing Your New SSL Certificate to Your Windows Server 2016

  1. On the Windows Server 2016, where you created the CSR, open the ZIP file containing your SSL certificate and save the contents of the file (e.g.,?your_domain_com.cer) to the folder where you saved the ¶ºÒõ¹Ý Certificate Utility executable (¶ºÒõ¹ÝUtil.exe).

  2. Run the ¶ºÒõ¹Ý Certificate Utility.

    Double-click ¶ºÒõ¹ÝUtil.

  3. In ¶ºÒõ¹Ý Certificate Utility for Windows©, click SSL (gold lock) and then click Import.

    Import an IIS 8 .cer certificate

  4. In the Certificate Import wizard, click Browse, browse to the .cer certificate file (e.g., your_domain_com.cer) that ¶ºÒõ¹Ý sent you, select the file, click Open, and then, click Next.

    Import your_domain_com.cer

  5. In the Enter a new friendly name or you can accept the default box, type a friendly name for the certificate.

    Note: The friendly name is not part of the certificate. It is used to identify the certificate.

    We recommend adding ¶ºÒõ¹Ý and the expiration date to the end of your friendly name, for example: yoursite-digicert-(expiration date). This information helps identify the issuer and expiration date for each certificate. It also helps distinguish multiple certificates with the same domain name.

    Assign a Friendly Name

  6. To import the SSL Certificate to your server, click Finish.

    You should receive?"Your certificate has been successfully imported"?message. You are now ready to assign/configure your Windows server 2016 to use the renewed SSL certificate.

    Note: If you are managing 30 or more certificates you will need to move your certificates to the Web Hosting store, which was designed to scale to a greater number of certificates. See?Move a Certificate from the Personal Store to the Web Hosting Certificate Store.

 

IV. How to Use IIS 10 to Assign Your New SSL Certificate

After importing your new SSL certificate to your Windows Server 2016, you need to use IIS 10 to assign the newly imported certificate to secure your website.

If you have not yet created your certificate signing request (CSR) and ordered your certificate, see How to Create Your CSR with the ¶ºÒõ¹Ý Utility.

  1. On the Windows Server 2016 to where you imported your SSL certificate with the ¶ºÒõ¹Ý Certificate Utility, open Internet Information Services (IIS) Manager.

    In the?Windows?start menu, type?Internet Information Services (IIS) Manager?and open it.

  2. In?the Internet Information Services (IIS) Manager, in the?Connections?menu tree (left pane), expand the name of the server on which the certificate was installed. Then expand?Sites?and select the site with the expiring SSL certificate.

    IIS Manager

  3. On the website?Home?page, in the?Actions?menu (right pane), under?Edit Site, click the?µþ¾±²Ô»å¾±²Ô²µ²õ¡­?link.

  4. In the Side Bindings window, select binding for https and then click Edit.

    IIS Manager Site Binding

  5. In the?Edit Site Binding?window, in the?SSL certificate?drop-down list, select your newly installed SSL Certificate by its friendly name and then, click?OK.

    IIS Manager Edit Site Binding

  6. Your new SSL Certificate is now installed to the website.

Test Your Installation

If your website is publicly accessible, you can use our?¶ºÒõ¹Ý® SSL Installation Diagnostics Tool to verify that the installation is correct. On the ¶ºÒõ¹Ý® SSL Installation Diagnostics Tool page, enter the DNS name of the site (e.g., www.yourdomain.com, or mail.yourdomain.com) that you are securing to test your SSL certificate.

Troubleshooting

After you¡¯ve installed the certificate on to the Windows server, if you run into certificate errors, try repairing your certificate trust errors using?¶ºÒõ¹Ý® Certificate Utility for Windows. If this does not fix the errors, contact support.