Using Certificate Wizards

Applies To: Windows Server 2003, Windows Server 2003 with SP1

IIS 6.0 includes the following wizards that simplify the tasks necessary to establish and maintain communications for a Web site using server certificates:

  • Web Server Certificate Wizard. Obtain and manage server certificates, which are used to negotiate a secure link between your server and a user's browser.

  • Certificate Trust List Wizard. Manage certificate trust lists (CTLs), which are lists of certification authorities that are trusted by each Web site or virtual directory.

The Web Server Certificate Wizard

In IIS, you can obtain, configure, and renew server certificates using the Web Server Certificate Wizard. The wizard detects whether a server certificate has already been installed and whether it is about to expire. Use the wizard to perform the following tasks:

  • Create a certificate request.

  • Replace the server certificate with another one from a certification authority (CA), from an online CA, such as Microsoft Certificate Services, or from a file previously obtained in Key Manager.

  • Reassign a certificate from one Web site to another Web site.

  • View certificates.

When creating a new certificate, the Web Server Certificate Wizard allows you to choose the strength of encryption, the type of certificate, and a cryptographic service provider for your certificate.

Online requests for server certificates can be made only to local and remote Enterprise Certificate Services and to remote Stand-alone Certificate Services. The IIS Web Server Certificate Wizard does not recognize a stand-alone installation of Certificate Services on the same computer when requesting a certificate. To work around this, use the offline certificate request to save the request to a file and then process it as an offline request. For more information about offline requests, see "Certificate Services Help" in Help and Support Center for Windows Server 2003.

If you are not using an online certification authority, you will need to save the request file generated by the Web Server Certificate Wizard to disk and send it to the CA. When the response is received, you can start the wizard and it will begin where it left off. If you are replacing a certificate, IIS will continue to use the old certificate until the new request is completed.

The Certificate Trust List Wizard

Use the Certificate Trust List Wizard to obtain and manage certificate trust lists (CTLs). A CTL is a list of trusted certification authorities (CAs) for a particular Web site. By configuring your CTL, you can accept client certificates issued by one CA while rejecting those issued by another. CTLs are especially useful for Internet Service Providers (ISPs) who host several Web sites on one server and need a different list of approved certification authorities for authenticating clients at each site. CTLs are available only at the Web site level and are not available for FTP sites.