Obtaining and Installing Server Certificates

Applies To: Windows Server 2003, Windows Server 2003 with SP1

You can obtain server certificates from an outside certification authority (CA), or you can issue your own server certificates by using Microsoft Certificate Services.

Use Microsoft Certificate Services to create a customizable service for issuing and managing certificates. You can create server certificates for the Internet or for corporate intranets, giving your organization complete control over certificate management policies.

Obtaining Server Certificates from a Certification Authority

If you are replacing your current server certificate, IIS will continue to use the old certificate until the new request has been completed.

When you are choosing a certification authority (CA), consider the following questions:

  • Will the CA be able to issue a certificate that is compatible with all of the browsers used to access my server?

  • Is the CA a recognized and trusted organization?

  • How will the CA provide verification of my identity?

  • Does the CA have a system for receiving online certificate requests, such as requests generated by the IIS Web Server Certificate Wizard?

  • How much will the certificate cost initially, and how much will renewal or other services cost?

  • Is the CA familiar with my organization or my company's business interests?

Issuing Your Own Server Certificates

When deciding whether to issue your own server certificates, consider the following:

  • Microsoft Certificate Services accommodates different certificate formats and provides for auditing and logging of certificate-related activity.

  • Compare the cost of issuing your own certificates against the cost of buying a certificate from a certification authority.

  • Remember that your organization will require an initial adjustment period to learn, implement, and integrate Certificate Services with existing security systems and policies.

  • Assess the willingness of your connecting clients to trust your organization as a certificate supplier.

Assigning Resources to Server Certificates

Use the following guidelines when assigning IP addresses, Web sites, and SSL ports to your server certificates:

  • Each Web site can have only one server certificate assigned to it.

  • One certificate can be assigned to multiple Web sites.

  • You can assign multiple IP addresses per Web site.

  • You can assign multiple SSL ports per Web site.

Installing Server Certificates

After obtaining a server certificate from a CA, or after issuing your own server certificate using Certificate Services, use the Web Server Certificate Wizard to install it. When you use the Server Certificate Wizard to obtain and install a server certificate, the process is referred to as creating and assigning a server certificate. For instructions on how to install your server certificate, see Requesting a New Server Certificate from an Online CA.

Backing Up Server Certificates

Use the Web Server Certificate Wizard to back up server certificates. Because IIS works closely with Windows, you can also use Certificate Manager, which is called "Certificates" in Microsoft Management Console (MMC), to export and back up your server certificates.