IIS: Make sure that your certificates are current

Applies To: Windows Server 2008 R2

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Internet Information Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server 2008 R2

Product/Feature

Internet Information Services

Severity

Warning

Category

Security

Issue

SSL Binding '<BindingIPAddress>:<BindingPortNumber>:' has a certificate that has expired, or will expire in 30 days. The certificate has thumbprint '<CertificateHash>' and is located in store '<CertificateStoreName>'.

Impact

An expired certificate becomes invalid and can prevent users from accessing your site.

Resolution

Renew the certificate or choose a new certificate for the site.


To renew a certificate from an external certification authority (CA) such as Verisign, or from an internal (enterprise) CA, contact the certification authority. To import a valid certificate for a site, see the section "Importing a valid certificate for a site."

Warning

You cannot renew a certificate that has already expired. If you try to renew a certificate that has expired, the certification authority (CA) will reject the request, and you will see an error message similar to "Error Verifying Request Signature or Signing Certificate. A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file." This message will also be displayed in the Failed Requests node of the issuing CA. If your certificate has already expired, you must request a new certificate instead of renewing the existing certificate.

Warning

You cannot renew self-signed certificates.

Important

To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.

Importing a valid certificate for a site

If you have a valid server certificate, you can import it and assign it to your site's HTTPS binding.

To import a valid certificate for a site

  1. Click Start, click Control Panel, and then click Administrative Tools.

  2. Right-click Internet Information Services (IIS) Manager and select Run as administrator.

  3. In the Connections pane on the left, select the computer that contains the site.

  4. In Features View, select Server Certificates.

  5. In the Actions pane, select Open Feature.

  6. In the Actions pane, select Import.

  7. In the Import Certificate dialog, under Certificate file, browse to the file location of the certificate that you want to import.

  8. Under Password, type the password for the certificate.

  9. Click OK.

Important

To use an imported certificate for a site, you must assign the certificate to an HTTPS binding for the site. To do this, perform the following steps.

To assign a certificate to an HTTPS binding for the site

  1. In the IIS Manager Connections pane, select the computer that has the site that you want to configure.

  2. Expand the computer that you selected, and then expand Sites.

  3. Select the site that you want to configure.

  4. In the Actions pane, click Bindings.

  5. In the Site Bindings dialog, click Add.

  6. In the Add Site Binding dialog, under Type, select https.

  7. Under IP address, select the IP address that you want to use for the binding.

  8. Under Port, type the port number that you want to use for the binding.

  9. Under SSL certificate, select the certificate that you imported in the previous procedure.

  10. Click OK to add the site binding.

  11. Click Close to exit the Site Bindings dialog.
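The two procedures above, together with the check the BPA rule performs, can also be carried out from PowerShell. The script below is an added example, not part of this topic or of IIS itself: it assumes an elevated PowerShell session with the WebAdministration module (IIS 7.5 on Windows Server 2008 R2), and the function names Get-ExpiringSslBinding and Set-SslBindingCertificate are my own.

```powershell
# Added example, not from the BPA topic: list SSL bindings whose certificate has expired or
# expires within 30 days (the BPA rule's window), and assign a replacement certificate to a
# binding by thumbprint. Assumes WebAdministration (IIS 7.5) and an elevated session.
Import-Module WebAdministration

function Get-ExpiringSslBinding {
    param([int]$DaysAhead = 30)   # the BPA rule warns 30 days ahead of expiry
    $cutoff = (Get-Date).AddDays($DaysAhead)
    foreach ($binding in Get-ChildItem IIS:\SslBindings) {
        $store = if ($binding.Store) { $binding.Store } else { 'My' }
        $certPath = 'Cert:\LocalMachine\{0}\{1}' -f $store, $binding.Thumbprint
        $cert = Get-Item $certPath -ErrorAction SilentlyContinue
        if ($cert -eq $null) {
            $status = 'CertificateMissing'   # binding references a thumbprint no longer in the store
            $notAfter = $null
        } elseif ($cert.NotAfter -lt (Get-Date)) {
            $status = 'Expired'
            $notAfter = $cert.NotAfter
        } elseif ($cert.NotAfter -le $cutoff) {
            $status = 'ExpiresSoon'
            $notAfter = $cert.NotAfter
        } else {
            continue   # healthy binding, nothing to report
        }
        New-Object PSObject -Property @{
            Binding    = '{0}:{1}' -f $binding.IPAddress, $binding.Port
            Thumbprint = $binding.Thumbprint
            Store      = $store
            NotAfter   = $notAfter
            Status     = $status
        }
    }
}

function Set-SslBindingCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$IPAddress,   # 0.0.0.0 is "All Unassigned"
        [Parameter(Mandatory=$true)][int]$Port,
        [Parameter(Mandatory=$true)][string]$Thumbprint   # thumbprint of the imported replacement
    )
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    if ($cert.NotAfter -le (Get-Date)) {
        throw "Replacement certificate $Thumbprint has already expired; request a new one"
    }
    $path = "IIS:\SslBindings\$IPAddress!$Port"
    if (Test-Path $path) { Remove-Item $path -Confirm:$false }
    New-Item $path -Value $cert | Out-Null   # the http.sys SSL binding now references the new certificate
}
Get-ExpiringSslBinding | Sort-Object NotAfter | Format-Table -AutoSize
```

Run the report first; only call Set-SslBindingCertificate after the replacement certificate has been imported into the Local Machine Personal store as described in the import procedure.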