Obtaining and Backing Up SSL Certificates

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1

Secure Sockets Layer (SSL) certificates contain information used in establishing identities over a network, a process called authentication. Similar to conventional forms of identification, certificates enable Web servers and users to authenticate each other before establishing a connection.

Server certificates contain information about the server that allows the client to positively identify the server before sharing sensitive information. Client certificates contain personal information about the clients requesting access to your site that allows you to positively identify them before allowing them access to the site.

This topic is limited to obtaining, installing and backing up server certificates. For information about obtaining client certificates, see Obtaining Client Certificates in IIS 6.0.

There are two ways to obtain a server certificate. You can issue your own certificate, or you can obtain a certificate from a certification authority.

Important

You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /user:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".

Procedures

To issue your own server certificate

  1. Use Microsoft Certificate Services 2.0 to create a customizable service for issuing and managing certificates. You can create server certificates for the Internet or for corporate intranets, giving your organization complete control over certificate management policies. For more information, see Microsoft Certificate Services Help.

    -or-

    Use the Web Server Certificate Wizard to request and install your server certificate.

To obtain a server certificate from a certification authority

  1. Find a certification authority that provides services that meet your business needs and then request a server certificate.

    -or-

    Use the Web Server Certificate Wizard to create a certificate request, which you can send to the certification authority.

  2. After the certificate has been processed and returned to you, use the Web Server Certificate Wizard to install the certificate.

It is important to safeguard the certificate and key pair; always back them up to a disk and keep the disk in a secure place.

To create a backup copy of your server certificate and private key

  1. Locate the correct certificate store. This is typically the Local Computer store in Certificate Manager.

  2. If you do not have Certificate Manager installed in Microsoft Management Console (MMC), you need to install it.

  3. Right-click the certificate in the Personal store, point to All Tasks, and click Export.

  4. Select Yes, export the private key.

  5. Follow the wizard default settings, and enter a password for the certificate backup file when prompted.

  6. Do not select Delete the private key if export is successful, because this will disable your current server certificate.

  7. Complete the wizard to export a backup copy of your server certificate.

If you already have Certificate Manager installed in MMC, it points to the correct Local Computer certificate store.
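The export procedure above as a script, added here as an example and not part of the original topic. It assumes PowerShell 2.0 or later with the Cert: drive (not available on the original Windows Server 2003 release without PowerShell installed); the thumbprint and file path in the usage lines are placeholders.

```powershell
# Added example (not from the original topic): scripted equivalent of the
# Certificate Manager export wizard. Exports one server certificate and its
# private key from the Local Computer Personal store to a password-protected
# PFX file, then verifies that the file can be read back with the password.
function Backup-ServerCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [Parameter(Mandatory = $true)][string]$BackupPath,
        [Parameter(Mandatory = $true)][System.Security.SecureString]$Password
    )

    # Same store the wizard uses: Certificates (Local Computer) > Personal.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }

    if (-not $cert) {
        throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My."
    }
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key; a backup without the key cannot restore the server."
    }

    # Export as PFX (PKCS #12). This only reads the key; it stays in the store,
    # so the live server certificate keeps working (the wizard's
    # 'Delete the private key if export is successful' option is never used).
    try {
        $pfxBytes = $cert.Export(
            [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx,
            $Password)
    } catch [System.Security.Cryptography.CryptographicException] {
        throw "Private key of $Thumbprint is not exportable; it was requested without an exportable key. $_"
    }
    [System.IO.File]::WriteAllBytes($BackupPath, $pfxBytes)

    # Verify the backup: load the PFX with the password and compare thumbprints.
    $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $check.Import($BackupPath, $Password,
        [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
    if ($check.Thumbprint -ne $cert.Thumbprint -or -not $check.HasPrivateKey) {
        throw "Backup verification failed for $BackupPath."
    }
    Write-Host "Exported $($cert.Subject) to $BackupPath; move it to removable media and store it securely."
}

# Usage (thumbprint and path are placeholders; the prompt matches the wizard's).
$pw = Read-Host -Prompt "Password for the backup file" -AsSecureString
Backup-ServerCertificate -Thumbprint "0123456789ABCDEF0123456789ABCDEF01234567" -BackupPath "D:\cert-backup\web01.pfx" -Password $pw
```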

To add Certificate Manager to MMC

  1. From the Start menu, click Run.

  2. In the Open box, type mmc, and then click OK. The Microsoft Management Console appears.

  3. In the File menu, click Add/Remove Snap-in.

  4. On the Standalone tab, click Add.

  5. From the Available Standalone Snap-ins list box, click Certificates, and click Add.

  6. Click the Computer account option, and click Next.

  7. Click the Local computer (the computer this console is running on) option, and click Finish.

  8. Click Close, and then click OK.