Today I had to install a renewed certificate for an HTTPS web server. Here are the steps I followed.
Create (or reauthenticate) your account
- Go to https://www.startssl.com/ and authenticate (or sign up, or use the express lane button).
- This process involves entering an authentication code sent to your e-mail address.
- Follow the procedure, everything is pretty straightforward. Don’t forget to back up the certificate which is installed in your browser. If you reinstall your PC, you will need this certificate to gain access to your account.
Do e-mail validations first
The first catch applies if you want to create a certificate for another domain.
First do an “email address validation” in the validations wizard for the domain you will be creating a certificate for. If you want to create a certificate for domainxyz.com, then first do an email validation for postmaster, hostmaster or firstname.lastname@example.org. For the .com TLD you might have other possibilities also.
If you have not validated this e-mail address, you won’t receive any verification codes on it.
Create a certificate
Follow all instructions in the “certificates wizard”. If you let StartSSL generate your private key, you should have at least the following files at hand:
- ssl.key (the encrypted private key)
- ssl.crt (the certificate or public key)
The ssl.crt file could be used on a Windows server, but that would be only the public key. For HTTPS you also need the private key, because the server has to decrypt the encrypted data. So you will need to link the private key and the certificate together, as described in the next steps.
Decrypt private key
First go to the toolbox and click “decrypt private key”.
Paste in the content of the ssl.key file and enter the password you provided in the previous step.
You now have a DECRYPTED private key. Copy this decrypted key.
Create Certificate for IIS
Now go to “Create PKCS#12” in the toolbox. Paste the decrypted key in the first box (private key) and paste the content of the ssl.crt file in the second box. Provide a new password to protect the file you will be creating.
Now download the PFX and use this file to install the certificate on your IIS 7.0/7.5 or higher.
Install the certificate
Open Inetmgr (Internet Information Services – IIS Manager) and open “Server Certificates” at server level.
Click the “IMPORT” button and supply the PFX you just created (and uploaded?). You might not have the right file extension, but that is no problem. Just choose *.* as file type and select the file. Finish off with your password, before hitting return.
Redefine bindings of website
Go to your HTTPS site,
- click “Bindings”
- “Edit” the https (port 443) line
- choose the right SSL certificate
- hit “OK”,
- and click the “Close” button
If you want to verify that the certificate is there, open certmgr.msc.
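The import and binding steps above can also be scripted. The following PowerShell is an added example, not part of the original post; it assumes Windows Server 2012 or later (for Import-PfxCertificate), the WebAdministration module, and a hypothetical PFX path and site name.

```powershell
# Added example; the path, site name and port below are assumed values.
param(
    [string]$PfxPath  = 'C:\temp\ssl.pfx',
    [string]$SiteName = 'Default Web Site',
    [int]$Port        = 443
)

Import-Module WebAdministration

# Prompt for the PFX password so it is not stored in the script or in history.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Import into the Local Computer "Personal" store, where IIS reads server certificates.
$cert = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword

# HTTPS needs the private key; a certificate imported without it cannot be served.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) was imported without a private key."
}

# Catch the mistake of importing the old certificate instead of the renewed one.
if ($cert.NotAfter -le (Get-Date)) {
    throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)."
}

# Locate the existing https binding; refuse to guess if several match.
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port
if (-not $binding) {
    throw "No https binding on port $Port for site '$SiteName'."
}
if (@($binding).Count -gt 1) {
    throw "More than one https binding on port $Port; narrow the selection first."
}

# Swap the certificate (the binding is briefly without one between the two calls).
if ($binding.certificateHash) { $binding.RemoveSslCertificate() }
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Re-read the binding and confirm it now points at the renewed certificate.
$bound = (Get-WebBinding -Name $SiteName -Protocol https -Port $Port).certificateHash
if ($bound -ne $cert.Thumbprint) {
    throw "Binding still references $bound, expected $($cert.Thumbprint)."
}
"Site '$SiteName' now serves certificate $bound (valid until $($cert.NotAfter))."
```

Run it from an elevated PowerShell session on the IIS server.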
Hope it helped