Virtualization Howto

Share SSL Certificates Between Multiple IIS Servers with Centralized Certificates


Managing certificates is probably one of the most cumbersome and administratively burdensome tasks that IT admins have to carry out on a day-to-day basis. This is especially true if you have multiple web servers that may be forward facing in a load balanced farm. There may be multiple servers that have multiple websites configured with different certificate configurations. Managing and scaling your SSL certificates across such an environment would be very labor intensive and tedious. Is there a way to centralize SSL cert management with Windows Server IIS? Yes. This is accomplished through the use of Centralized Certificate Store (CCS). Let’s take a look at how to share SSL Certificates between multiple IIS servers with Centralized Certificates.

What is Centralized Certificate Store CCS?

As the heading gives away, CCS stands for Centralized Certificate Store, and it has been available since Windows Server 2012. This may be a feature that you haven’t heard about or haven’t used in your environment. However, it is a great feature to manage SSL certificates, especially in environments where there are many sites and servers with multiple SSL certificates. In essence, instead of storing the SSL certificates locally on each server, the SSL certificates are stored in a central file share.

How does Centralized Certificate Store (CCS) work?

Centralized Certificate Store CCS is a component of the Web Server Role in Windows Server 2012 and higher that allows you to have a shared configuration between Windows Server IIS Servers for SSL Certificates. Typically, most IT admins will make use of the certificates that are stored in the My Computer Personal store for certificates.

This has worked in the past and continues to work, even with modern versions of Windows Server. There isn’t an issue with utilizing this same approach. However, it does not scale very well. As mentioned, if you have a web farm with many servers perhaps using the same exact certificate, importing the same SSL cert and private key into each server can be tedious. A much better approach would be to centralize and share the SSL certificate that is used across the web farm members so the SSL cert lives in one location and the member servers of the web farm can all reach the same cert for encrypting the web traffic.

When the certificate comes up again for renewal, the same process has to be repeated across the board to import and install the new renewed certificate for the IIS website on each server. Centralized Certificate Store, again, helps to resolve this issue.

There are also some minor performance improvements for SSL communication when using CCS for serving out SSL certificates. When using CCS, there is only one binding and the certs are loaded on demand and cached for future use. In this way the memory consumption is reduced and there is a slight performance gain.

Installing Centralized Certificate Store (CCS)

Installing Centralized Certificate Store (Centralized SSL support) for Windows Server IIS is easy. The Web Server subcomponent is found under the Web Server (IIS) > Web Server > Security section.


Other Requirements for Centralized Certificate Store (CCS)

What other requirements are needed for the CCS to work correctly? Aside from installing the subcomponent for IIS Web Server, you need to have:

  • File share – You need to have a centralized share that will be accessible from each server that will be making use of the shared SSL certificate
  • Certificates – You need a certificate in the PFX format that contains both the public and private keys
  • File naming formatted correctly – For IIS to find the exact file, a naming convention has to be used while storing certificates on the CCS file share. As per the naming convention, the name of the certificate should be: subject name of the cert. CCS will look for an SSL cert with this exact name when looking in the CCS share.

To start configuring the Centralized Certificates Store CCS for use with serving out SSL certs for your IIS websites, navigate to the IIS server name > Management > Centralized Certificates.


Click the Edit Feature Settings link to begin configuration.


This launches the Edit Centralized Certificates configuration dialog box. Points of configuration to make note of:

  • Enable Centralized Certificates (Enable the checkbox)
  • Physical Path
  • Certificate Private Key Password (Optional)


In the share, I have placed the PFX certificate for sharing between servers.


Automatically, the Centralized Certificates dashboard shows the certificate found in the share.


Configure IIS Website to Use Centralized Certificates

To use the certificate from the Centralized Certificate Store in the bindings of an IIS website, populate the Host name and then place a check next to Use Centralized Certificate Store. You don’t have to use the Require Server Name Indication option; however, the two are compatible for use together.
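The same configuration can be scripted so that every farm member is set up identically. This is an added example, not part of the original article; the share path, the account that reads the share, the site name and the host name are assumptions, and it expects Windows PowerShell 5.1 with the IISAdministration and WebAdministration modules of Windows Server 2019.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the GUI steps above, run on each farm member.
# Assumptions (not from the article): the share path, the account that reads it,
# the site name and the host name are placeholders for your own values.

$ccsShare = '\\fileserver01\ccs$'      # hypothetical UNC path that holds the PFX files
$ccsUser  = 'CONTOSO\svc-ccs-read'     # hypothetical account with read-only access to the share
$siteName = 'Default Web Site'
$hostName = 'www.example.com'

# 1. Install the "Centralized SSL Certificate Support" role service.
Install-WindowsFeature -Name Web-CertProvider | Out-Null
Import-Module IISAdministration, WebAdministration

# 2. Prompt for the secrets as SecureStrings so they are never stored in the script.
$ccsPassword = Read-Host -AsSecureString -Prompt "Password for $ccsUser"
$pfxPassword = Read-Host -AsSecureString -Prompt 'Private key password of the PFX files'

# 3. CCS finds a certificate by file name: <host name>.pfx, or _.<domain>.pfx for a
#    wildcard certificate. Fail early if neither file exists.
#    (This check runs as the current administrator, not as $ccsUser.)
$exactPfx    = Join-Path $ccsShare "$hostName.pfx"
$wildcardPfx = Join-Path $ccsShare ('_.' + ($hostName -split '\.', 2)[1] + '.pfx')
if (-not ((Test-Path $exactPfx) -or (Test-Path $wildcardPfx))) {
    throw "No PFX for $hostName in $ccsShare (looked for $exactPfx and $wildcardPfx)."
}

# 4. Enable CCS: physical path, the account used to read the share, and the
#    private key password shared by all PFX files in the store.
Enable-IISCentralCertProvider -CertStoreLocation $ccsShare -UserName $ccsUser `
    -Password $ccsPassword -PrivateKeyPassword $pfxPassword

# 5. Add the HTTPS binding. SslFlags 3 = Server Name Indication (1) + Centralized
#    Certificate Store (2); use 2 for CCS without SNI.
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName -SslFlags 3
}

# 6. Show the resulting CCS settings and the site's HTTPS bindings for review.
Get-IISCentralCertProvider
Get-WebBinding -Name $siteName -Protocol https |
    Select-Object protocol, bindingInformation, sslFlags
```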


Security Best Practices of Centralized Certificate Store

Don’t forget about security with CCS. As noted by the Microsoft blog post, the following are security best practices for CCS:

  • At this time I am not aware of the ability to use Group Managed Service Accounts for this feature. I will update the blog if I find out that you can.
  • Bitlocker protect the volume that hosts the share for the certs. We introduced the ability to Bitlocker protect Cluster Shared Volumes in Windows Server 2012. The volume hosting the share holding your SSL certs might be a good candidate perhaps? :)
  • Also note in the config dialog how the Private Key password is optional. This assumes that you did not use a password to protect the private key when you exported the certificate to place on the share. I can’t think of a reason as to why you would NOT want to use a private key password. So set a private key password and configure this option.
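A periodic audit of the share can confirm that the private key password recommendation is actually followed. This is an added example, not part of the original article or the Microsoft blog post; the share path and the 30-day expiry threshold are assumptions, and it relies on the built-in Get-PfxData cmdlet of the PKI module.

```powershell
# Added example: audit every PFX file in a CCS share.
# Assumptions (not from the article): the share path and the expiry warning window.
$ccsShare = '\\fileserver01\ccs$'      # hypothetical UNC path of the CCS share
$warnDays = 30                         # assumed warning window before expiry
$pfxPassword = Read-Host -AsSecureString -Prompt 'Private key password configured in CCS'

# True if $Name is one of the certificate's names, directly or through a wildcard
# name that covers exactly one extra left-most label.
function Test-NameCovered {
    param([string]$Name, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        if ($n -eq $Name) { return $true }
        if ($n.StartsWith('*.') -and (($Name -split '\.', 2)[1] -eq $n.Substring(2))) {
            return $true
        }
    }
    return $false
}

$report = foreach ($file in Get-ChildItem -Path $ccsShare -Filter *.pfx -File) {
    $findings = @()
    $pfx = $null

    # (a) A PFX that opens without any password has an unprotected private key.
    try {
        $pfx = Get-PfxData -FilePath $file.FullName -ErrorAction Stop
        $findings += 'private key is NOT password protected'
    } catch { }

    # (b) CCS uses one private key password for the whole store, so every file
    #     must open with it.
    try {
        $pfx = Get-PfxData -FilePath $file.FullName -Password $pfxPassword -ErrorAction Stop
    } catch {
        $findings += 'does not open with the CCS private key password'
    }

    $cert = if ($pfx) { $pfx.EndEntityCertificates | Select-Object -First 1 }
    if ($cert) {
        # (c) The file name is the name CCS looks up; "_." stands for a wildcard "*.".
        $lookupName = $file.BaseName -replace '^_\.', '*.'
        $certNames  = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        if ($certNames.Count -eq 0) {
            $certNames = @($cert.GetNameInfo('SimpleName', $false))   # fall back to the CN
        }
        if (-not (Test-NameCovered -Name $lookupName -CertNames $certNames)) {
            $findings += "file name '$lookupName' is not covered by: $($certNames -join ', ')"
        }

        # (d) Expired or soon-to-expire certificates.
        if ($cert.NotAfter -lt (Get-Date)) {
            $findings += 'certificate has expired'
        } elseif ($cert.NotAfter -lt (Get-Date).AddDays($warnDays)) {
            $findings += "certificate expires within $warnDays days"
        }
    } elseif ($pfx) {
        $findings += 'no end-entity certificate found in the file'
    }

    [pscustomobject]@{
        File     = $file.Name
        Subject  = if ($cert) { $cert.Subject } else { '' }
        NotAfter = if ($cert) { $cert.NotAfter } else { $null }
        Findings = $findings -join '; '
    }
}

$report | Format-Table -AutoSize -Wrap
if ($report | Where-Object Findings) { exit 1 }   # non-zero exit for scheduled runs
```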

Wrapping Up

Sharing SSL certificates between multiple IIS servers with Centralized Certificates is a great way to lower the administrative burden of managing SSL certificates. Not only is the configuration of multiple servers much easier, there is also a slight performance advantage to CCS. The requirements are minimal and the binding for an IIS site is easy to activate for use with CCS.


Brandon Lee


Windows OS Hub

How to Install an SSL Certificate on IIS (Windows Server)


To create an SSL/TLS certificate from an external Certificate Authority (CA), you need to generate a Certificate Signing Request (CSR). You can create a CSR from within the IIS GUI:

  • Open the Internet Information Services Manager console ( InetMgr.exe );


  • From the Actions menu on the right, select Create Certificate Request ;
  • Common Name – specify the FQDN of the site (webserver) your clients will connect to. For example: reports.woshub.com. If you want to create a wildcard certificate for a domain, please type in *.woshub.com;
  • Organization – specify the name of your organization. For Organization Validation (OV) and Extended Validation (EV) certificates, please enter the official organization name. Individuals may use Domain Validation (DV) SSL certificates. In this case, you must provide the full name of the certificate owner;
  • Organizational unit – the internal name of the department within your organization that is responsible for the certificate;
  • City/locality
  • State/province
  • Country/region – two-letter country code.


  • Specify the name of the file to save the CSR request;


Submit your CSR file to the organization authorized to issue SSL certificates. If you are using an internal Microsoft-based Certificate Authority, please upload the CSR, sign the certificate, and then download the CER file.


Open the IIS Manager console, go to the Certificates section, and select Complete Certificate Request.


What you need to do is to convert your CRT certificate to PFX format. The easiest way to do this is to use the openssl tool, which is available in any Linux distribution. You will need a certificate (*.crt) and a private key (*.key) file. To do the conversion, run the command below.

$ openssl pkcs12 -export -out target.pfx -inkey source.key -in source.crt

Once you have a certificate file in PFX format, you can import it into your Windows certificate store via the Import menu.

  • Double-click your CRT file;


  • Specify the path to save your CER certificate file.


Once that’s done, the new SSL certificate should appear in the list of available certificates in IIS.

Now you need to bind your certificate to the IIS website, port, and/or IP address. Locate your website in the IIS console, and select Edit Bindings.


Click Add and fill in the following info:

  • Type: https
  • IP Address: select All Unassigned or a specific IP address to bind the SSL certificate to (you can run multiple websites on the same port and IP address of the IIS web server)
  • Port number: 443
  • Hostname: specify the name of the host the certificate was issued for
  • SSL Certificate: find and select the SSL certificate that you installed from the list


Try opening your IIS website in a browser using the https:// prefix. If the certificate is installed correctly, a green padlock will appear in the address bar of your browser. This means the connection is secure. Click the padlock icon to view information about the SSL certificate.


Next, configure IIS rules to redirect all HTTP requests to the site to HTTPS URL addresses.


GeoCerts Blog

How to install an SSL certificate on multiple servers

"How do I install my SSL certificate on more than one server?" We get asked this question a lot. 

Why would you need to install on multiple servers?

If you buy a wildcard SSL certificate you may want to use that certificate across multiple servers that share the same base domain. Or perhaps you purchase a multi-domain certificate, issued for many different domains, and you want to use it across multiple servers.

There are generally two methods used to deploy a single SSL certificate across multiple servers: the Export/Import method and the Issue/Reissue method. We'll discuss both.

The Export/Import method

The Export/Import method is the easiest and most popular option, especially for Windows servers. Start with server 1 and then export the SSL keys from server 1 and import to server 2, server 3, and so on. With this method, you'll be using the exact same private key and SSL certificate on each server.

  1. Install your SSL certificate on server 1.
  2. Save your SSL keys from server 1 to a file.
  3. Import the keys you saved from step 2 into server 3 and repeat for additional servers.


The Issue/Reissue method

The Issue/Reissue method is more complex and time-consuming, but it's also considered more secure and a best practice in distributing private keys across multiple servers. With this method you'll be using a unique private key and SSL certificate on each server. First, you issue a certificate for server 1 and then request free certificate reissues for each additional server.

  1. Install your SSL certificate as normal on server 1.
  2. From server 2, generate a fresh private key and Certificate Signing Request (CSR).
  3. Log in to your GeoCerts CertCommand account, find the order, and submit the new CSR for a free reissue.
  4. Complete any pending domain and/or organization validation steps required.
  5. When the reissue is complete, download the certificate files from your account and install them on server 2.
  6. For each additional server, repeat steps 2 through 5 above.


Which method should I use?

Picking the best method depends on the brand/type of servers you are working with. Are they all Windows servers? Are they all Java servers? Or are they a mix of different brands/types of servers? Below we have compiled our recommendations for the most popular servers and use cases.

Windows-to-Windows servers

Recommended method: Export/Import

For Windows servers, like IIS and Exchange, we recommend using the Export/Import method described above. Windows makes it super easy to back up your SSL keys to a Personal Information Exchange (PFX) archive. A PFX file is a single, password-protected certificate archive that contains the entire certificate chain plus the matching private key. Essentially it is everything that any Windows server will need to import a certificate and private key from a single file.

  • Learn how to Export & import SSL certificates between Windows servers with a PFX file
  • Learn how to download a PFX file?
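The Export/Import method for Windows servers, scripted with the built-in PKI cmdlets. This is an added example, not GeoCerts' own code; the thumbprint placeholder, the server names and the temporary paths are assumptions, and PowerShell remoting to the target servers is assumed to be enabled.

```powershell
#Requires -RunAsAdministrator
# Added example: export a certificate and key from server 1 to a password-protected
# PFX, import it on the other servers, and remove every copy of the PFX afterwards.
# Assumptions: placeholder thumbprint, hypothetical server names and temp paths.

$thumbprint  = '<THUMBPRINT-OF-THE-CERTIFICATE-ON-SERVER-1>'   # placeholder
$targets     = 'web02', 'web03'                                 # hypothetical servers
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the PFX'
$localPfx    = Join-Path $env:TEMP 'farm-cert-export.pfx'
$remotePfx   = 'C:\Windows\Temp\farm-cert-import.pfx'

try {
    # Step 2 of the method: save the certificate and private key to a file.
    # This only works if the key on server 1 was marked exportable.
    Export-PfxCertificate -Cert "Cert:\LocalMachine\My\$thumbprint" `
        -FilePath $localPfx -Password $pfxPassword | Out-Null

    foreach ($target in $targets) {
        $session = New-PSSession -ComputerName $target
        try {
            Copy-Item -Path $localPfx -Destination $remotePfx -ToSession $session

            # Step 3: import on the target. Without -Exportable the private key is
            # stored as non-exportable, so it cannot be copied onward from there.
            $imported = Invoke-Command -Session $session `
                -ArgumentList $remotePfx, $pfxPassword -ScriptBlock {
                    param($Path, $Password)
                    try {
                        (Import-PfxCertificate -FilePath $Path -Password $Password `
                            -CertStoreLocation Cert:\LocalMachine\My).Thumbprint
                    } finally {
                        Remove-Item -Path $Path -Force   # no PFX left on the target
                    }
                }

            # The same certificate must now be present on the target.
            [pscustomobject]@{
                Server     = $target
                Thumbprint = $imported
                Match      = ($imported -eq $thumbprint)
            }
        } finally {
            Remove-PSSession $session
        }
    }
} finally {
    # Remove the exported PFX from server 1 as well.
    Remove-Item -Path $localPfx -Force -ErrorAction SilentlyContinue
}
```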

Java-to-Java servers

Recommended method: Export/Import 

Java-based servers, like Tomcat, use Java Keystores as a storage repository for public key SSL/TLS certificates and their corresponding private keys. A Keystore is created and managed using the keytool command. A Keystore does not contain any information which ties it to a specific system or server so it can be freely copied between servers as needed.

  • Learn how to generate a Java Keystore, private key, and CSR
  • Learn how to install an SSL certificate into a Java Keystore

Apache-to-Apache & NGINX-to-NGINX servers

Recommended method: Issue/Reissue

Apache servers do not use a single repository file to store their public key SSL/TLS certificates and their corresponding private keys. Rather, Apache configuration files point to individual certificate and private key files. For this reason, we think it's just easier, and a best practice, to use the Issue/Reissue method rather than trying to copy certificate files from one server to another.

  • Learn how to generate a private key and CSR for Apache
  • Learn how to install an SSL certificate on Apache

Brand-X to Brand-Y servers

If you have a certificate and private key working on, say, a Windows server and you want to also use it on, maybe, a Java-based server like Tomcat, do not waste your time and frustrate yourself trying to convert a PFX certificate archive to a Java Keystore archive. Use the Issue/Reissue method instead. Generate a new private key and CSR from each type of server and submit for individual reissues.

How-To Geek

How to Configure SSL Certificates in IIS for Windows Server


SSL certificates are a crucial component of the modern web, as they are required for secure HTTPS traffic, protecting your users from attackers in the middle sniffing packets. We'll show how to request and configure them for Microsoft's IIS web server.

SSL certificates (SSL stands for Secure Sockets Layer) protect and secure websites all over the world. You can tell when a website has an SSL certificate configured because the URL in the browser shows https:// instead of just http://.

When a website has SSL configured properly, it encrypts the data between the web server that hosts the website and your computer or mobile device. This prevents 3rd parties and hackers from intercepting the data and being able to steal your passwords and credit card information. If a website is taking credit cards or passwords from you, most of the time it will have a secure SSL connection, protecting you and your data.

This guide is for intermediate users who have a medium to strong grasp on technology but need help specifically installing a certificate in IIS (Internet Information Services) on Windows Server. This guide will walk you through the basic steps needed to get your URL secured with SSL and ready to encrypt connections.

The first thing you will need to do is generate a certificate signing request from your web server for your website. To do this, open IIS Manager (Internet Information Services) on your web server and navigate to Server Certificates.

On the right-hand side of IIS, select Create Certificate Request and enter in your company information. Anyone can get SSL for their website, so if you do not have a company name, you can just use your legal name or entity. This information is needed to register the website with the SSL authority to try and prevent fraud and false SSL registration.

Please be aware that Common Name should be www.yourdomain.com instead of just yourdomain.com. If the www is not included in this section, you will only be able to secure yourdomain.com and not www.yourdomain.com. If the www is included, you are able to secure both.

Once you have filled out this section, click Next to move on.

On the following page, select your Bit Length for encryption, usually 2048, and click Next. Save your CSR on your desktop as yourdomain.csr.txt and keep it handy, as we will be providing this data to a certificate issuer in the next step.

Navigate to your desired certificate authority's website and begin your SSL order. Many organizations use services like DigiCert, GlobalSign, Namecheap, or Verisign to order their certificates and secure their domains. There is also Let's Encrypt, which offers free certificates.

At this point, you will need to provide the contents of the CSR we generated in the last step. You can open this .csr.txt file in Notepad and copy out the CSR data. It will look something like this:


Copy the contents of your CSR to your order form as requested and follow the instructions on your SSL registrar's form. Once you complete your order, download the .cer they provide to you and save it to your web server.

You are nearly ready to provide secure connections between visitors and your website!

On your server, go back to IIS and Server Certificates and select 'Complete Certificate Request' on the right hand side of IIS Manager.

Upload the new certificate file you just downloaded from the SSL issuer and keep the friendly name the same as your domain or yourdomain.com-01 for simplicity. You can leave the selected certificate store as the Personal store.

Now that you have installed your SSL certificate on your server, you must bind it to your website in order for it to take effect.

To bind it to a website, navigate to your website in IIS and select Bindings on the right-hand side.

You will need to add a new binding for Type: https and select your SSL certificate from the drop-down, which you labeled yourdomain.com or yourdomain.com-01.

For hostname you will want to make it yourdomain.com. After you create this binding you will want to create a second binding for www.yourdomain.com as well so that both the www and non-www versions of the URL are encrypted.

Select OK and your binding should take effect. Now if you want to access your website securely you can go to https://yourdomain.com to see if the SSL is installed correctly.

To make sure SSL is loading correctly for all users, go to an SSL Checker website like https://www.sslshopper.com/ssl-checker.html and enter your domain in the form field as https://yourdomain.com. If it works correctly, it will show you all green checks, otherwise it will tell you exactly what is wrong.

If only some of the content is appearing encrypted, you will need to update the URLs for things like images and scripts in your website's code to have the https:// URL instead of http://.

Try testing both www and non-www versions of your site for errors.

To force your website to load the secure URL (https) instead of http, you will need to create a redirect rule forcing http to redirect to https for this website.

You are now encrypting sensitive data between your users and your website! This makes your website more credible and safer for everyone on the internet. Thanks for doing your part!


How to Install an SSL Certificate on IIS 10 & other versions

This guide will show you how to install an SSL Certificate on the IIS Microsoft server. By the end of this guide, you’ll have a perfectly running SSL installation. We will also give you a few tips on where to buy and how to find the perfect SSL certificate for a Microsoft IIS server.


Generate a CSR Code

Before installing the certificate, you need to generate a CSR (Certificate Signing Request) for the IIS server.

You have two options:

  • Generate the CSR automatically using our CSR Generator. Note: If you don’t generate the CSR in IIS, but via an external tool such as our CSR generator, you will need to convert the SSL certificate along with the private key to PFX format. Here is a guide with detailed instructions on how to import and export a PFX file in IIS.
  • Follow our tutorial on how to generate a CSR on IIS manually.

How to Install an SSL Certificate on IIS 10

Follow the steps below to configure your SSL certificate on IIS 10.

  • Download and extract the certificate file that you’ve received from the Certificate Authority. Look for the file with the .cer extension and save it to your server’s directory
  • From your keyboard, press Win + r, type inetmgr, and click OK to open the Internet Information Services (IIS) Manager. You can also launch the IIS manager via Start > Administrative Tools > Internet Information Services (IIS) Manager
  • On the left, you will find the Connections section. Select the server and double-click the Server Certificates icon from the Home page
  • On the right, locate the Actions section and select Complete Certificate Request
  • File name containing the certification authority’s response – locate and indicate the .cer file that you received from the Certificate Authority
  • Friendly Name – type your domain name, or any other easy-to-remember name
  • Select a certificate store for the new certificate – Personal. Click OK
  • Now you have to assign your certificate to your website. Go back to the Connections menu and expand the Sites folder. Select the site you want to protect
  • Next, locate and click the Bindings option. You’ll find it in the Actions section, under Edit Site
  • In the next window click Add
  • Type – HTTPS
  • IP address – All Unassigned, or your IP address
  • Port – 443
  • SSL certificate – the friendly name of the imported certificate. If you plan to add multiple SSL Certificates to the same server, check the Require Server Name Indication box. Click OK and Close.
  • Click Restart under Manage Website
You’ve successfully installed the SSL Certificate on IIS 10 server.

Note: If your SSL Certificate file extension is *.crt (PEM-encoded format), you may also need to import root and intermediate certificates to the server via Microsoft Management Console (MMC). For the *.cer and *.p7b files (PKCS#7 format) you don’t need to perform additional actions.

How to Install an SSL Certificate on IIS 8 & 8.5

After the CA validates and issues the SSL Certificate, complete the following steps:

  • Download and extract your SSL Certificate (.cer file) to your server directory
  • Go to Start > Administrative Tools > Internet Information Services (IIS) Manager and open it
  • Locate your server in the left-side Connections menu and double-click the Server Certificates icon
  • Now, in the right Actions pane click on Complete Certificate Request
  • The Complete Certificate Request window will open. Indicate the path to your .cer certificate file and add a Friendly Name (here you can type your domain, or an easy-to-remember name to avoid confusion with other requests). From the drop-down list, select Personal as your certificate store and click OK
  • Go back to the Connections section and click to expand the Sites folder. Select the website you want to secure
  • Hover your mouse over the top-right Actions menu and select Bindings
  • A new Site Bindings window will pop up. Click Add
  • SSL certificate – the friendly name of the imported certificate. We recommend checking the Require Server Name Indication box as it allows multiple SSL installations on the same server. Click OK and Close.
  • Under Manage Website click Restart

Congratulations, you’ve activated the HTTPS version for your website!

How to Install an SSL Certificate on IIS 7

You can install the SSL certificate on the same machine where you’ve generated it, using the IIS manager. Please follow the steps below:

  • Open and save the certificate (.cer) file that you received from the Certificate Authority on your server
  • Press Win + r, type inetmgr, and click OK to open the Internet Information Services Manager. You can also access it via Start menu > Administrative Tools > Internet Information Services (IIS) Manager
  • Select the server in the right-side Connections menu and double-click “Server Certificates” from the center menu
  • On the right side, inside Actions, click the “Complete Certificate Request” option to open the Complete Certificate Request wizard
  • In the wizard, on the Specify Certificate Authority Response window, locate the .cer file you received from the Certificate Authority, e.g. www_ssldragon_com.cer, and give it a friendly, easy-to-remember name. The friendly name helps distinguish this particular certificate from the other certificates on the server. Tip: For easy identification specify the CA name and the expiration date at the end of your friendly name
  • Click OK to install the certificate. Note: If you receive the following errors: “Cannot find the certificate request associated with this certificate file. A certificate request must be completed on the computer where it was created” or “ASN1 bad tag value met” when importing the certificate, don’t panic. This is a known issue in IIS 7 where the actual certificate is imported but doesn’t have a friendly name. Thankfully, Microsoft provides an easy fix. Close the error window and press F5 to refresh the list of server certificates. Follow these instructions.
  • Now, you have to assign your certificate to the default website. Go to the left-side Connections menu and click on your webserver
  • Expand the Sites folder and select the website you want to secure with this certificate
  • Next, move to the right-side Actions menu and click on the Bindings… option under Edit Site
  • In the new Site Bindings window, click Add
  • SSL certificate – the friendly name of the imported certificate

Congratulations! You’ve finally installed the SSL Certificate on the Microsoft IIS 7 server.

How to Install an SSL Certificate on IIS 5 & 6

Once you’ve generated the CSR, you can install it on your server:

  • You will receive an archived zip folder from the Certificate Authority. Download and extract the your_domain_name.cer file to your server directory
  • Click the Start button and go to Administrative Tools under All Programs. Open the Internet Services Manager
  • Right-click the website you want to secure (e.g. Default Web Site) and left-click on Properties
  • Select the Directory Security tab and click on Server Certificate
  • In the IIS Certificate Wizard select the first option, Process the pending request and install the certificate. Click Next
  • Now, browse to the location of your SSL Certificate (.cer file) that you previously saved on your server’s directory. Click Next
  • Double-check the summary screen and click Next
  • Review the information once again then hit Next, and finally Finish
  • Restart your server now

Congratulations, you have successfully installed the SSL Certificate on the Microsoft IIS server!

Manually Install the Intermediate Certificates

In some instances, you may need to manually install the intermediate certificates on IIS 5 & 6 and IIS 7. Follow the instructions below:

  •  Double-click the Intermediate certificate from your server’s desktop and click  Open .
  • In the Certificate window, select the  General  tab, click  Install Certificate …, then click  Next .
  • In the Certificate Import Wizard, select  Place all certificates in the following store …, then click  Browse .
  • Check the  Show Physical stores  box.
  • Next, expand the Intermediate Certification Authority folder.
  • Select  Local Computer , then click OK and Finish.
  • Restart the IIS server.
  1. Press Win+R, type mmc in the Run command, and press Enter
  2. In the Microsoft Management Console, click the File button in the top-left corner and select Add/Remove Snap-in
  3. Click Add, then double-click Certificates
  4. Click Add and select Computer Account. Click Next
  5. In the “Select Computer” window, choose the first option, Local Computer, and press Finish
  6. Now close the Standalone Snap-in window and click OK in the “Add/Remove Snap-in” window
  7. Back in the MMC, right-click on the Intermediate Certificate Authorities folder and go to All Tasks > Import
  8. The Certificate Import Wizard will now open. Click Next
  9. In the following window, select the intermediate SSL certificate and click Next. Wait for the Wizard to complete and click Finish.

In the unlikely event that the root certificate is not pre-installed in Windows, repeat the last three steps (7 to 9) to complete the root certificate installation.

After the installation, it’s important to scan your SSL Certificate for potential errors and vulnerabilities. You can use one of these  SSL tools  to get instant reports on the state of your SSL.

Frequently Asked Questions

Navigate to Start > Windows Administrative Tools > Internet Information Services (IIS) Manager. Click on the server name in the Connections panel. Double-click on Server Certificates to display certificates in the IIS Manager.

To renew your SSL certificate on IIS, you must install a new one following the same CSR generation and SSL installation steps. SSL certificates are valid for one year. So, when you renew your certificate, you buy a new one and install it again on your server.

Your certificate may not show up because it’s not the same cert you created a “ Certificate Request ” for. If you add a certificate that wasn’t requested in “ Server Certificates ”, it won’t display in the IIS binding window even if it does in the “ Server Certificates ” list.

How do I bulk change the SSL certificate on multiple sites in IIS using powershell?

I have a server with a dozen or so sites that each have HTTP and HTTPS bindings, with a couple of these sites sharing the same root domain, like so:

Now, the SSL certificate I use, *.contoso.com, is expiring next week, so I got a new one, imported it and it is now available to IIS. To replace the certificate for each binding using the old one I now have to go to each site, go to bindings, select the :443 binding and set it to use the new certificate. Not a big issue with just one site, but I have dozens of sites all running on this certificate!

How can I easily switch all the *.contoso.com sites from the old certificate to the new one using PowerShell?

I have already looked into the documentation of the IISAdministration module but I haven't been successful in finding a method that allows me to change a binding so that it uses a different certificate, and Google mostly gives me solutions that include the renewal of a certificate, something I've already handled using my certificate provider's website.

Contoso is a placeholder name and not a real company.

  • windows-server-2019

MMM's user avatar

2 Answers

The above script failed to work for me, is more complex, and requires installing additional server components to use. Instead, we can directly update the existing binding.

The below, modified, code is much more concise and reduces the chance of interruptions to live sites caused by attempting to remove bindings and re-add them.

Appleoddity's user avatar

This should do what you're looking for using the WebAdministration module instead. I'm not able to test it out at the moment, so definitely try it out on one binding first in case I typo'd something:

First, make sure you can get the new certificate. You can filter by FriendlyName/SubjectName/Thumbprint etc. Basically, make sure that this command only returns one certificate for you:

Then this script will recreate your SSL bindings using the new certificate. Try running each step manually first:

I originally based this on Terri Donahue's post here, which has a lot more detail and explanations about the process.

Cpt.Whale's user avatar
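One way to make the switch the question asks for, added here as an example and not the code from either answer. It uses the WebAdministration module's Get-WebBinding and the binding methods RemoveSslCertificate and AddSslCertificate; the two thumbprints are parameters you supply, the helper name Test-NameCovered is made up for this example, and nothing is changed unless -Apply is given.

```powershell
#Requires -RunAsAdministrator
# Added example: report (and, with -Apply, switch) every HTTPS binding that
# still uses the old certificate. Thumbprints are supplied by the operator.
param(
    [Parameter(Mandatory)] [string] $OldThumbprint,
    [Parameter(Mandatory)] [string] $NewThumbprint,
    [string] $StoreName = 'My',
    [switch] $Apply                      # without -Apply nothing is changed
)
Import-Module WebAdministration

# Thumbprints copied from the certificate dialog can carry spaces or an
# invisible leading character; keep only the hex digits.
$old = ($OldThumbprint -replace '[^0-9A-Fa-f]').ToUpperInvariant()
$new = ($NewThumbprint -replace '[^0-9A-Fa-f]').ToUpperInvariant()

# Refuse to continue unless the replacement is usable on this server.
$cert = Get-Item -Path "Cert:\LocalMachine\$StoreName\$new" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw 'New certificate has no private key on this server.' }
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "New certificate is not valid now ($($cert.NotBefore) to $($cert.NotAfter))."
}
$certNames = @($cert.DnsNameList | Where-Object { $_ } | ForEach-Object { $_.Unicode })

function Test-NameCovered {
    # True when $HostName matches one of the certificate's DNS names. A
    # wildcard covers exactly one extra label: *.contoso.com covers
    # www.contoso.com but not a.b.contoso.com and not contoso.com.
    param([string] $HostName, [string[]] $Names)
    foreach ($n in $Names) {
        if ($n -eq $HostName) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                       # ".contoso.com"
            if ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label -and $label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

$targets = @(Get-WebBinding -Protocol https | Where-Object { $_.certificateHash -eq $old })
if ($targets.Count -eq 0) { 'No HTTPS binding uses the old thumbprint.' }

$report = foreach ($b in $targets) {
    $site     = if ($b.ItemXPath -match "@name='([^']+)'") { $Matches[1] } else { '?' }
    $hostName = ($b.bindingInformation -split ':')[-1]      # "ip:port:host"
    $covered  = if ($hostName) { Test-NameCovered $hostName $certNames } else { $null }
    $action   = 'would switch'
    if ($covered -eq $false) {
        $action = 'skipped: host name is not on the new certificate'
    } elseif ($Apply) {
        $b.RemoveSslCertificate()
        $b.AddSslCertificate($new, $StoreName)
        $action = 'switched'
    }
    [pscustomobject]@{ Site = $site; Binding = $b.bindingInformation; Covered = $covered; Action = $action }
}
$report | Format-Table -AutoSize

if ($Apply) {
    $left = @(Get-WebBinding -Protocol https | Where-Object { $_.certificateHash -eq $old })
    '{0} binding(s) still reference the old certificate.' -f $left.Count
}
```

Run it once without -Apply and read the report before making the change; bindings with no host name are reported with an empty Covered column because there is nothing to compare against the certificate.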

Get multiple TLS/SSL certificates using SNI automation

Server Name Indication (SNI) allows the web servers and network appliances to safely host multiple TLS/SSL certificates for multiple sites, all under a single IP address and port number. Instead of requiring a different IP address for each SSL site, you can use SNI to install and configure multiple SSL sites to one IP address.

Load balancers with support for SNI automation

Amazon CloudFront

Amazon Elastic Load Balancer (ALB and NLB)

F5 BIG-IP LTM

Web servers with support for SNI automation

Microsoft IIS

SNI certificate automation can only happen on HTTPS bindings. To request additional certificates for an IP address/domain, you must have a TLS/SSL certificate installed on the IP/port of the server or appliance.

Before you begin

For automation using Microsoft IIS server

Enable PowerShell on your machine.

If you do not have an HTTPS binding on your server, configure the IP address of the default HTTP binding for this port as  All unassigned  on the server.

If you have an HTTPS SNI binding on your server, configure the HTTPS SNI binding with the specific IP address and port on the server.

Create an automation event for SNI domains

In your CertCentral account, in the left main menu, go to  Automation > Automated IPs .

On the  Automated IPs  page, find the common name for the IP/port for which you want an additional certificate.

In the  Action  column, select  Add SNI.

On the automation request page, enter the common name and server name that you want the certificate to secure based on the automation location.

Microsoft IIS server

In the Common name field, enter the SNI domain name which you want to secure. The common name will be used as the server’s SNI domain name.

Amazon CloudFront, ALB, NLB, Citrix, and F5 BIG-IP LTM load balancers

In the Common name field, enter the SNI domain name you want to secure.

(Optional) Select  Make this the default site  to set this site as the default site for all automation requests regardless of the load balancers.

You can only assign one site as a default. If a default site already exists, it does not replace your previous selection. This means that the certificate issued will only protect this specific domain you have entered.

A10 load balancers

In the  Common name  field, enter the SNI domain name you want to secure.

In the  Server name  field, enter the exact SNI domain name you want to secure when the common name is a wildcard domain. The server name must be unique and must not duplicate another server name. It has to be a valid FQDN.

You can only have one site as a default. If there is already a default site, it does not replace your previous selection. This means that the certificate issued will only protect this specific domain you have entered.

Provide the other required information and schedule the certificate automation.

What’s next

When the automation is complete, the certificate for the requested site will be issued and installed to the IP address and port.

IIS 10: Create CSR and Install SSL Certificate

Creating a CSR and installing your SSL certificate on your Windows Server 2016

Use the instructions on this page to use IIS 10 to create your certificate signing request (CSR) and then to install your SSL certificate on your Windows Server 2016.

To create your certificate signing request (CSR), see IIS 10: How to Create Your CSR on Windows Server 2016 .

To install your SSL certificate, see IIS 10: How to Install and Configure Your SSL Certificate on Windows Server 2016 .

If you are looking for a simpler way to create CSRs, and install and manage your SSL Certificates, we recommend using the DigiCert® Certificate Utility for Windows. You can use the DigiCert Utility to generate your CSR and install your SSL certificate. See  Windows Server 2016: Create CSR & Install SSL Certificate with DigiCert Utility .

1. IIS 10: How to Create Your CSR on Windows Server 2016

Using IIS 10 to create your CSR

In the Windows start menu, type Internet Information Services (IIS) Manager and open it.

In Internet Information Services (IIS) Manager , in the Connections menu tree (left pane), locate and click the server name.

On the server name Home page (center pane), in the IIS section, double-click Server Certificates .

On the Server Certificates page (center pane), in the Actions menu (right pane), click the Create Certificate Request… link.

In the Request Certificate wizard, on the Distinguished Name Properties page, provide the information specified below and then click Next :

On the Cryptographic Service Provider Properties page, provide the information below and then click Next .

On the File Name page, under Specify a file name for the certificate request , click the … box to browse to a location where you want to save your CSR.

Note: Remember the filename that you choose and the location to which you save your csr.txt file. If you just enter a filename without browsing to a location, your CSR will end up in C:\Windows\System32.

When you are done, click Finish .

Use a text editor (such as Notepad) to open the file. Then, copy the text, including the  -----BEGIN NEW CERTIFICATE REQUEST-----  and  -----END NEW CERTIFICATE REQUEST-----  tags, and paste it into the DigiCert order form.

Ready to order your SSL certificate

After you receive your SSL certificate from DigiCert, you can install it.

2. IIS 10: How to Install and Configure Your SSL Certificate on Windows Server 2016

If you have not yet created a CSR and ordered your certificate, see IIS 10: How to Create Your CSR Windows Server 2016 .

After we validate and issue your SSL certificate, you need to install it on the Windows 2016 server where the CSR was generated. Then, you need to configure the server to use it.

  • (Single Certificate) How to install and configure your SSL certificate
  • (Multiple Certificates) How to install and configure your SSL certificates using SNI

(Single Certificate) How to install your SSL certificate and configure the server to use it

Install SSL Certificate

On the server where you created the CSR, save the SSL certificate .cer file (e.g., your_domain_com.cer ) that DigiCert sent to you.

On the Server Certificates page (center pane), in the Actions menu (right pane), click the Complete Certificate Request… link.

In the Complete Certificate Request wizard, on the Specify Certificate Authority Response page, do the following and then click OK :

Now that you've successfully installed your SSL certificate, you need to assign the certificate to the appropriate site.

Assign SSL Certificate

In Internet Information Services (IIS) Manager , in the Connections menu tree (left pane), expand the name of the server on which the certificate was installed. Then expand Sites and click the site you want to use the SSL certificate to secure.

On the website Home page, in the Actions menu (right pane), under Edit Site , click the Bindings… link.

In the Site Bindings window, click Add .

In the Add Site Bindings window, do the following and then click OK :

Your SSL certificate is now installed, and the website configured to accept secure connections.

(Multiple Certificates) How to install your SSL certificates and configure the server to use them using SNI

These instructions explain how to install multiple SSL certificates and assign them using SNI. The process is split into two parts as follows:

Installing and Configuring Your First SSL Certificate

Installing and Configuring All Additional Certificates

Install First SSL Certificate

Do this first set of instructions only once, for the first SSL certificate.

Your first SSL certificate is now installed, and the website configured to accept secure connections.

Install Additional SSL Certificates

To install and assign each additional SSL certificate, repeat the steps below, as needed.

You have successfully installed another SSL certificate and configured the website to accept secure connections.

Test Installation

If your website is publicly accessible, our DigiCert® SSL Installation Diagnostic Tool can help you diagnose common problems.

How to Set Up SSL on IIS 7 or later

by Saad Ladki

Introduction

The steps for configuring Secure Sockets Layer (SSL) for a site are the same in IIS 7 and above and IIS 6.0, and include the following:

  • Get an appropriate certificate.
  • Create an HTTPS binding on a site.
  • Test by making a request to the site.
  • Optionally configure SSL options, that is, by making SSL a requirement.

This document provides some basic information on SSL, then shows how to enable SSL in the following ways:

  • Using IIS Manager.
  • Using the AppCmd.exe command line tool.
  • Programmatically through Microsoft.Web.Administration.
  • Using WMI scripts.

This article contains the following sections:

  • SSL Configuration
  • Using AppCmd
  • Using IIS Manager

Whether you are running your web site on your own server, or in the cloud, using SSL to secure your site is probably extremely important to you, as many websites are turning to it to protect users' privacy. If you need to configure SSL on your server, it's important to realize that the implementation of SSL changed from IIS 6.0 to IIS 7 and above. In IIS 6.0 on Windows Server 2003, all SSL configuration was stored in the IIS metabase, and encryption/decryption occurred in User mode (requiring a lot of kernel/user mode transitions). In IIS 7 and above, HTTP.sys handles SSL encryption/decryption in kernel mode, resulting in up to 20% better performance for secure connections in IIS 7 and above than that experienced in IIS 6.0.

Using SSL in kernel mode requires storing SSL binding information in two places. First, the binding is stored in %windir%\System32\inetsrv\config\applicationHost.config for your site. When the site starts, IIS sends the binding to HTTP.sys, and HTTP.sys starts listening for requests on the specified IP:Port (this works for all bindings). Second, the SSL configuration associated with the binding is stored in the HTTP.sys configuration. Use the netsh command at a command prompt to view SSL binding configuration stored in HTTP.sys as in the following example:

When a client connects and initiates an SSL negotiation, HTTP.sys looks in its SSL configuration for the IP:Port pair to which the client connected. The HTTP.sys SSL configuration must include a certificate hash and the name of the certificate store before the SSL negotiation will succeed.

Troubleshooting Tip: If you're having trouble with an SSL binding, verify that the binding is configured in ApplicationHost.config, and that the HTTP.sys store contains a valid certificate hash and store name for the binding.
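The troubleshooting tip above, worked as an added example that is not code from the original article: it compares the HTTPS bindings in applicationHost.config with the HTTP.sys entries printed by `netsh http show sslcert` and reports any binding that lacks an entry, a certificate hash or a store name. The function names, the sample config and the sample netsh text are constructed for illustration, and English netsh output is assumed.

```powershell
# Added example, not from the original article. Cross-checks the two places
# an SSL binding lives: <binding> elements in applicationHost.config and the
# HTTP.sys entries printed by `netsh http show sslcert` (English key names
# assumed). The sample config and netsh text are constructed.

function ConvertFrom-NetshSslCert {
    param([string[]] $Line)
    $entries = @(); $cur = $null
    foreach ($l in $Line) {
        $kv = $l.Trim() -split '\s+:\s+', 2      # "IP:port    : 0.0.0.0:443"
        if ($kv.Count -ne 2) { continue }         # headings, rules, blank lines
        if ($kv[0] -in 'IP:port', 'Hostname:port') {
            if ($cur) { $entries += [pscustomobject]$cur }
            $cur = @{ Kind = $kv[0]; Endpoint = $kv[1]; Hash = ''; Store = '' }
        }
        elseif ($cur -and $kv[0] -eq 'Certificate Hash')       { $cur.Hash  = $kv[1] }
        elseif ($cur -and $kv[0] -eq 'Certificate Store Name') { $cur.Store = $kv[1] }
    }
    if ($cur) { $entries += [pscustomobject]$cur }
    $entries
}

function Get-IisHttpsBinding {
    # sslFlags bit 1 = Require Server Name Indication, bit 2 = Centralized
    # Certificate Store (those bindings are not compared here).
    param([xml] $Config)
    foreach ($b in $Config.SelectNodes("//sites/site/bindings/binding[@protocol='https']")) {
        $flags = [int]$b.GetAttribute('sslFlags')       # absent attribute -> 0
        if ($flags -band 2) { continue }
        if ($b.GetAttribute('bindingInformation') -match '^(?<ip>.*):(?<port>\d+):(?<host>[^:]*)$') {
            if ($flags -band 1) { $kind = 'Hostname:port'; $left = $Matches.host }
            else { $kind = 'IP:port'; $left = $Matches.ip -replace '^\*$', '0.0.0.0' }
            [pscustomobject]@{
                Site = $b.ParentNode.ParentNode.GetAttribute('name')
                Kind = $kind; Endpoint = "${left}:$($Matches.port)"
            }
        }
    }
}

function Compare-SslBinding {
    param($IisBinding, $HttpSysEntry, [switch] $CheckStore)
    $index = @{}; $seen = @{}
    foreach ($e in $HttpSysEntry) { $index["$($e.Kind)|$($e.Endpoint)"] = $e }
    foreach ($b in $IisBinding) {
        $key = "$($b.Kind)|$($b.Endpoint)"; $seen[$key] = $true
        $e = $index[$key]
        if (-not $e) { $status = 'no HTTP.sys entry' }
        elseif ($e.Hash -notmatch '^[0-9A-Fa-f]{40}$') { $status = 'no certificate hash' }
        elseif (-not $e.Store -or $e.Store -eq '(null)') { $status = 'store name not set' }
        elseif ($CheckStore -and -not (Test-Path "Cert:\LocalMachine\$($e.Store)\$($e.Hash)")) {
            $status = 'certificate not in store'
        }
        else { $status = 'ok' }
        [pscustomobject]@{ Site = $b.Site; Kind = $b.Kind; Endpoint = $b.Endpoint; Status = $status }
    }
    foreach ($k in $index.Keys) {        # entries HTTP.sys holds that no site binding explains
        if (-not $seen[$k]) {
            [pscustomobject]@{ Site = ''; Kind = $index[$k].Kind; Endpoint = $index[$k].Endpoint; Status = 'no IIS binding' }
        }
    }
}

$sampleNetsh = @'
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 1111111111111111111111111111111111111111
    Application ID               : {00000000-0000-0000-0000-000000000000}
    Certificate Store Name       : MY

    Hostname:port                : web2.example.com:443
    Certificate Hash             : 2222222222222222222222222222222222222222
    Application ID               : {00000000-0000-0000-0000-000000000000}
    Certificate Store Name       : (null)
'@ -split '\r?\n'

$sampleConfig = [xml]@'
<configuration><system.applicationHost><sites>
  <site name="web1" id="1"><bindings>
    <binding protocol="http" bindingInformation="*:80:" />
    <binding protocol="https" bindingInformation="*:443:" />
  </bindings></site>
  <site name="web2" id="2"><bindings>
    <binding protocol="https" bindingInformation="*:443:web2.example.com" sslFlags="1" />
  </bindings></site>
  <site name="web3" id="3"><bindings>
    <binding protocol="https" bindingInformation="*:443:web3.example.com" sslFlags="1" />
  </bindings></site>
</sites></system.applicationHost></configuration>
'@

Compare-SslBinding (Get-IisHttpsBinding $sampleConfig) (ConvertFrom-NetshSslCert $sampleNetsh) |
    Format-Table -AutoSize

# On a server, from an elevated prompt:
#   $cfg = [xml](Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config" -Raw)
#   Compare-SslBinding (Get-IisHttpsBinding $cfg) (ConvertFrom-NetshSslCert (netsh http show sslcert)) -CheckStore
```

With the constructed data, web1 reports ok, web2 reports that the store name is not set, and web3 reports that HTTP.sys has no entry for its binding.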

Choosing a Certificate

When choosing a certificate, consider the following: Do you want end users to be able to verify your server's identity with your certificate? If yes, then either create a certificate request and send that request to a known certificate authority (CA) such as VeriSign or GeoTrust, or obtain a certificate from an online CA in your intranet domain. There are three things that a browser usually verifies in a server certificate:

  • That the current date and time is within the "Valid from" and "Valid to" date range on the certificate.
  • That the certificate's "Common Name" (CN) matches the host header in the request. For example, if the client is making a request to https://www.contoso.com/, then the CN must be www.contoso.com.
  • That the issuer of the certificate is a known and trusted CA.

If one or more of these checks fails, the browser prompts the user with warnings. If you have an Internet site or an intranet site where your end users are not people you know personally, then you should always ensure that these three parameters are valid.

Self-signed certificates are certificates created on your computer. They're useful in environments where it's not important for an end user to trust your server, such as a test environment.

You cannot request or create a certificate by using AppCmd.exe. You also cannot use AppCmd.exe to create an SSL binding.

Configure SSL Settings

You can use AppCmd.exe to configure a site to accept only server HTTPS connections by modifying the sslFlags attribute in the Access section. For example, you can configure this setting for the "Default Web Site" in the ApplicationHost.config file (for example, commitPath:APPHOST) by using the following command:

If successful, the following message is displayed:

To require 128-bit SSL, change the sslFlags value to Ssl128 .

The following example demonstrates how to view the <access/> section settings for the Default Web Site. The sslFlags attribute has been set successfully.

Executing the command results in the following entry in the ApplicationHost.config file:

You cannot request or create a certificate by using the WebAdministration WMI namespace.

Create an SSL Binding

The following script demonstrates how to create a new SSL binding and how to add the appropriate configuration for both HTTP.sys and IIS:

The certificate hash and store must reference a real, functional certificate on your server. If the certificate hash and/or store name are bogus, an error is returned.

The following script demonstrates how to set SSL settings by using the IIS WMI provider. You can find this value in the IIS_Schema.xml file.

IIS Manager

Obtain a certificate.

Enter a friendly name for the new certificate and click OK .

Now you have a self-signed certificate. The certificate is marked for "Server Authentication" use; that is, it is used as a server-side certificate for HTTP SSL encryption and for authenticating the identity of the server.

Select a site in the tree view and click Bindings... in the Actions pane. This brings up the bindings editor that lets you create, edit, and delete bindings for your Web site. Click Add... to add your new SSL binding to the site.

The default settings for a new binding are set to HTTP on port 80. Select https in the Type drop-down list. Select the self-signed certificate you created in the previous section from the SSL Certificate drop-down list and then click OK .

Verify the SSL Binding

Configure SSL settings if you want your site to require SSL, or to interact in a specific way with client certificates. Click the site node in the tree view to go back to the site's home page. Double-click the SSL Settings feature in the middle pane.

In this walkthrough, we successfully used the command-line tool AppCmd.exe, the scripting provider WMI, and IIS Manager to set up SSL on IIS.

IIS multiple sites with separate SSL certificate for each - they all use the same one

Using IIS 10, I have 3 websites with 3 different hostnames, but the same IP address and port, and each of them has their own SSL certificate.

In the bindings I can see that each has the correct certificate attached (When I click View I see it's the right details for each).

However, when I go to the URL in the browser, it says the certificate is not trusted (except for the one site to which this certificate belongs), and when I click to see the certificate information, I see they all use the same certificate even though each is bound to its own certificate in IIS.

I did tick the box saying "Require Server Name Indication", but still it uses only one certificate.

In my case where all websites use the same IP and port, is it possible to also use a different certificate?

In this case where I use the same IP and port for all websites - do I have to use a single certificate? Or I can somehow make it work now with separate certificates?

  • ssl-certificate

pileup's user avatar

  • 2 The question is which browser you were using. If the browser does not follow SNI to send host name in SSL handshake, then the certificate from IP based binding will be used instead of from SNI based bindings, docs.jexusmanager.com/tutorials/… You might stop serving such non-SNI browsers, as they are usually legacy ones with lots of other issues. –  Lex Li May 24 at 19:54
  • It's from Google Chrome/Edge, could there be an issue with the certificate? Because I also made a mistake in the post. It's not different domains, it's the same domain with different subdomains: web1.example.com, web2.example.com, web3.example.com. In this case do I need to use the same certificate? –  pileup May 25 at 7:27
  • 2 Subdomains require their own SNI mappings to register in Windows HTTP API. If you don’t have those yet, the problem is then expected. Chrome/Edge started to support SNI years ago, so it is not likely to be a browser side issue. –  Lex Li May 25 at 14:22
  • Thank you, and is it something I can fix when I have 3 separate certificates? Or I am going to have to combine them into 1 with all the subdomains? –  pileup May 25 at 15:04
  • 1 @AndyD273 the solution was to use a single certificate that holds all the needed hostnames –  pileup Aug 26 at 8:13

This isn't really the solution to OP's problem, it's the solution to my problem, which happens to sound exactly like the problem that OP was having. I'm including it here in case some time down the road someone else has the same problem, and they might be able to use this information to solve it.

We have an IIS server set up with 5 web sites. 3 of them have the same wildcard certificate ( www.website1.com , sales.website1.com, dev.website1.com), and the other two have their own single site certificates.

But what was happening was that all 5 sites were getting assigned the wildcard certificate for website1.com.

What we had to do to solve the problem was to set the HTTPS binding on all 5 sites to IP address: All Unassigned, Port 443. And then make sure that Require Server Name Indication was checked and the correct certificate was selected for each site.

enter image description here

  • Hi Andy, you mean "IP address" is local ip or the public ip? –  Kerwin Sep 15 at 5:58
  • @Kerwin I added a screenshot to show you what I mean. Obviously host name is the name of the website, like website.com or www.website.com and the SSL certificate is your signing certificate for that website. We didn't have to do it this way when we were running windows server 2012 and IIS 8, but once we upgraded to windows server 2019 and IIS 10 it was the only way to make it work. –  AndyD273 Oct 6 at 13:15
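A check for the setup this answer describes, added here as an example and not taken from the thread: on any port where sites use different certificates, it lists HTTPS bindings that are not on All Unassigned, do not have Require Server Name Indication set, or carry no host name. The function name and the sample bindings are constructed; the property names follow what Get-WebBinding returns, with Site added by the caller.

```powershell
# Added example, not from the thread. Flags HTTPS bindings that depart from
# the setup described in the answer above (IP address "All Unassigned",
# "Require Server Name Indication" ticked, a host name on every binding) on
# any port where sites use different certificates. Sample data is constructed.

function Find-SniBindingIssue {
    param([object[]] $Binding)   # objects with Site, bindingInformation, sslFlags, certificateHash
    $rows = foreach ($b in $Binding) {
        # bindingInformation is "ip:port:host"; "*" as ip means All Unassigned
        if ($b.bindingInformation -match '^(?<ip>.*):(?<port>\d+):(?<host>[^:]*)$') {
            [pscustomobject]@{
                Site = $b.Site; Ip = $Matches.ip; Port = $Matches.port; HostName = $Matches.host
                Sni  = ([int]$b.sslFlags -band 1) -ne 0        # bit 1 = Require SNI
                Hash = "$($b.certificateHash)".ToUpperInvariant()
            }
        }
    }
    foreach ($g in ($rows | Group-Object -Property Port)) {
        $distinct = @($g.Group | Select-Object -ExpandProperty Hash | Sort-Object -Unique)
        if ($distinct.Count -lt 2) { continue }    # a single certificate on this port: nothing to tell apart
        foreach ($r in $g.Group) {
            $why = @()
            if (-not $r.Sni)      { $why += 'Require Server Name Indication is off' }
            if (-not $r.HostName) { $why += 'no host name on the binding' }
            if ($r.Ip -ne '*')    { $why += "bound to $($r.Ip) instead of All Unassigned" }
            if ($why) {
                [pscustomobject]@{ Site = $r.Site; Port = $r.Port; Finding = $why -join '; ' }
            }
        }
    }
}

# Constructed sample: three sites on port 443, each with its own certificate.
$sample = @(
    [pscustomobject]@{ Site = 'web1'; bindingInformation = '10.0.0.5:443:'
                       sslFlags = 0; certificateHash = '1111111111111111111111111111111111111111' }
    [pscustomobject]@{ Site = 'web2'; bindingInformation = '*:443:web2.example.com'
                       sslFlags = 1; certificateHash = '2222222222222222222222222222222222222222' }
    [pscustomobject]@{ Site = 'web3'; bindingInformation = '*:443:web3.example.com'
                       sslFlags = 0; certificateHash = '3333333333333333333333333333333333333333' }
)
Find-SniBindingIssue $sample | Format-Table -AutoSize -Wrap

# Live input on an IIS server (WebAdministration module):
#   Import-Module WebAdministration
#   $live = Get-WebBinding -Protocol https |
#       Select-Object bindingInformation, sslFlags, certificateHash,
#           @{ Name = 'Site'; Expression = { [regex]::Match($_.ItemXPath, "@name='([^']+)'").Groups[1].Value } }
#   Find-SniBindingIssue $live
```

With the constructed sample, web1 is reported for all three reasons and web3 for the missing SNI flag; web2 matches the described setup and is not listed.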

Install SSL Certificates in a Windows Server

SSL Certificates secure the web today using Transport Layer Security (TLS). This is a network protocol which encrypts the data between the web server and the visitor. Most websites today are using SSL, and you can see this every time a website starts with https:// instead of http://. This indicates the website is securely encrypting data between you and the server so that no attackers can easily sniff the network packets and capture your logins.

SSL protects the web today, is utilized by almost every corporation and business, and acts as the first step in user security. SSL is a way to protect logins and forms that you enter from being intercepted unknowingly by a 3rd party on your network. If your website does not incorporate SSL, we suggest implementing it as soon as possible, and you can use our guide to do it!

Generating the Certificate Request (CSR)

Before ordering your SSL, you will need to create a certificate request for the certificate authority to issue an SSL.

Step 1: To begin, the first thing you need to do is open IIS. If you do not have a shortcut for it, you can search your computer for inetmgr.exe and open it that way. From here you will click on your server name.

Step 2: Then double-click “Server Certificates”.

On the right-hand side, select ‘Create Certificate Request’.

At this point, you will be asked for information about the certificate and the company requesting the certificate.

Once you have filled this out, click Next.

It will bring you to the following screen:

cryptographic server provider properties

Step 4: We suggest using the settings above, making sure the Bit Length is set to 2048 or higher. We like to go with 4096. Click Next. On the subsequent screen, you need to specify a filename where your Certificate Request or CSR can be exported. For simplicity, we would like to export the CSR to C:\example.com.csr.txt

Ordering the SSL

At this point, you are ready to order your SSL certificate!

Step 1: Go to your chosen SSL provider, whether it be GlobalSign, Liquid Web, or any of the numerous other certificate authorities.

Step 2: When you are signing up for the SSL, it will ask you for the CSR data we saved at C:\example.com.csr.txt. Copy and paste the contents into the certificate authority's website, and it will generate all the same fields we entered via the previous steps.

Step 3: Finish your order, and they will provide you with a .crt certificate file. Download this file and copy it to your web server. For simplicity, copy it to C:\example.com.cer

Great! Now you have created a certificate request and completed it with the certificate authority and have your new SSL certificate ready to be installed.

Installing the Certificate in IIS

Step 1: Open up IIS/inetmgr.exe and navigate to the server as we did in the beginning.

Step 2: Navigate to Server Certificates. Now, instead of selecting ‘Create Certificate Request’ you will select ‘Complete Certificate Request’.

Step 3: It will prompt you for the location of the new certificate, which we saved at C:\example.com.cer and to make things easier on ourselves later, we will name the friendly name example.com-01 so that we know this is the first SSL for this domain in case we want to renew it later. Once you hit OK, you should see your certificate in the list of server certificates in IIS.

Great! Now you have generated the certificate request, completed it, and installed your certificate on your web server. Now you need to bind the certificate to your website.

Binding the SSL Certificate to a Website

Step 1: In IIS, browse to Sites > example.com (where you want the SSL certificate installed).

Step 2: Right-click on your site and select ‘Edit Bindings’ or if you click on the site, you will see Bindings on the right-hand side.

This will open a window that looks like the following:

site binding for the ssl

Step 3: If you already have the https binding set up for your site, you will simply double-click on the https binding and select the desired SSL certificate from the drop-down. If you haven’t created an https entry in your bindings, click Add on the right-hand side, and you will see the following window:

add SSL site bindings

Step 4: First, set the Type to https so your website knows the request is for a secured URL.

You will want to set the IP Address on your host. In my case, All Unassigned. Port should be automatically set to 443; if not, set it. (This is the port defined for secured communications.)

Step 5: Set the Host Name to example.com (your domain). In most cases, you will want to check Require Server Name Indication. In our case, we do not need it because this is the only certificate on this IP address. Select your SSL certificate from the drop-down!

Select OK and do it all again, this time instead of setting the hostname to example.com, you will want to set it to www.example.com. This is because we only set it up for requests from https://example.com, but https://www.example.com won’t register as secured until we add the second binding entry.
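
The same two bindings can be created from PowerShell, which helps when the steps have to be repeated on several servers. This is an added example, not code from the original article: it assumes the IIS site is named example.com, uses the friendly name example.com-01 chosen earlier, and turns on Require Server Name Indication, the setting the article recommends for most cases.

```powershell
# Added example: scripted version of the Edit Bindings steps.
# Assumptions: elevated session on the IIS server, site name 'example.com',
# certificate completed with friendly name 'example.com-01'.
Import-Module WebAdministration

$siteName     = 'example.com'
$friendlyName = 'example.com-01'
$hostNames    = 'example.com', 'www.example.com'

# Select the certificate by friendly name and refuse to guess if the name is
# missing or used by more than one certificate in the Personal store.
$found = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $friendlyName })
if ($found.Count -ne 1) {
    throw "Expected exactly one certificate named '$friendlyName', found $($found.Count)."
}
$cert = $found[0]

# A certificate without its private key, or one already expired, cannot serve TLS.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key on this server."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)."
}

foreach ($name in $hostNames) {
    $info = "*:443:$name"   # All Unassigned, port 443, host name
    $existing = Get-WebBinding -Name $siteName -Protocol https |
        Where-Object { $_.bindingInformation -eq $info }
    if ($existing) {
        Write-Warning "Binding $info already exists on '$siteName'; leaving it unchanged."
        continue
    }

    # -SslFlags 1 corresponds to the Require Server Name Indication checkbox.
    New-WebBinding -Name $siteName -Protocol https -IPAddress '*' -Port 443 `
        -HostHeader $name -SslFlags 1

    # Attach the certificate from the Personal (My) store to the new binding.
    $binding = Get-WebBinding -Name $siteName -Protocol https |
        Where-Object { $_.bindingInformation -eq $info }
    $binding.AddSslCertificate($cert.Thumbprint, 'My')
}

# Show the resulting https bindings for review.
Get-WebBinding -Name $siteName -Protocol https
```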

Testing Your New SSL

First, you will want to access your domain at https://example.com and https://www.example.com to see if there are any errors. An easy way to tell if the certificate is functioning properly is to input your domain into SSL Shopper. Try it with and without the “www” to confirm both work. If everything is working, you should see several green checks and no errors. The certificate expiration date will be at least one year from the day you ordered the SSL originally.

That’s it! You have successfully installed a brand new SSL for your website that works both with www and without it. Congratulations! Now you can follow these steps to secure all of your websites and applications.

Liquid Web makes it easy to purchase new SSLs. Simply log in to manage.liquidweb.com, click Add, and select SSL Certificate. Here you can simply input the CSR you generated in Step 1, and it will order an SSL and give you back the certificate file needed to complete the installation.

If you have a Managed Windows VPS server at Liquid Web , we can help you through this process and diagnose any issues you may have run into. We also assist with SSL on Self-Managed if they buy the SSL from Liquid Web.


About the Author: Mike Sherman

Mike Sherman was formerly one of our Helpful Humans at Liquid Web and worked on the Windows Enterprise Department. He has over 10 years of technology experience and a wealth of SEO and online marketing knowledge. He now supports IT infrastructures for mid-range companies as a Mid-West MSP.


CertificationsKart.com

How to Configure Multiple SSL on single IP in IIS


Yes, it is now possible to host multiple SSL certificates on a single IP with the help of SNI.

What is SNI?

Server Name Indication (SNI) is designed to solve this problem. SNI is an extension for the TLS protocol (formerly known as the SSL protocol), which is used in HTTPS. It’s included in the TLS/SSL handshake process in order to ensure that client devices are able to see the correct SSL certificate for the website they are trying to reach. The extension makes it possible to specify the hostname, or domain name, of the website during the TLS handshake, instead of when the HTTP connection opens after the handshake.

More simply put, SNI makes it possible for a user device to open a secure connection with https://www.example.com even if that website is hosted in the same place (same IP address) as https://www.something.com, https://www.another-website.com, and https://www.example.io. For more read https://www.cloudflare.com/learning/ssl/what-is-sni/

Now here is how to configure multiple SSL certificates on a single IP.

Open IIS and select your website under Sites in the left panel. Select Bindings under the Actions tab in the right panel. Click the Add button and choose the options as follows.

Under IP address you can choose the public IP or choose All Unassigned.

Check Require Server Name Indication.

If you don’t select this option, the following error might appear, and when the server or IIS restarts some applications might not have SSL.
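
To find bindings that were created without Require Server Name Indication, the HTTPS bindings on a server can be audited from PowerShell. This is an added example, not code from the original article; the 30-day warning window and the helper name Test-CertCoversName are assumptions made for illustration.

```powershell
# Added example: audit the HTTPS bindings on this IIS server.
# Assumptions: elevated session, WebAdministration module, 30-day warning window.
Import-Module WebAdministration
$warnBefore = (Get-Date).AddDays(30)

# Hypothetical helper: does the certificate list this host name?
function Test-CertCoversName($Cert, [string]$Name) {
    foreach ($dns in $Cert.DnsNameList.Unicode) {
        if ($dns -eq $Name) { return $true }
        # A wildcard entry covers exactly one left-most label.
        if ($dns.StartsWith('*.') -and $Name -like "*$($dns.Substring(1))" -and
            $Name.Split('.').Count -eq $dns.Split('.').Count) { return $true }
    }
    return $false
}

$rows = foreach ($site in Get-Website) {
    foreach ($b in Get-WebBinding -Name $site.Name -Protocol https) {
        # bindingInformation is "IP:port:hostname"; the IP part may be an IPv6 literal.
        if ($b.bindingInformation -notmatch '^(?<ip>.*):(?<port>\d+):(?<host>[^:]*)$') { continue }
        $cert = $null
        if ($b.certificateHash) {
            $cert = Get-Item "Cert:\LocalMachine\$($b.certificateStoreName)\$($b.certificateHash)" -ErrorAction SilentlyContinue
        }
        [pscustomobject]@{
            Site     = $site.Name
            Endpoint = "$($Matches.ip):$($Matches.port)"
            HostName = $Matches.host
            Sni      = [bool]($b.sslFlags -band 1)   # Require Server Name Indication
            Ccs      = [bool]($b.sslFlags -band 2)   # Centralized Certificate Store
            Cert     = $cert
        }
    }
}

foreach ($r in $rows) {
    if ($r.Ccs) { continue }   # CCS bindings take their certificate from the file share
    if (-not $r.Cert) {
        Write-Warning "$($r.Site) [$($r.HostName)]: no certificate found in the local store"
        continue
    }
    if ($r.Cert.NotAfter -lt $warnBefore) {
        Write-Warning "$($r.Site) [$($r.HostName)]: certificate expires $($r.Cert.NotAfter)"
    }
    if ($r.HostName -and -not (Test-CertCoversName $r.Cert $r.HostName)) {
        Write-Warning "$($r.Site) [$($r.HostName)]: certificate does not list this host name"
    }
}

# Bindings without SNI on the same IP:port share one certificate, so more than
# one site there means a site can be answered with another site's certificate.
$rows | Where-Object { -not $_.Sni -and -not $_.Ccs } | Group-Object Endpoint |
    Where-Object { @($_.Group.Site | Sort-Object -Unique).Count -gt 1 } |
    ForEach-Object { Write-Warning "No SNI on $($_.Name), shared by: $(($_.Group.Site | Sort-Object -Unique) -join ', ')" }

$rows | Format-Table Site, Endpoint, HostName, Sni, Ccs, @{ n = 'NotAfter'; e = { $_.Cert.NotAfter } }
```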


COMMENTS

  1. iis

    My current process at the end of every certificate validity period is to purchase a new (renew) cert and complete the CSR from my in-house management box, then export the cert in .pfx format, and install it manually on each server in the Personal store. On web servers ( IIS) I modify the bindings manually as well.

  2. Set up SSL on multiple web sites

    01/24/2022. This article describes how to set up Secure Sockets Layer (SSL) on multiple web sites in Microsoft Internet Information Services (IIS) with shared configuration. Original product version: Internet Information Services 7.0, 7.5. Original KB number: 2548832.

  3. iis

    Launch IIS Manager. Click Start, Control Panel, Administrative Tools, and then select Internet Information Services (IIS) Manager. 2. Select your server name. In the left Connections menu, select the server name (host) where you want to install the certificate. 3. Navigate to the Security section.

  4. Can you install multiple SSL certificates on IIS?

    Binding the certificate to each website will not work. You just need to follow these instructions: http://www.sslshopper.com/article-ssl-host-headers-in-iis-7.html to install the certificate to all the sites listed in the certificate (all on the same IP address). (Answered Nov 3, 2010 at 15:48 by Robert.)

  5. Share SSL Certificates Between Multiple IIS Servers with Centralized

    When the certificate comes up again for renewal, the same process has to be repeated across the board to import and install the new renewed certificate for the IIS website on each server. Centralized Certificate Store, again, helps to resolve this issue. ... Share SSL Certificates Between Multiple IIS Servers with Centralized Certificates.

  6. How to Install an SSL Certificate on IIS (Windows Server)

    Open the Internet Information Services Manager console (InetMgr.exe); Select your Windows host and go to the Server Certificates section; From the Actions menu on the right, select Create Certificate Request; Fill in the certificate information: Common Name - specify the FQDN of the site (webserver) your clients will connect to.

  7. How to Install Wildcard SSL Certificate on Multiple Servers

    Go to Administrative Tools > Internet Information Services (IIS) Manager. Select the correct server name and then click on Server Certificates > Complete Certificate Request. Now provide the location of the certificate file. Linux Platform: Generate the CSR via the OpenSSL command line.

  8. How to install an SSL certificate on multiple servers

    Start with server 1 and then export the SSL keys from server 1 and import to server 2, server 3, and so on. With this method, you'll be using the exact same private key and SSL certificate on each server. Install your SSL certificate on server 1. Save your SSL keys from server 1 to a file. Import the keys you saved from step 2 into server 3 and ...

  9. How To Configure SSL Certificates in IIS for Windows Server

    To do this, open IIS Manager (Internet Information Services) on your web server and navigate to Server Certificates. On the right-hand side of IIS, select Create Certificate Request and enter in your company information. Anyone can get SSL for their website, so if you do not have a company name, you can just use your legal name or entity.

  10. How to Install an SSL Certificate on IIS 10 & other versions

    Generate a CSR code Before installing the certificate, you need to generate a CSR (Certificate Signing Request) for the IIS server. You have two options: Generate the CSR automatically using our CSR Generator.

  11. How do I bulk change the SSL certificate on multiple sites in IIS using

    Now, the SSL certificate I use, *.contoso.com, is expiring next week, so I got a new one, imported it and it is now available to IIS. To replace the certificate for each binding using the old one I now have to go to each site, go to bindings, select the :443 binding and set it to use the new certificate. Not a big issue with just one site, but ...

  12. Get multiple TLS/SSL certificates using SNI automation

    In your CertCentral account, in the left main menu, go to Automation > Automated IPs. On the Automated IPs page, find the common name for the IP/port for which you want an additional certificate. In the Action column, select Add SNI. On the automation request page, enter the common name and server name that you want the certificate to secure ...

  13. IIS: multiple certificates installation

    Generally, the best practice for IIS servers is to have *one* SSL certificate that can be considered as the default certificate on the server. All websites that use that default SSL should have the Require Server Name Indication box unchecked.

  14. How To Install SSL Certificate on IIS Web Server

    Step 1: Add the Certificate to MMC Hit Windows key and search for " Run " app or you can just use a combination of Windows + R to open the same " Run " app. It will appear at the bottom left corner of your screen. Once the App is open, type in " MMC " and hit enter. This will open the MMC Console. Step 2: Add a certificate to MMC

  15. IIS 10: CSR Creation & SSL Certificate Installation

    Using IIS 10 to Create Your CSR. In the Windows start menu, type Internet Information Services (IIS) Manager and open it. In Internet Information Services (IIS) Manager, in the Connections menu tree (left pane), locate and click the server name. On the server name Home page (center pane), in the IIS section, double-click Server Certificates .

  16. How to install one SSL Certificate across multiple servers in IIS 8 on

    When you're having multiple Windows servers which should use same SSL certificate, such as load balancing environment, switching hosting companies, wildcard or UC SSL certificates, you...

  17. How to Set Up SSL on IIS 7 or later

    By Saad Ladki. Introduction: The steps for configuring Secure Sockets Layer (SSL) for a site are the same in IIS 7 and above and IIS 6.0, and include the following: Get an appropriate certificate. Create an HTTPS binding on a site. Test by making a request to the site.

  18. IIS multiple sites with separate SSL certificate for each

    Using IIS 10, I have 3 websites with 3 different hostnames, but the same IP address and port, and each of them has their own SSL certificate. In the bindings I can see that each has the correct certificate attached (When I click View I see it's the right details for each).

  19. Step-By-Step Procedure To Install An SSL Certificate On The IIS Server

    1. A valid SSL certificate. You can purchase one from a reputable Certificate Authority such as Symantec, GeoTrust, or Comodo. 2. The IIS 10 server was installed and configured. 3. Administrator access to the server. Once you have all of the prerequisites out of the way, follow these steps to install an SSL certificate on the IIS server: