Installing a Certificate on IIS Servers

Last updated: 2020-10-30 15:30:13

    Scenarios

    This document describes how to install an SSL certificate on an IIS server.

    Note:

    • This document uses the certificate name cloud.tencent.com as an example. For your purposes, please use the name used in your certificate.
    • This document takes Windows Server 2012 R2 as an example. The detailed steps may vary slightly depending on the operating system.
    • Before you install an SSL certificate, enable port 443 on the IIS server so that HTTPS can be enabled after the certificate is installed. For more information, see How do I enable port 443 for a server?.
    • To upload an SSL certificate to CVMs, see Copying Local Files to CVMs.

    Directions

    Certificate installation

    1. Download the certificate package for the domain name cloud.tencent.com from the SSL Certificate Service Console and decompress it to a local directory.
      After decompression, you can get the certificate files of the relevant types, including the IIS folder and CSR file:
      • Folder name: IIS
      • Folder content:
        • cloud.tencent.com.pfx: certificate file
        • keystorePass.txt: password file (If a private key password is set, there is no keystorePass.txt.)
      • CSR file content: cloud.tencent.com.csr file

        Note:

        The CSR file is uploaded by you or generated online by the system when you apply for the certificate and is provided to the CA. It is not relevant to installation.

    2. Open the IIS Manager, select the computer name, and double-click Server Certificates to open it, as shown in the following figure.
    3. In the Actions column to the right of the Server Certificates window, click Import, as shown in the following figure.
    4. In the Import Certificate pop-up window, select the path where the certificate file is stored, enter the password, and click OK, as shown in the following figure.

      Note:

      • If you set a private key password when applying for the certificate, enter the private key password; otherwise, enter the password in the keystorePass.txt file in the IIS folder.
      • If you forget the private key password, please submit a ticket to ask Tencent Cloud engineers to delete the certificate. You will then need to re-apply for the domain name certificate.


    5. Select the name of a site under Sites and click Site Bindings in the Actions column on the right, as shown in the following figure.

    6. In the Site Bindings pop-up window, click Add, as shown in the following figure.

    7. In the Add Site Binding window, set the site type to https, the port to 443, and the host name to the domain name corresponding to the certificate, specify the corresponding SSL certificate, and click OK, as shown in the following figure.

    8. Once the binding has been added, it appears in the Site Bindings window, as shown in the following figure.
    9. Access https://cloud.tencent.com .

    (Optional) Security configuration for automatic redirect from HTTP to HTTPS

    Note:

    • For a standard redirect, edit the rule as described in the following steps. If you have other requirements, configure the rule accordingly.
    • After the redirect from HTTP to HTTPS is in place, if elements of your website contain external links or are loaded over the HTTP protocol, the web page will not be served entirely over HTTPS. In this case, some browsers may issue security warnings such as "this link is insecure". You can view the reason for the error by clicking Details on the message page.

    1. Open the IIS Manager.
    2. Select a site name under Sites, and double-click URL Rewrite, as shown in the following figure.

      Note:

      Download and install the URL Rewrite module before proceeding to the following steps.


    3. On the URL Rewrite page, click Add Rule(s) in the Actions column on the right, as shown in the following figure.

    4. In the Add Rule(s) pop-up window, select Blank rule and click OK, as shown in the following figure.

    5. Go to the Edit Inbound Rules page, as shown in the following figure.

      • Name: enter forced HTTPS.
      • Matching URL: enter (.*) in the Pattern text box.
      • Conditions: click to expand and click Add to pop up the Add Condition window.
        • Condition input: {HTTPS}.
        • Check if input string: select Matches the Pattern by default.
        • Pattern: enter ^OFF$.
      • Action: enter the following parameters.
        • Action Type: select Redirect.
        • Redirect URL: https://{HTTP_HOST}/{R:1}.
        • Redirect Type: select See Other (303).

    6. Click Apply in the Actions column to save the settings.
    7. Return to the Sites page and click Restart in the Manage Website column on the right. Then, the website can be accessed using http://cloud.tencent.com.
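
The note above about page elements that still use HTTP can be checked after the redirect is in place. The following is an added example, not part of the original document or of any Tencent Cloud tooling: a small Python scanner that lists the sub-resources a page would still request over plain HTTP. The function names, the list of tags checked and the sample HTML are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute whose URL the browser fetches as part of rendering the page.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "audio": "src",
                  "video": "src", "source": "src", "embed": "src",
                  "object": "data", "link": "href"}
# <link> only triggers a fetch for these rel values (canonical, alternate etc. do not).
FETCHED_RELS = {"stylesheet", "icon", "preload", "modulepreload", "manifest"}

class MixedContentFinder(HTMLParser):
    """Collects sub-resources that a page would request over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (line number, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return  # ordinary hyperlinks (<a href>) are navigation, not sub-resources
        attrs = dict(attrs)
        if tag == "link" and not FETCHED_RELS & set((attrs.get("rel") or "").lower().split()):
            return
        value = (attrs.get(attr) or "").strip()
        # Relative and protocol-relative (//host/path) URLs inherit the page's scheme.
        absolute = urljoin(self.page_url, value)
        if value and urlsplit(absolute).scheme == "http":
            self.findings.append((self.getpos()[0], tag, absolute))

def find_mixed_content(html, page_url):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (not from a real site); only lines 3 and 6 are HTTP loads.
SAMPLE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example.com/lib.js"></script>
</head><body>
<img src="//img.example.com/logo.png">
<img src="http://static.example.com/banner.png">
<a href="http://example.com/about">About</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url in find_mixed_content(SAMPLE, "https://cloud.tencent.com/"):
        print(f"line {line}: <{tag}> loads {url}")
```

Each reported URL should be changed to https:// (or to a relative URL) in the page source; the scanner reads static HTML only and does not see resources added by scripts at run time.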

    Note:

    If you experience any issues with the steps outlined above, please contact us.