IIS 10: Moving an SSL Certificate to Another Server

2024-03-07 07:36:48

I. How to Export/Back Up Your SSL Certificate w/Private Key

  1. On the Windows Server 2016 system where the SSL certificate is installed, open the Console (MMC).

    In the Windows start menu, type mmc and open it.

  2. In the Console window, in the top menu, click File > Add/Remove Snap-in.

  3. In the Add or Remove Snap-ins window, in the Available snap-ins pane (left side), select Certificates and then click Add >.

  4. In the Certificate snap-in window, select Computer account and then click Next.

  5. In the Select Computer window, select Local computer: (the computer this console is running on), and then click Finish.

  6. In the Add or Remove Snap-ins window, click OK.

  7. In the Console window, in the Console Root pane (left side), expand Certificates (Local Computer), expand the folder that contains the certificate that you want to export/back up, and then, click the associated Certificates folder.

    Note: Your certificate should be in either the Personal or the Web Hosting folder.

  8. In the center pane, right-click on the certificate that you want to export/back up and then click All Tasks > Export.

  9. In the Certificate Export Wizard, on the Welcome to the Certificate Export Wizard page, click Next.

  10. On the Export Private Key page, select Yes, export the private key, and then, click Next.

  11. On the Export File Format page, select Personal Information Exchange – PKCS #12 (.PFX) and then check Include all certificates in the certification path if possible.

    Warning: Do not select Delete the private key if the export is successful.

  12. On the Security page, do one of the following:

    Password / Confirm password:

      i. Check this box.
      ii. Then, create and confirm the password.

      Password Note: This password will be required when you import the certificate w/private key to your (different) Windows Server 2016.

    Group or user name (recommended):

      i. Check this box.
      ii. In the field below, select the Active Directory user or group account to which you want to assign access to the certificate w/private key.
      iii. Then, click Add.

      Export/Import Note: The server from which you export the certificate w/private key must be part of an AD domain. The server to which you import the certificate w/private key must be tied to an AD domain with a domain controller (DC).

  13. On the File to Export page, click Browse. In the Save As window, locate and select the certificate file that you want to export and then click Save. Finally, on the File to Export page, click Next.

    Make sure to note the filename and the location where you saved your file. If you only enter the filename without selecting a location, your file is saved to the following location: C:\Windows\System32.

  14. On the Completing the Certificate Export Wizard page, verify that the settings are correct and then, click Finish.

  15. You should receive the message "The export was successful."

    The SSL certificate w/private key .pfx file is now saved to the location that you selected.
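The same export can be scripted with the built-in PKI cmdlets. The following is an added example, not part of the original instructions; the thumbprint, transfer folder, and AD group name are placeholders to replace with your own values.

```powershell
# Added example. Run in an elevated PowerShell session on the source server.
# Thumbprint, paths and the AD group name below are placeholders.
$thumbprint = '<THUMBPRINT-OF-CERTIFICATE-TO-EXPORT>'
$storePath  = 'Cert:\LocalMachine\WebHosting'     # or Cert:\LocalMachine\My (Personal)
$pfxPath    = 'C:\CertTransfer\yourdomain.pfx'    # full path, so nothing lands in C:\Windows\System32

$cert = Get-ChildItem -Path $storePath | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $thumbprint in $storePath." }
if (-not $cert.HasPrivateKey) {
    throw 'This certificate has no private key here; the exported file would not work on the new server.'
}

# Create the transfer folder and lock it down before any key material is written:
# drop inherited permissions, then allow only SYSTEM and local Administrators.
$folder = Split-Path -Path $pfxPath -Parent
New-Item -ItemType Directory -Path $folder -Force | Out-Null
icacls $folder /inheritance:r /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null

# Option 1 (step 12, Password): prompt for the password so it never appears
# in the script or in command history.
# -ChainOption BuildChain matches "Include all certificates in the certification path".
$password = Read-Host -Prompt 'Password for the .pfx file' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password -ChainOption BuildChain | Out-Null

# Option 2 (step 12, Group or user name): protect the file to an AD principal instead.
# Export-PfxCertificate -Cert $cert -FilePath $pfxPath -ProtectTo 'YOURDOMAIN\WebAdmins' -ChainOption BuildChain

# Record the SHA-256 of the file so the copy on the destination server can be checked.
Get-FileHash -Path $pfxPath -Algorithm SHA256 | Format-List Path, Hash
```

The export fails if the private key was originally imported without being marked exportable.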

 

II. How to Import the SSL Certificate w/Private Key .pfx File

If you have not yet exported the SSL certificate and its private key as a .pfx file from the server on which the certificate is installed, see How to Export/Back Up Your SSL Certificate w/Private Key.

  1. On the Windows Server 2016 system where you want to install the SSL certificate, open the Console (MMC).

    In the Windows start menu, type mmc and open it.

  2. In the Console window, in the top menu, click File > Add/Remove Snap-in.

  3. In the Add or Remove Snap-ins window, in the Available snap-ins pane (left side), select Certificates and then click Add >.

  4. In the Certificate snap-in window, select Computer account and then click Next.

  5. In the Select Computer window, select Local computer: (the computer this console is running on), and then click Finish.

  6. In the Add or Remove Snap-ins window, click OK.

  7. In the Console window, in the Console Root pane (left side), expand Certificates (Local Computer), right-click on the Web Hosting folder, and then click All Tasks > Import.

  8. In the Certificate Import Wizard, on the Welcome to the Certificate Import Wizard page, click Next.

  9. On the File to Import page, browse to and select the file that you want to import and then, click Next.

    Note: In the File Explorer window, in the file type drop-down, make sure to select All Files (*.*). By default, it is set to search for X.509 Certificate (*.cer;*.crt) file types only.

  10. On the Private key protection page, do the following:

    Password: Type the password that you created when the SSL certificate was exported.

    Mark this key as exportable: Check this box so that you can back up or export the SSL certificate when needed. Note that a certificate without its private key does not work.

    Include all extended properties: Check this box.

  11. On the Certificate Store page, do the following and then click Next:

    1. Select Place all certificates in the following store and click Browse.

    2. In the Select Certificate Store window, select Web Hosting and click OK.

  12. On the Completing the Certificate Import Wizard page, verify that the settings are correct and then, click Finish.

  13. You should receive the message "The import was successful."

    The SSL certificate w/private key .pfx file is now saved to the Web Hosting store (folder).
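A scripted version of the import that also checks the transferred file and the imported certificate, and removes the .pfx afterwards. This is an added example, not part of the original instructions; the file path and the expected hash are placeholders, and the hash is assumed to have been recorded on the source server.

```powershell
# Added example. Run in an elevated PowerShell session on the destination server.
# The path and the expected hash are placeholders.
$pfxPath      = 'C:\CertTransfer\yourdomain.pfx'
$expectedHash = '<SHA256-RECORDED-ON-THE-SOURCE-SERVER>'
$storePath    = 'Cert:\LocalMachine\WebHosting'

# Refuse to import a file that changed in transit.
$actualHash = (Get-FileHash -Path $pfxPath -Algorithm SHA256).Hash
if ($actualHash -ne $expectedHash) { throw "Hash mismatch for $pfxPath; do not import." }

# Prompt for the export password instead of storing it in the script.
$password = Read-Host -Prompt 'Password for the .pfx file' -AsSecureString

# -Exportable corresponds to "Mark this key as exportable" in step 10.
$imported = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation $storePath `
    -Password $password -Exportable

# The site certificate is the imported entry that carries a private key.
$siteCert = $imported | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $siteCert) { throw 'Import finished, but no certificate with a private key was found.' }
if ($siteCert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($siteCert.NotAfter)." }

# Validate the chain against the SSL policy; the reason is written as a warning on failure.
if (-not (Test-Certificate -Cert $siteCert -Policy SSL)) {
    throw 'Certificate chain did not validate for SSL use.'
}

# Show what was imported so the subject and thumbprint can be confirmed before binding.
$siteCert | Format-List Subject, Thumbprint, NotAfter, HasPrivateKey

# The transfer file contains the private key; remove it once the import is verified.
Remove-Item -Path $pfxPath
```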

 

III. How to Configure Your Windows Server 2016 to Use the Imported SSL Certificate

After you've imported the SSL certificate to your Windows Server 2016, you must configure IIS 10 to use the newly imported certificate to secure your website.

  • (Single Certificate) How to configure the Windows Server 2016 to use your SSL certificate

  • (Multiple Certificates) How to assign your SSL certificates and configure the server to use them using SNI

 

(Single Certificate) How to configure the Windows Server 2016 to use your SSL certificate

If you have not imported all your SSL certificates, see How to Import the SSL Certificate w/Private Key .pfx File.

  1. On the Windows Server 2016 where you imported your SSL certificate to, open Internet Information Services (IIS) Manager.

    In the Windows start menu, type Internet Information Services (IIS) Manager and open it.

  2. In Internet Information Services (IIS) Manager, in the Connections menu tree (left pane), expand the name of the server on which the certificate was installed. Then expand Sites and click the site you want to use the SSL certificate to secure.

  3. On the website Home page, in the Actions menu (right pane), under Edit Site, click the Bindings… link.

  4. In the Site Bindings window, click Add.

  5. In the Add Site Bindings window, do the following and then click OK:

    Type: In the drop-down list, select https.

    IP address: In the drop-down list, select the IP address of the site or select All Unassigned.

    Port: Type port 443. The port over which traffic is secured by SSL is port 443.

    SSL certificate: In the drop-down list, select your new SSL certificate (e.g., yourdomain.com).

  6. Your SSL certificate is now installed, and the website is configured to accept secure connections.

 

(Multiple Certificates) How to assign your SSL certificates and configure the server to use them using SNI

If you have not imported all your SSL certificates, see How to Import the SSL Certificate w/Private Key .pfx File.

These instructions explain how to assign multiple SSL certificates using SNI. The process is split into two parts as follows:

  • Assign the First SSL Certificate

  • Assign All Additional SSL Certificates

 

Assign the First SSL Certificate

Do this first set of instructions only once, for the first SSL certificate.

  1. On the Windows Server 2016 where you imported your SSL certificate to, open Internet Information Services (IIS) Manager.

    In the Windows start menu, type Internet Information Services (IIS) Manager and open it.

  2. In Internet Information Services (IIS) Manager, in the Connections menu tree (left pane), expand the name of the server on which the certificate was installed. Then expand Sites and click the site you want to use the SSL certificate to secure.

  3. On the website Home page, in the Actions menu (right pane), under Edit Site, click the Bindings… link.

  4. In the Site Bindings window, click Add.

  5. In the Add Site Bindings window, do the following and then click OK:

    Type: In the drop-down list, select https.

    IP address: In the drop-down list, select the IP address of the site or select All Unassigned.

    Port: Type port 443. The port over which traffic is secured by SSL is port 443.

    SSL certificate: In the drop-down list, select your new SSL certificate (e.g., yourdomain.com).

  6. Your first SSL certificate is now assigned, and the website is configured to accept secure connections.

 

Assign All Additional SSL Certificates

To assign each additional SSL certificate, repeat the steps below, as needed.

  1. In Internet Information Services (IIS) Manager, in the Connections menu tree (left pane), expand the name of the server on which the certificate was installed. Then expand Sites and click the site you want to use the SSL certificate to secure.

  2. On the website Home page, in the Actions menu (right pane), under Edit Site, click the Bindings… link.

  3. In the Site Bindings window, click Add.

  4. In the Add Site Bindings window, do the following and then click OK:

    Type: In the drop-down list, select https.

    IP address: In the drop-down list, select the IP address of the site or select All Unassigned.

    Port: Type port 443. The port over which traffic is secured by SSL is port 443.

    Host name: Type the host name that you want to secure.

    Require Server Name Indication: After you enter the host name, check this box. This is required for all additional certificates/sites, after you've installed the first certificate and secured the primary site.

    SSL certificate: In the drop-down list, select an additional SSL certificate (e.g., yourdomain2.com).

  5. You have successfully assigned another SSL certificate and configured the website to accept secure connections.
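The bindings from both procedures above (the first certificate without SNI, each additional certificate with a host name and Require Server Name Indication) can also be created from PowerShell. This is an added example, not part of the original instructions; the function name Add-HttpsBinding, the site names, and the thumbprints are hypothetical placeholders.

```powershell
# Added example. Run in an elevated PowerShell session on the IIS 10 server.
# Add-HttpsBinding is a hypothetical helper; site names and thumbprints are placeholders.
Import-Module WebAdministration

function Add-HttpsBinding {
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$HostName,                    # omit for the first (non-SNI) certificate
        [string]$StoreName = 'WebHosting'
    )

    # Bind only a certificate that is present in the store with its private key.
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\$StoreName" |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert -or -not $cert.HasPrivateKey) {
        throw "No certificate with a private key and thumbprint $Thumbprint in $StoreName."
    }

    # '*' is All Unassigned; SslFlags 1 is "Require Server Name Indication".
    $params = @{ Name = $SiteName; Protocol = 'https'; IPAddress = '*'; Port = 443 }
    if ($HostName) {
        $params.HostHeader = $HostName
        $params.SslFlags   = 1
    }
    New-WebBinding @params

    # Attach the certificate to the binding that was just created.
    $binding = Get-WebBinding -Name $SiteName -Protocol https |
        Where-Object { $_.bindingInformation -eq "*:443:$HostName" }
    $binding.AddSslCertificate($Thumbprint, $StoreName)
}

# First certificate: no host name, no SNI.
Add-HttpsBinding -SiteName 'Site1' -Thumbprint '<THUMBPRINT-OF-FIRST-CERTIFICATE>'

# Each additional certificate: host name plus SNI.
Add-HttpsBinding -SiteName 'Site2' -Thumbprint '<THUMBPRINT-OF-SECOND-CERTIFICATE>' -HostName 'yourdomain2.com'

# List the resulting IP:port and hostname:port certificate bindings to confirm them.
netsh http show sslcert
```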