You are on page 1of 6

VeriSign - Knowledge Center - SSL Certificates Support Page 1 of 6

US Home (http://www.verisign.com/) > Support (http://www.verisign.com/support) > SSL Certificates (index?page=home) > Solution Details

Solution
How to install an SSL certificate for Microsoft IIS 7?

Solution ID: SO9071


Version: 19.0
Published: 05/12/2008
Updated: 11/17/2010

Problem
Install an SSL certificate for IIS 7

Resolution
This document provides instructions for installing SSL Certificates into IIS 7.0. If you are unable to use these instructions for your server, VeriSign
recommends that you contact Microsoft.

Download the certificate

Method 1:
VeriSign will send you the SSL certificate via email.

Using a plain text editor such as Notepad, paste the content of the certificate:

You should then have a text file that looks like:

-----BEGIN CERTIFICATE-----
[encoded data]
-----END CERTIFICATE-----

Make sure you have 5 dashes to either side of the BEGIN CERTIFICATE and END CERTIFICATE and that no white space, extra line breaks or additional
characters have been inadvertently added.

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=SO9071&pmv=print&actp=PRINT 11/25/2010
VeriSign - Knowledge Center - SSL Certificates Support Page 2 of 6

Method 2:
Download the certificate from VeriSign Trust Center: SO8061 (index?page=content&actp=CROSSLINK&id=SO8061)
Download the certificate from Managed PKI for SSL subscriber services page: SO6621
(index?page=content&actp=CROSSLINK&id=SO6621)

Note:
If you install the certificate received by email, or if you download it from your VeriSign Trust Center account in pcks#7 format, save it with the
extension .txt or .p7b
If you install the certificate downloaded from your VeriSign Trust Center account in x.509 format, save it with the extension .txt or .cer and before
continuing with the installation of the certificate, install the intermediate following this link: SO8227 (index?page=content&actp=CROSSLINK&id=SO8227)

In IIS7, you need to install the certificate and then bind the HTTPS protocol to the site

Step 1: Install Certificate

1. Click Start > Administrative Tools > Internet Information Services (IIS) Manager
2. From the left menu, click the corresponding server name
3. In the Features pane (middle pane), under Security, double-click Server Certificates
4. From the Actions pane (right pane), select Complete Certificate Request
5. Provide the location of the certificate file and the friendly name
Note: Friendly name is a reference name for quick identification of the certificate for the Administrator

>>At this point a known error may occur such as ASNI1 bad tag value met. 0X80009310b (ASN:267), yet the certificate may still install. To verify
this please try to bind the certificate using Step 2 below.

Additional information can be obtained regarding the error message from SO10035 (index?page=content&actp=CROSSLINK&id=SO10035)

Step 2: Binding certificate to the web site:

1. Click Start > Administrative Tools > Internet Information Services (IIS) Manager
2. Browse to your server name > Sites > Your SSL-based site
3. From the Actions pane, choose Bindings
4. In the Site Bindings window, If there is no existing https binding, choose Add
Note: if there is already a https binding, select it and click Edit
5. From the Add Site Bindings window, provide the binding type
6. Select the SSL certificate that will be used for this site
7. Select the SSL certificate that will be used for this site
8. Click OK

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=SO9071&pmv=print&actp=PRINT 11/25/2010
VeriSign - Knowledge Center - SSL Certificates Support Page 3 of 6

Step 3: Locate and Disable the VeriSign Class 3 Public Primary Certification Authority - G5 Root CA certificate

1. Create a Certificate Snap-In in Microsoft Management Console (MMC). Please see the following solution for infomation on this: SO6127 (index?
page=content&actp=CROSSLINK&id=SO6127)

2. With the MMC and the Certificates snap-in open, expand the Trusted Root Certification Authorities folder on the left and select the Certificates
sub-folder.
3. Locate the following certificate:
Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expiration Date: 7/16/2036
Serial Number: 18 da d1 9e 26 7d e8 bb 4a 21 58 cd cc 6b 3b 4a

4. If this certificate is present, it must be disabled.


5. Right click the certificate
6. Select Properties
7. In the Certificate purposes section, select Disable all purposes for this certificate

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=SO9071&pmv=print&actp=PRINT 11/25/2010
VeriSign - Knowledge Center - SSL Certificates Support Page 4 of 6

8. Click the OK button


9. Close the MMC - there is no need to save console settings

Step 3: Verify certificate installation

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=SO9071&pmv=print&actp=PRINT 11/25/2010
VeriSign - Knowledge Center - SSL Certificates Support Page 5 of 6

1. Stop and start your Web server prior to any testing.


Note: In some cases the changes may not take place after restarting IIS Services and a re-boot is needed.
2. To verify the SSL certificate instalaltion, use the VeriSign Certificate Installation checker utility (index?page=content&actp=CROSSLINK&id=AR1130)

Additional Notes:

If you do not specify an IP address when installing your SSL Certificate, the same ID will be used for all virtual servers created on the system.

If you are hosting multiple sites on a single server, you can specify that the ID only be used for a particular server IP address

Microsoft Support

For more information, contact Microsoft (http://support.microsoft.com/) .

Disclaimer:
VeriSign, Inc. has made efforts to ensure the accuracy and completeness of the information in this document. However, VeriSign, Inc. makes no warranties
of any kind (whether express, implied or statutory) with respect to the information contained herein. VeriSign, Inc. assumes no liability to any party for any
loss or damage (whether direct or indirect) caused by any errors, omissions, or statements of any kind contained in this document. Further, VeriSign, Inc.
assumes no liability arising from the application or use of the product or service described herein and specifically disclaims any representation that the
products or services described herein do not infringe upon any existing or future intellectual property rights. Nothing herein grants the reader any license to
make, use, or sell equipment or products constructed in accordance with this document. Finally, all rights and privileges related to any intellectual property
right described herein are vested in the patent, trademark, or service mark owner, and no other person may exercise such rights without express permission,
authority, or license secured from the patent, trademark, or service mark owner. VeriSign Inc. reserves the right to make changes to any information herein
without further notice.

Contact Us | Careers | Blogs | Legal Notices | Privacy | Repository | Worldwide Sites | Site Map | RSS | Feedback

Copyright ©1995- VeriSign, Inc. All rights reserved.


VeriSign, the VeriSign logo, the Checkmark Circle logo, and other trademarks, service marks, and designs are the registered or unregistered trademarks of
VeriSign, Inc. and its subsidiaries in the United States and internationally. All third party trademarks are property of their respective owners.

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=SO9071&pmv=print&actp=PRINT 11/25/2010
VeriSign - Knowledge Center - SSL Certificates Support Page 6 of 6

VeriSign (Nasdaq: VRSN) is the trusted provider of Internet infrastructure services for the networked world. Billions of times each day, VeriSign helps
companies and consumers all over the world engage in communications and commerce with confidence. VeriSign offerings include SSL, SSL Certificates,
Extended Validation (EV SSL), Trust Seal, two-factor authentication, identity protection, malware scan, public key infrastructure (PKI), DDoS mitigation
and Domain Name Services.

ABOUT SSL CERTIFICATES

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=SO9071&pmv=print&actp=PRINT 11/25/2010