
Renewing Certificates-Automatically

1 Table of Contents

1 Table of Contents
2 Purpose
3 Overview
4 Pre-Creation Steps
  4.1 Certificate Request Authorization
5 Generate Certificate
  5.1 Create Certificate
  5.2 Submit Request and Download Certificate
6 Process Certificate Request
  6.1 Process Request
7 Install in IIS and Export
  7.1 Export PFX using IIS MMC
8 Conclusion

2 Purpose

The purpose of this document is to describe in detail the new certificate request creation functionality being provided on the http://ssladmin/ssladmin site. Please be aware that as of 8-12-2010 all certificates issued through the SSLAdmin site have a bit strength of 2048 and are valid for 24 months.

3 Overview

There are now several different ways in which to create and submit a certificate request on http://ssladmin/ssladmin:

• Create the certificate request text file locally using IIS.
• Create the request text file on the server where it is needed using IIS.
• Create the certificate request text file using certreq.exe
• Create the request and submit for the certificate using the new automated certificate request creation tool on http://ssladmin/ssladmin

The automated certificate creation tool will not work at this time for creating a certificate with SANs with only site authorization approval for a single all across site authorization. For example: If you have site authorization for *.test.msn.com you can only request a certificate using the automated certificate request creation tool for *.test.msn.com.

4 Pre-Creation Steps

4.1 Certificate Request Authorization

Ensure that you are authorized to request certificates from http://ssladmin/ssladmin for all required domain names. Be sure to include all subject alternative names if requesting a certificate containing them.

5 Generate Certificate

5.1 Create Certificate

Vista and Windows Server 2008 R2 require the user to be an administrator to complete this task, therefore Internet Explorer must be run as an administrator. Also, the Internet Explorer setting under Security labeled Initialize and script ActiveX controls not marked as safe for scripting must be set to Prompt for these steps to succeed. To do this:

The first task is to change an ActiveX security setting in Internet Explorer:

1. In Internet Explorer, click Tools --> Internet Options --> Security tab --> Local intranet icon (shown circled below) --> Custom level… button (shown circled below):
2. Scroll down to the ActiveX controls and plug-ins section, and locate the Initialize and script ActiveX controls not marked as safe for scripting setting (shown highlighted below). Click the Prompt radio button:

3. Click the OK button, then click Yes when asked if you're sure you want to change the settings for this zone.
4. Click OK to close the Internet Options window.
5. Restart Internet Explorer (using Run as Administrator).

Creating the request file:

• Click Start
• Click Run
• Click All Programs
• Right click Internet Explorer
• Click Run as Administrator
• Browse to http://ssladmin/ssladmin

• Click on Certificates, New Request
• Click the Automated Certificate Creation link
• Enter the alias of a distribution list and any additional aliases under Email Notification list

Note: Certificate requests now require that a group or team distribution list be included in the notifications list for a successful submission.

In the left box is a list of all domain names for which you are approved to request certificates, on the top right a field for the Subject / Common Name for which you are requesting, and bottom right a field for any needed Subject Alternative Names.

• Click the desired domain in the left box to highlight it.
• Click the top button to move that domain into the Subject / Common Name field
• To add SANs to the request, highlight the names you need and click either the 3rd button for an individual name or the 4th button for multiple names. Use the 5th or 6th button to remove the names.
• If you are creating a certificate with a SAN you need to always include the Subject name in the list of SANs. If you do not, some sites will not work correctly.

Note: The above graphic shows a certificate request with SANs.

• Click User Agreement to view it
• Click I agree to the User Agreement
• Click Submit. The certificate download page is presented.

5.2 Submit Request and Download Certificate

• Continuing from the above section, download either the DER or the Base64 file. Note: The .P7B file does not work at this time when using the automated tool.
• Save the file to a known location as the Subject / Common Name specified in section 5.1

6 Process Certificate Request

6.1 Process Request

In order for the public and private keys to be associated you must install the just downloaded certificate into the local computer personal certificates store on the same machine. Failure to do so will result in a certificate with no private key.

To import the file into the Local Certificates store, conduct the following steps:

Import the certificate file

• Click Start
• Click Run
• Type MMC
• Click OK
• Click File
• Click Add/Remove Snap In
• Click Certificates
• Click Add
• Click Computer Account
• Click Local Computer
• Click Finish
• Click Close
• Click OK
• Expand Certificates
• Expand Personal
• Right click Certificates
• Click All Tasks
• Click Import
• Click Next
• Browse to the certificate file saved in previous steps
• Click Next
• Verify details
• Click Next
• Double click the newly imported certificate
• Verify it has the private key
• Click OK

Export the certificate

1. Right click the certificate
2. Choose All Tasks
3. Choose Export
4. Click Next
5. Click Yes, Export the private key
6. Click Next
7. Click Include all certificates in the certification path if possible
8. Click Next
9. Leave Enable Strong Protection enabled
10. Enter password and confirm it
11. Click Next
12. Enter name (recommend using the established common name) and browse to a known location to save the file
13. Click Next
14. Verify details
15. Click Next
16. Click Finish
17. The exported certificate file may now be used as needed

Note: The extension must be changed to .txt to email the file. Exchange will block it if sent as a .PFX.

7 Install in IIS and Export

7.1 Export PFX using IIS MMC

The certificate is now installed in the computer account’s personal store, however it must be manually assigned to a site in IIS for it to work. Follow the below instructions to export the PFX.

• Click Start
• Click Run
• Type inetmgr
• Click OK
• Expand Local Computer
• Expand Web Sites
• Right click Default web site
• Click Properties
• Click Directory Services
• Click Server Certificate
• Click Next
• Click Replace the current certificate
• Click Next
• Select the newly imported certificate
• Click Next
• Verify details
• Click Next
• Click Finish
• View the certificate to verify that it has a private key

• Expand Web Sites
• Right click the appropriate web site and select Properties
• Click Directory Security
• Click Server Certificate
• Click Next
• Click Assign an existing certificate
• Click Next.
  o If Assign an existing certificate is not an available option, a certificate is already assigned to this site.
  o Remove the certificate by clicking Remove the current certificate

  o Click Next
  o Click Finish
  o Restart this process from “Expand Local Computer” (see above)
• Click the certificate
• Click Next
• Specify SSL port
• Click Next
• Review summary
• Click Next
• Click Finish
• Click View Certificate and ensure the correct cert was assigned
  o Additional verification can be performed by clicking the Details tab, selecting the Subject field, and making sure that all required domain URLs are listed.
• Close the certificate dialog
• Click Server Certificate
• Click Next
• Click Export the current certificate to a .pfx file
• Specify path and filename
• Click Next
• Enter and confirm password
• Click Next
• Review summary
• Click Next
• Click Finish
• Close the IIS MMC

8 Conclusion

The PFX file is now suitable for deployment on front-end web servers. Remember to clean up any copies of the file on public shares. Also remember, to email the certificate anywhere you will need to change the extension of it to .txt and when it is received that person can change it back to .PFX or .DER.
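
The by-eye checks in sections 2, 5.1, 6.1 and 7.1 (2048-bit key, Subject name present in the SAN list, private key attached after import) can also be scripted against the local computer Personal store. The PowerShell below is an added example, not part of the original procedure; the common name is a placeholder, and the SAN parsing assumes English-language Windows.

```powershell
# Added example: audit certificates in the local computer Personal store.
$CommonName = 'www.example.test'   # placeholder: the Subject / Common Name you requested
$MinKeyBits = 2048                 # bit strength stated in section 2

$x509Ns   = 'System.Security.Cryptography.X509Certificates'
$nameType = [Enum]::Parse([type]"$x509Ns.X509NameType", 'SimpleName')

# Find every certificate whose Subject common name matches the requested name.
$found = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.GetNameInfo($nameType, $false) -eq $CommonName })

if ($found.Count -eq 0) {
    Write-Warning "No certificate with common name '$CommonName' in LocalMachine\My"
}

foreach ($cert in $found) {
    # Subject Alternative Name extension (OID 2.5.29.17), if the certificate has one.
    # English Windows renders its entries as "DNS Name=<name>".
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sans = @()
    if ($sanExt) {
        $sans = @([regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value })
    }

    # RSA public key size; 0 if the certificate does not carry an RSA key.
    $rsa = ([type]"$x509Ns.RSACertificateExtensions")::GetRSAPublicKey($cert)
    $keyBits = if ($rsa) { $rsa.KeySize } else { 0 }

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        # False means the certificate was imported on a machine other than the
        # one that created the request (section 6.1).
        HasPrivateKey = $cert.HasPrivateKey
        KeyBits       = $keyBits
        KeySizeOk     = ($keyBits -ge $MinKeyBits)
        # Section 5.1: when SANs are present, the Subject name must be one of them.
        # A certificate without SANs passes this check.
        SubjectInSan  = ($sans.Count -eq 0) -or ($sans -contains $CommonName)
        SanNames      = ($sans -join ', ')
        NotAfter      = $cert.NotAfter
        DaysLeft      = [int]($cert.NotAfter - (Get-Date)).TotalDays
    }
}
```

Run it on the machine where the request was created, after the import in section 6.1 and before exporting the PFX; any row with HasPrivateKey, KeySizeOk or SubjectInSan set to False should be resolved before the certificate is deployed.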