[This is preliminary documentation and subject to change]
Obtaining a Server Certificate
There are two ways to obtain a server certificate. You can issue your own certificate, or you can
obtain a certificate from a certification
authority. The following procedures explain how you can
implement certificates on your server. To learn more about
certificates, see About Certificates.
Important
It is important to safeguard the certificate
and key pair; always back them up onto a disk and keep the
disk in a secure place.
To issue your own server certificate
Consider the following issues when deciding whether to issue
your own server certificates:
- Consider the features offered by the certificate service;
Microsoft Certificate Services 2.0 accommodates different
certificate formats and provides for auditing or logging of
certificate-related activity.
- Compare the cost of issuing your own certificates against the
cost of buying a certificate from a certification authority.
- Your organization may require an initial adjustment period to
learn, implement, and integrate Certificate Services with
existing security systems and policies.
- Use Certificate Services to create a customizable service for
issuing and managing certificates. You can create server
certificates for
the Internet or for
corporate intranets, giving your organization
complete control over certificate management policies. For more
information, see the Microsoft Certificate Services
documentation.
- Use the Web
Server Certificate Wizard to request and install your server
certificate.
Notes
- Online requests for server certificates can only be made to
local and remote Enterprise Certificate Services and remote
Stand-alone Certificate Services. The IIS Web Server Certificate
Wizard does not recognize a stand-alone installation of Certificate
Services on the same computer when requesting a certificate. To get
around this, use the offline certificate request to save the
request to a file and then process as an offline request (see the
Certificate Services documentation).
- If you open your SGC certificate, you might receive a notice on
the General tab saying, "The certificate has failed to
verify for all of its intended purposes." This notice is issued
because of the way SGC certificates interact with Windows 2000
and does not necessarily indicate that the certificate does not
work properly.
To obtain a server certificate from a certification authority
If you are replacing your current server certificate, IIS will
continue to use the old certificate until the new request has been
completed.
- Find a certification authority that provides services that meet
your business needs and then request a server certificate.
Consider the following issues when choosing a certification
authority:
- Will the certification authority be able to issue you a
certificate that is compatible with all browsers used to access
your server?
- Is the certification authority a recognized and trusted
entity?
- How will the certification authority provide verification of
your identity?
- Does the authority have a system for receiving online
certificate requests, such as requests generated by the Web Server
Certificate Wizard?
- How much will the certificate cost initially and for renewal or
other services?
- Is the certification authority familiar with your organization
or company's business interests?
For the latest list of certification authorities supporting
Internet Information Services, visit the Microsoft Security Services Partner Program Web
site. In the Search by Product & Technology list, select
IIS or PKI and Certificates.
- Use the Web Server Certificate Wizard (see Using the New Security Task Wizards) to create a certificate request, which you
can send to the certification authority.
- Send the request to the certification authority. They will
process the request and send you the certificate.
Note
Some certification authorities require you to prove
your identity before processing your request or issuing you your
certificate.
- Use the Web Server Certificate Wizard (see Using the New Security Task Wizards) to install your certificate.
Note
When you send an online request for a server
certificate assigned to your server using the Certificate Wizard in
the IIS snap-in, a certificate
assigned to the certificate authority (CA) may be installed on your
server. The folder "Issued Certificates" shows a certificate issued
to your server, but the certificate is actually issued to the
CA.
To work around this problem, create your certificate request
offline. In the Certificate Wizard, select "Prepare the
request now, but send it later." Do not select "Send the request
immediately to an online certification authority."
In the previous release of IIS, Key Manager was used to back up
server certificates. In this release of IIS, the Web Server
Certificate Wizard replaces Key Manager. Because IIS works closely
with Windows, you can use the Certificate Manager tool to export
and back up your server certificates.
To back up your server certificate
- Locate the correct certificate store. This is typically the
Local Computer store in Certificate Manager.
Note
If you do not have Certificate Manager installed in
the MMC, you will need to install
it.
- Select the certificate in the Personal store.
- Open the Action menu, point to All tasks, and
click Export.
- In the Certificate Manager Export Wizard, select Yes, export
the private key.
- Follow the wizard default settings, and enter a password for
the certificate backup file when prompted.
Important
Do not select Delete the private key
if export is successful, because this will disable your current
server certificate.
- Complete the wizard to export a backup copy of your server
certificate.
If you already have Certificate Manager installed in the MMC, it
will point to the correct Local Computer certificate store. Otherwise, add the Certificates snap-in as follows:
- Open an MMC console and select Add/Remove Snap-in from
the File menu.
- Click Add.
- Select Certificates.
- Click Add.
- Select the Computer Account option.
- Select the Local Computer option.
- Click Finish.
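The following script is an added example, not part of the IIS documentation; it uses the PowerShell PKI module (Export-PfxCertificate, Windows Server 2012 and later) rather than the Certificate Manager MMC described above. It carries out the backup procedure (select the certificate in the Local Computer Personal store, export it with its private key under a password, leave the private key in place) and first checks that the certificate chosen is the server's own end-entity certificate with a private key rather than a CA certificate of the kind the online-request note above warns can be installed by mistake. The server name and backup path are assumed values.

```powershell
# Added example (not from the IIS documentation). Assumed values: $ServerDnsName is the
# name clients connect to; $BackupPath is on media you keep secured, per the Important note.
param(
    [string]$ServerDnsName = 'www.example.com',
    [string]$BackupPath    = 'D:\CertBackup\www.pfx'
)

$store = Get-ChildItem -Path Cert:\LocalMachine\My

# Keep only certificates issued to this server (subject CN or a SAN DNS entry matches)
# that carry a private key. A CA certificate installed by an online request has neither
# this subject nor, normally, a private key on the web server.
$candidates = $store | Where-Object {
    $_.HasPrivateKey -and
    ($_.GetNameInfo('SimpleName', $false) -eq $ServerDnsName -or
     $_.DnsNameList.Unicode -contains $ServerDnsName)
}

# Reject anything whose Basic Constraints extension marks it as a CA certificate,
# then take the longest-lived remaining certificate.
$serverCert = $candidates | Where-Object {
    $bc = $_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    -not ($bc -and $bc.CertificateAuthority)
} | Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $serverCert) {
    throw "No end-entity certificate with a private key for $ServerDnsName in Cert:\LocalMachine\My"
}

# Export with the private key. The store entry is untouched, which is the equivalent of
# NOT selecting "Delete the private key if export is successful" in the wizard.
$password = Read-Host -Prompt 'Password for the certificate backup file' -AsSecureString
New-Item -ItemType Directory -Path (Split-Path $BackupPath) -Force | Out-Null
Export-PfxCertificate -Cert $serverCert -FilePath $BackupPath -Password $password | Out-Null

# Verify the backup by reloading the PFX from disk (without importing it into any store)
# and comparing the thumbprint; also confirm the private key travelled with it.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($BackupPath, $password)
if ($check.Thumbprint -ne $serverCert.Thumbprint -or -not $check.HasPrivateKey) {
    throw 'Backup verification failed: thumbprint mismatch or private key missing'
}
"Backed up $($serverCert.Subject) (thumbprint $($serverCert.Thumbprint)) to $BackupPath"
```

Run it from an elevated PowerShell session on the web server, since the Local Computer Personal store and its private keys are readable only by administrators.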
Server Certificates and Upgrades
Due to changes in the way that IIS uses server certificates, you
may experience difficulty removing and reassigning your server
certificate after an upgrade to Microsoft Windows. To fix this
problem, use the Visual Basic script below to change metabase
settings and to remove the certificate. You can then use the Web
Site Certificate Wizard in IIS to reassign the certificate.
' Set MachineName to the name of the machine, or use "localhost"
MachineName = "localhost"
' Bind to the W3SVC node of the metabase through the IIS ADSI provider
Set PathObj = GetObject("IIS://" & MachineName & "/w3svc")
' Clear the certificate hash and store name (control code 1 = ADS_PROPERTY_CLEAR)
PathObj.PutEx 1, "SSLCertHash", ""
PathObj.PutEx 1, "SSLStoreName", ""
' Write the changes back to the metabase
PathObj.SetInfo
© 1997-2001 Microsoft Corporation. All rights reserved.