I need to create a self-signed SSL certificate and then install the same certificate on two different web servers. For this specific scenario I have two web servers (Win2K3 w/ IIS6) in a network load balanced configuration.
I have installed the IIS resource tool kit and can use the SelfSSL tool to make a certificate. However my confusion comes from that the tool only registers the certificate on the current machine. How do I go about extracting the certificate in a form that I can then register it on the other web server?
I am not partial to the SelfSSL tool at all, so if I am going about this entirely wrong I am open to alternative instructions. I have seen instructions on how to generate .cer files using OpenSSL but I was really trying to hold off on installing OpenSSL unless I really had to.
Thanks!
Preface
These instructions are probably not of much help to anyone, since both Windows 7 and IIS 7 are not supported anymore. However, I felt compelled to answer this question because it was currently the oldest unanswered question on Stack Overflow and I felt I could provide an accurate answer based on multiple sources.
With that out of the way, you should be able to extract the certificate generated by SelfSSL through the Microsoft Management Console and subsequently install it on other web servers using IIS Manager. Since you asked this question in 2008, the following instructions should be appropriate for your timeframe.
Step 1: Extracting the certificate
These are the relevant steps from this article on HowToGeek.
First, run the command mmc to open the Management Console:
In the console, go to File > Add/Remove Snap-in.
Add Certificates from the left side.
Select Computer account.
Select Local computer.
Click OK to view the Local Certificate store.
Navigate to Personal > Certificates and locate the certificate you set up using the SelfSSL utility.
Step 2: Installing the certificate.
Now that you have successfully extracted the certificate, the next step is to install it into an IIS web server. Again, these instructions from SSL Store for IIS 7 should be appropriate for your timeframe.
1. Launch IIS Manager
Click Start, Control Panel, Administrative Tools, and then select Internet Information Services (IIS) Manager.
2. Select your server name
In the left Connections menu, select the server name (host) where you want to install the certificate.
3. Navigate to the Security section
In the center menu, click the Server Certificates icon under the Security section near the bottom.
4. Click Complete Certificate Request
In the right Actions menu, click Complete Certificate Request.
5. Browse to your Server Certificate
In the Complete Certificate Request wizard, click “…” to browse and select Your Server Certificate file that was previously saved on your server’s desktop.
6. Name your certificate
Enter a Friendly Name which is an internal reference name to distinguish the file later. We recommend including the CA's name and expiration date.
7. Click OK
Click OK and the newly installed certificate should appear in the refreshed Server Certificate List.
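A scripted way to move one certificate together with its private key between two servers, as an added example that is not part of the original answer. It assumes Windows Server 2012 or later with the built-in PKI module (not available on the Windows Server 2003 hosts in the question); the function names and the C:\Transfer\site.pfx path are hypothetical.

```powershell
# Added example: assumes the PKI module (Windows Server 2012 or later).
# Function names and C:\Transfer\site.pfx are hypothetical placeholders.

function Export-SiteCertificate {
    # Run on the server where the certificate was created.
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][securestring]$Password,
        [string]$PfxPath = 'C:\Transfer\site.pfx'
    )
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    # A .cer export carries only the public certificate. The second node must
    # hold the same private key to serve HTTPS, so require one to be present.
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key in this store."
    }
    # This call fails if the key was created as non-exportable.
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password | Out-Null
    return $cert.Thumbprint
}

function Import-SiteCertificate {
    # Run on the second server after copying the PFX over a trusted channel.
    param(
        [Parameter(Mandatory)][string]$ExpectedThumbprint,
        [Parameter(Mandatory)][securestring]$Password,
        [string]$PfxPath = 'C:\Transfer\site.pfx'
    )
    # Without -Exportable the private key is stored as non-exportable.
    $imported = Import-PfxCertificate -FilePath $PfxPath -Password $Password `
        -CertStoreLocation 'Cert:\LocalMachine\My'
    if ($imported.Thumbprint -ne $ExpectedThumbprint) {
        # Wrong file: take the certificate and its key back out of the store.
        Remove-Item -Path "Cert:\LocalMachine\My\$($imported.Thumbprint)" -DeleteKey
        throw 'Imported certificate does not match the expected thumbprint.'
    }
    # The PFX contains the private key, so do not leave it on disk.
    Remove-Item -Path $PfxPath
    return $imported
}

# Usage (first server, then second server):
#   $pw = Read-Host -AsSecureString 'PFX password'
#   $tp = Export-SiteCertificate -Thumbprint '<thumbprint of the site certificate>' -Password $pw
#   Import-SiteCertificate -ExpectedThumbprint $tp -Password $pw
```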
I am a student and for my dissertation I need to configure a Windows Server to be a file server which uses FTP over SSL for file sharing so a user can download a file from the server.
What do I need to do that in terms of setting up the service and calling it from another machine later on?
Thanks in advance.
Step 1. Install an SSL certificate on the server.
You can buy the SSL certificate from your webhost
Your webhost should also have instructions for installing the certificate
If you can't find instructions, try this: GoDaddy SSL Instructions
Step 2. Set up an FTP server on your Windows server
You can set up an FTP server using IIS (Internet Information Services) which is installed by default on every Windows Server.
Once you open IIS, right click on the Server name and select add FTP Site.
Give it a name and a location where you want to save the files that you'll be uploading
You can leave the IP on All Unassigned and port on 21
Select Require SSL and use the Select button to navigate to your certificate
Enable basic authentication, leave anonymous disabled
Step 3. Grant user permissions
Open Computer Management and navigate to "Users" under System Tools / Local Users and Groups.
If there is no user called ftpuser, create one.
In File Explorer, right click on the folder where you'll be storing your files, select Properties and go to the Security tab.
Click the Edit button, then Add
Enter in the name of your ftp user, click Check Names, then OK.
Your ftp user should now be listed in the security tab. Select this user and then grant Modify, Read & execute, List folder contents, Read, Write. Click OK.
In IIS, select your ftp site and then double click "FTP Authorization Rules". Add a new rule for a specific user (ftpuser) and select Read and Write.
Step 4. Connect to your FTP server from your local machine
There are many ways to connect to your ftp server including a browser or file explorer, but arguably the best way to do this is to use an FTP client.
A good free FTP client is Cute FTP. I recommend it, but there are many others.
After you've installed an ftp client, enter in your host name (domain or server ip), user (ftp user you created), password and port number (should be 21).
Now you can drag and drop from and to your server.
Bob's your uncle.
I have a GoDaddy SSL certificate installed in my Azure web role. It works for most clients, but some clients complain that the certificate is "not trusted". In particular, I have an Azure Scheduler Job wired up to periodically POST to an https endpoint in my web role, but the POST fails. After some investigation, it turns out that the POST fails because the SSL certificate is "not trusted".
The fact that my SSL certificate is not wired up completely correctly is also verified by examining my domain using this tool:
https://www.digicert.com/help
I understand that many clients (web browsers) have the GoDaddy certificate chain (that is, the "intermediate" certificates that get from my SSL certificate to the GoDaddy root CA) baked into them. But some clients (such as the Azure Scheduler) expect my web server to provide not only my SSL certificate but also all of the intermediate certificates up to the root CA.
How do I include the intermediate certificates in my Azure web role?
Note: I am asking this question with the intent of answering it myself (now that I've struggled for a week to figure it out).
Overview of the answer
You need to manually add the intermediate certificates to the Web role "certificates" (in Visual Studio), and you need to upload the intermediate certificates to your Azure Web Role.
Step 1: Convert the p7b file to a pfx for upload to Azure
This step is derived from this article.
Download your certificate files from GoDaddy. That gets you a zip file that contains a crt file and a p7b file. The crt file contains your SSL certificate, but it's not fully baked until you complete the CSR request. See below for details. The p7b file contains the GoDaddy intermediate certificates.
Complete the CSR request using the crt file. See this SO answer for details.
Open the Windows Certificate Manager (certlm.msc)
Import the p7b file into the Local computer/Intermediate Certification Authorities/Certificates node.
Export the SSL certificate and its dependencies as a .PFX file. This step works if you export the certificate using Certificate Manager (certlm.msc), but not (as far as I can tell) if you export the certificate using IIS Manager. Find your SSL certificate in the Personal/Certificates node, right-click, and select All tasks.../Export. Tell the wizard to export the private key, and include all certificates in the path and all extended properties.
Step 2: Upload the certificates to the Azure Web Role
Upload the pfx file that you created in the previous step to the Certificates in your Azure Web Role. This will add your SSL certificate and all of the intermediate certificates up to the root CA to your Azure web role.
Step 3: Add the certificates to your Web Role project
This step is loosely derived from this article.
In Visual Studio, navigate to your Web Role (Solution/Azure project/Roles/Your web role), right-click, and select Properties
In the Properties window, select Certificates
Now, you need to manually add a new certificate (actually, you are just adding a new certificate thumbprint) for each intermediate certificate. You can either copy-and-paste the thumbprints from the Azure Portal "Certificates" web page, or (with a little extra work) you can get them directly from the local Windows certificate store.
If you want to get the thumbprints using the built-in "read the certificate from my computer" magic in Visual Studio, you need to first:
Open the Windows Certificate Manager (certlm.msc)
Import the pfx file containing your intermediate certificates into the Personal/Certificates node
Meanwhile, back in Visual Studio, for each intermediate certificate:
Click "Add certificate", then
Enter a meaningful name for the intermediate certificate (the name is for your reference only; it's not used for anything)
Set the Store Name to CA.
Enter the certificate Thumbprint. You can copy-and-paste it from the Web Role/Certificates page in the Azure portal, or, if you've imported the certificates into your personal certificate store (as described above) you can get it by clicking the ellipses in the Thumbprint box and selecting the certificate.
Step 4: Publish and test
Whew. So, now you've converted the p7b and crt files to a pfx file that contains your SSL certificate plus the GoDaddy certificates. You've uploaded the certificates to Azure, and you've added them to your Visual Studio project.
Publish your new project to Azure. You can test your website's SSL using either of these online tools:
https://www.sslshopper.com/ssl-checker.html
https://www.digicert.com/help
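A check for the PFX produced in Step 1, as an added example that is not part of the original answer: it lists the chain built for the SSL certificate and marks which certificates are actually inside the PFX. It assumes the PKI module's Get-PfxData cmdlet (Windows 8.1 / Server 2012 R2 or later); Get-PfxChainReport and .\site.pfx are hypothetical names.

```powershell
# Added example: assumes Get-PfxData from the PKI module is available.
# Get-PfxChainReport and .\site.pfx are hypothetical names.

function Get-PfxChainReport {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    $pfx  = Get-PfxData -FilePath $PfxPath -Password $Password
    $leaf = $pfx.EndEntityCertificates | Select-Object -First 1
    if (-not $leaf) { throw "No end-entity certificate found in $PfxPath." }

    # Thumbprints of every certificate that was really exported into the PFX.
    $inPfx = @($pfx.EndEntityCertificates; $pfx.OtherCertificates) |
        Where-Object { $_ } | ForEach-Object { $_.Thumbprint }

    # Build the chain offline, offering the PFX's extra certificates first.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    foreach ($c in $pfx.OtherCertificates) {
        [void]$chain.ChainPolicy.ExtraStore.Add($c)
    }
    if (-not $chain.Build($leaf)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Write-Warning "Chain did not validate on this machine: $status"
    }

    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        if ($c.Thumbprint -eq $leaf.Thumbprint) { $role = 'Leaf' }
        elseif ($c.Subject -eq $c.Issuer)       { $role = 'Root' }
        else                                    { $role = 'Intermediate' }
        [pscustomobject]@{
            Role       = $role
            Subject    = $c.Subject
            Thumbprint = $c.Thumbprint
            # False means the certificate came from this machine's own store,
            # so uploading the PFX would not carry it to the web role.
            InPfx      = $inPfx -contains $c.Thumbprint
        }
    }
}

# Usage:
#   $pw = Read-Host -AsSecureString 'PFX password'
#   Get-PfxChainReport -PfxPath .\site.pfx -Password $pw | Format-Table -AutoSize
```

Rows with Role "Intermediate" carry the thumbprints that Step 3 enters with Store Name CA; an intermediate showing InPfx False means the export did not include the full path.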
I have a certificate generated by Salesforce with crt extension
I exported it to a .cer file on windows (open it -> Details -> copy to path )
I've installed cer file on IIS Manager
I had an error
Cannot find the certificate request associated with this certificate file
I followed the corresponding KB
Now I know my certificate is installed and I have a Friendly name for it, but it is still not appearing in IIS.
How can I make a certificate installed on Windows appear in IIS certificates ?
Edit
More about how I got the certificate. There are two companies, one that works with Salesforce and mine.
We are trying to consume a WCF Service from Salesforce Apex Callout.
We choose Transport security with certificate authentication.
For that purpose salesforce team provide a certificate they created, I don't know how. I didn't provide any private key. I guess it's a certificate without official CA.
I'm trying to install it on the server where my WCF service is hosted by IIS.
Apologies for what is probably a question about a simple task but I'm brand new to Azure and a little worried I get this wrong. Actually, I have a new client and don't even have access to their Azure yet to have a proper look. The question is:
My new client has an existing MVC application running on IIS within Azure. This application must communicate with a third party SOAP (.asmx) web service that requires parts of the SOAP message to be signed using an SSL digital certificate.
So, I need to install the certificate on Azure. My problem is that the articles I have found deal with securing the website using the certificate and Https - which I don't want.
Can someone please point me to a good article (or show here if simple enough) that shows how to install it for the purpose of communicating with this third party service?
Any help is really appreciated here so that I can hit the ground running.
The approach for installing any certificate is the same. So you would use the same approach as you would for installing SSL certificate. So the steps would be:
Upload the certificate first in the cloud services certificate section. Note down the certificate thumbprint.
In Visual Studio, open up your role's properties and go to "Certificates" tab and specify that certificate thumbprint along with the certificate store location where you want this certificate to be installed.
I have been using the new Windows Azure Websites preview to build a site for a customer. I recently deployed this site, and moved it to a reserved instance so that I could configure a custom domain for the site as required by the customer. So far so good.
My next step is to secure the site using an SSL certificate. I have searched long and hard on the azure website (as well as stackoverflow) but have not been able to locate any information on how to configure an SSL cert for a reserved website instance.
I have seen many examples of doing this with a web role (cloud service) but not for a reserved website.
Does anyone know if this is currently possible? Or is this perhaps one of the reasons why azure websites are still in a preview mode?
Update: Found a post on the Azure Forum indicating that this is not possible in the current release, but is coming soon in a future release. http://social.msdn.microsoft.com/Forums/en-US/windowsazurewebsitespreview/thread/4bf975e7-56c0-4a4d-bb6a-b9b82f0da469
I did a quick google and found this link. It has some useful information.
Thanks to #twomm here is a TLDR of the situation:
just to keep everybody from clicking through, this is the current state there: "We are shooting for April or May for this feature"
As of 3 June 2013 Azure Web Sites now supports SSL for custom domains for reserved web sites according to Azure Pricing Details Page.
Two types of SSL connections are supported.
1 - Server Name Indication (SNI) SSL connections which work on modern browsers.
2 - IP-based SSL which works on all browsers.
Currently Azure supports shared SSL certificate only. Custom SSL certificates aren't supported yet, however Microsoft is planning to introduce them very soon.
With shared security you can access the same https site with https.
I see that this post and the answers are from a couple years ago. Now that it is possible to add an SSL certificate to Azure for a custom domain, I thought it would be useful to post a full solution here.
The MSDN blog post that I have followed to install a GoDaddy certificate on Windows Azure site is Avkash Chauhan's Complete Solution: Adding SSL Certificate with Windows Azure Application. He doesn't detail the Certificate Authority part, but I added steps below referring to how it is done on GoDaddy. His blog and another he links to have great detail about the whole rest of the process. My summary of all the steps is:
Purchase your SSL credit at GoDaddy
Use the credit to create or renew your SSL Certificate on GoDaddy. As part of the creation process, GoDaddy will ask you for your Certificate Signing Request (CSR). The CSR should be created on your LOCAL IIS server, as follows
In your local IIS 7 Manager, go to Server Certificates and choose Create Certificate Request... on the right. This is where you specify your domain name and details, including the encryption strength. Choose 2048-bit or higher. And RSA as the Cryptographic Provider
Once the CSR file is created, paste the contents into the GoDaddy creation form. It will take 5 to 10 minutes for the certificate creation to complete.
Download the certificate as a .zip file and save to your computer
Go to IIS 7 Manager again and choose Complete Certificate Request... It will ask you to browse to a *.cer file. Actually, you should use the *.* filter and browse to the *.crt file that was in your .zip file. Give it a friendly name like MyDomainSSL2015
Now that the certificate is created, highlight it and choose Export to export it to a .pfx file. At this point you will also give the exported file a password.
(The next few steps come from another MSDN post by William Bellamy, linked to in the other post I referenced) Log in to Windows Azure, go to Manage the service where you want to install the certificate, and choose Certificates tab
Click "Upload" at the bottom. It will ask you to browse to your .pfx file and enter the password that you created
Now that your certificate is uploaded to Azure, you still must specify that you want your Role to use it. This can be done in Visual Studio. So open your Visual Studio project
Right click on your role and choose Properties. Go to the Certificates tab
Click Add Certificate. A new line will be created in the grid. Make sure that LocalMachine is selected for the Store Location and CA for Store Name (though My seems to work too).
Click the ellipses in the Thumbprint column. This will show you a list of all your local certificates. Choose the one with the Friendly Name that you created earlier
Go to the Endpoints tab. For your HTTPS Endpoint, choose the SSL Certificate Name that you just added.
Publish your role
That's it. Again, the two blogs I referenced have some more detail and some screen shots, though some of the screen shots are outdated.