Saturday, April 7, 2018

Renewing a TLS Certificate for IIS HTTP and FTP

An existing TLS certificate for IIS may be renewed without generating a new certificate request: the issuer re-issues the certificate against the original public key. The example here uses GoDaddy as the issuer.

Part 1 - Install Intermediate Certificates

GoDaddy provides a zip file with the new certificate and one or more intermediaries. Extract the files and install the intermediaries using the Certificates snap-in for MMC. On some servers you can get there directly by searching for "Manage Computer Certificates." If that does not work, open the Microsoft Management Console (MMC) and add the snap-in:

  1. From the File menu choose Add/Remove Snap-in.
  2. In the dialog add Certificates on the left to the right-hand view.
  3. In the new dialog select "Computer Account" and click Next.
  4. Select "Local Computer" and click Finish.
  5. In the first dialog click OK.

To install the intermediaries (one at a time):

  1. Right click on "Intermediate Certification Authorities", select "All Tasks," and then "Import..."
  2. The first dialog should be fixed at "Local Machine," click Next.
  3. Browse and pick the intermediate certificate file, then click Next.
  4. Place the certificates in the "Intermediate Certification Authorities" store and click Next.
  5. Click Finish on the next dialog page.

Leave the Certificate Manager open; we will need it again in Part 3.

Part 2 - Install the TLS Certificate

The certificate is added in IIS by "completing" a certificate request:

  1. Open the IIS Manager.
  2. Click on the server.
  3. Click on "Server Certificates."
  4. On the task list at the right, choose "Complete Certificate Request."
  5. Pick the certificate file and enter the Friendly Name (the public domain name of the server), and click OK.

The certificate will NOT appear when you try to bind it to the HTTP or FTP site. Because no certificate request was generated on this server, IIS has not associated the new certificate with the existing private key; you must make that association first.

Part 3 - Bind the TLS Certificate to the Private Key

Back in the Certificate Manager we will bind the new certificate to the private key:

  1. Expand the "Personal" store in the tree on the left, and then the "Certificates" branch.
  2. Double-click the newly installed certificate and, in the dialog, open the "Details" tab to find the Serial number.
  3. Open a command prompt as an Administrator.
  4. Run the command "certutil -repairstore my serial_number" replacing serial_number with the certificate serial number (remove the spaces).
  5. If it does not work, the private key is not on this server. Either transfer the private key to this server, or start over by making a new certificate request and have your certificate re-issued.
  6. When done, close the command window and the Certificate Manager.
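
The state Parts 1 to 3 leave behind can be checked from an elevated PowerShell prompt. This is an added example, not from the original post; the DNS name is a placeholder and the store path assumes the certificate was imported into the machine's Personal store in Part 2.

```powershell
# Added example, not from the original post. Assumes the renewed certificate
# is already in Cert:\LocalMachine\My (Part 2); $dnsName is a placeholder.
$dnsName = 'www.example.com'

# Find the newest certificate for this name in the machine's Personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$dnsName*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) { throw "No certificate for $dnsName in LocalMachine\My" }

"Thumbprint : $($cert.Thumbprint)"
"Serial     : $($cert.SerialNumber)"   # already without spaces
"Expires    : $($cert.NotAfter)"
"Has key    : $($cert.HasPrivateKey)"

# IIS will not offer the certificate in a binding until it is linked to the
# private key from the original request. certutil -repairstore does that
# lookup by serial number, exactly as in Part 3.
if (-not $cert.HasPrivateKey) {
    certutil -repairstore my $cert.SerialNumber
    # Re-read the store entry; the cached object does not update itself.
    $cert = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"
    if (-not $cert.HasPrivateKey) {
        throw 'Private key is not on this server (see Part 3, step 5).'
    }
}

# Confirm the chain builds through the intermediates installed in Part 1.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # structure only, works offline
if ($chain.Build($cert)) {
    'Chain OK:'
    $chain.ChainElements | ForEach-Object { '  ' + $_.Certificate.Subject }
} else {
    'Chain problems:'
    $chain.ChainStatus | ForEach-Object { '  ' + $_.Status + ': ' + $_.StatusInformation }
}
```

A chain that fails to build here usually means an intermediate from the GoDaddy zip was not imported in Part 1, and clients will see the same failure.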

Part 4 - Bind the TLS Certificate to HTTP or FTP

For an FTP site:

  1. In the IIS Manager select the FTP site.
  2. Open FTP SSL Settings.
  3. Select the correct certificate.

For an HTTP site:

  1. Open the HTTP Web site.
  2. In the task list at the right select "Bindings..."
  3. Create the binding to the certificate using the URL and port required.
