Ask a Question

Advanced Search

Solution ID : SO22015

Last Modified : 05/02/2018

Managed PKI for SSL- Installation Instructions for Microsoft IIS 7.0 and 7.5

Solution

This document provides installation instructions for Microsoft IIS 7 and 7.5. If you are unable to use these instructions for a Microsoft server, Symantec recommends contacting Microsoft.
 
This solution contains two Methods to install a Certificate:

Method 1: Installing the certificate received via e-mail.

Method 2: Installing the certificate downloaded from Managed PKI for SSL subscriber service page.
  

Method 1: Download and Install the certificate sent via e-mail

Step 1: Obtain the certificate sent via email:

  1. Once the Managed PKI for SSL administrator has approved the Certificate request, you will receive an email with the Certificate attached (cert.cer), as well as in the body of the email itself.
  2. Copy the certificate and make sure to copy the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- header and footer.  Ensure there are no white spaces, extra line breaks or additional characters.
  3. Use a plain text editor such as Notepad to paste the content of the certificate and save it with extension .txt.
    Note: If Microsoft IIS  was selected during enrollment, continue with the installation from here.       
  4. If unsure of which server software was selected during the enrollment, proceed with Step 2 below.
  
Step 2: Download and Install the Intermediate CAs:
 
  1. To download and install the Intermediate CAs, follow the steps from this link.

Step 3: Install the certificate:
 
  1. Click here to proceed with installation steps.
 
 
Method 2: Download and Install the certificate in PKCS#7 format

Step 1: Download the certificate from Managed PKI for SSL subscriber services page:
  1. Download the certificate from Managed PKI for SSL subscriber services page by following the steps from this link
  2. Make sure to download the certificate in PKCS#7 format and save it with the extension .txt or .p7b.
 
Step 2: Install the certificate:           
  1. Click Start > Administrative Tools > Internet Information Services (IIS) Manager.
  2. From the left menu, click the corresponding server name.
  3. In the Features pane (middle pane), under Security, double-click Server Certificates.
  4. From the Actions pane (right pane), select Complete Certificate Request.
  5. Provide the location of the certificate file and the friendly name.
    Note: Friendly name is a reference name for quick identification of the certificate for the Administrator.

    Note: Wildcard certificate, should have a wildcard friendly name. Example: *.symantec.com.

    IIS 7.X  will not allow a SSL host header unless the friendly name starts with * when the certificate is bound to a site.

    At this point the server may respond with one of the two known errors:

    CertEnroll::CX509Enrollment::p_InstallResponse:ASN1 bad tag value met. 0x8009310b (ASN: 267) 
    Click here for the resolution to this message.

    or

    Cannot find the certificate request associated with this certificate file. 
    A certificate request must be completed on the computer where it was created.

    Click here for the resolution to this message.
     

 In IIS 7.0 and 7.5, any new certificate needs to be bound to the HTTPS protocol of the site.


Step 3: Binding certificate to the web site:

  1. Click Start > Administrative Tools > Internet Information Services (IIS) Manager.
  2. Browse to the server name > Sites > SSL-based site.
  3. In the Actions pane, click Bindings.


     
  4. In the Site Bindings window, if there is no existing https binding, choose Add and change Type from HTTP to HTTPS.
    Note: If there is an existing https binding, select it and click Edit.


     
  5. From the SSL Certificate drop down, select the Friendly Name for the certificate that will be used for this site.


     
  6. Click OK.


Step 4:  Verify certificate installation:

  1. To verify the certificate installation, use the Symantec Installation Checker
  2. In some cases you may need to Stop and Start the Web server prior to any testing.
    Note: In some cases the changes may not take place after restarting IIS Services and a re-boot is needed.


Additional Notes:

         If an IP address is not specified when installing the certificate, the same ID will be used for all virtual servers created on the system.
 
         If a server is hosting multiple sites, you can specify that the ID only be used for a particular server IP address.

Microsoft Support
 
        For more information, contact Microsoft.