There are two ways to obtain a server certificate. You can issue your own certificate, or you can obtain a certificate from a certification authority. The following procedures explain how you can implement certificates on your server. To learn more about certificates, see About Certificates.
Important It is important to safeguard the certificate and key pair; always back them up onto a disk and keep the disk in a secure place.
To issue your own server certificate
Consider the following issues when deciding whether to issue your own server certificates:
- Consider the features offered by the certificate service; Microsoft Certificate Services 2.0 accommodates different certificate formats and provides for auditing or logging of certificate-related activity.
- Compare the cost of issuing your own certificates against the cost of buying a certificate from a certification authority.
- Your organization may require an initial adjustment period to learn, implement, and integrate Certificate Services with existing security systems and policies.
- Use Certificate Services to create a customizable service for issuing and managing certificates. You can create server certificates for the Internet or for corporate intranets, giving your organization complete control over certificate management policies. For more information, see the Microsoft Certificate Services documentation.
- Use the Web Server Certificate Wizard to request and install your server certificate.
Notes
- Online requests for server certificates can only be made to Enterprise Certificate Services. The IIS Web Server Certificate Wizard will not recognize a stand-alone Certificate Services on the same computer. Use the offline certificate request to save the request to a file and then process it as an offline request (see the Certificate Services documentation). Online enrollment using a local Enterprise Certificate Services is not affected.
- If you open your SGC certificate, you might receive a notice on the General tab saying, "The certificate has failed to verify for all of its intended purposes." This notice is issued because of the way SGC certificates interact with Windows 2000 and does not necessarily indicate that the certificate does not work properly.
To obtain a server certificate from a certification authority
Note If you are replacing your current server certificate, IIS will continue to use the old certificate until the new request has been completed.
- Find a certification authority that provides services that meet your business needs and then request a server certificate.
Consider the following issues when choosing a certification authority:
- Will the certification authority be able to issue you a certificate that is compatible with all browsers used to access your server?
- Is the certification authority a recognized and trusted entity?
- How will the certification authority provide verification of your identity?
- Does the authority have a system for receiving online certificate requests, such as requests generated by the Web Server Certificate Wizard?
- How much will the certificate cost initially and for renewal or other services?
- Is the certification authority familiar with your organization or company's business interests?
For the latest list of certification authorities supporting Internet Information Services, visit the Microsoft Security Web site at http://backoffice.microsoft.com/securitypartners/. In the By Category list, select Certification Authority Services.
- Use the Web Server Certificate Wizard to create a certificate request, which you can send to the certification authority.
- Send the request to the certification authority. They will process the request and send you the certificate.
Note Some certification authorities require you to prove your identity before processing your request or issuing your certificate.
- Use the Web Server Certificate Wizard to install your certificate.
Note In the previous release of IIS, Key Manager was used to back up server certificates. In this release of IIS, the Web Server Certificate Wizard replaces Key Manager. Because IIS works closely with Windows, you can use the Certificate Manager tool to export and back up your server certificates.
To back up your server certificate
- Locate the correct certificate store. This is typically the Local Computer store in Certificate Manager.
Note If you do not have Certificate Manager installed in the MMC, you will need to install it.
- Select the certificate in the Personal store.
- Open the Action menu, point to All tasks, and click Export.
- In the Certificate Manager Export Wizard, select Yes, export the private key.
- Follow the wizard default settings, and enter a password for the certificate backup file when prompted.
Important Do not select Delete the private key if export is successful, because this will disable your current server certificate.
- Complete the wizard to export a backup copy of your server certificate.
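The export above produces a password-protected PKCS #12 file that holds the certificate together with its private key, and a backup is only useful if it can be opened and the two still match. The following script is an added example, not part of the original documentation: it assumes OpenSSL is available on the workstation where the backup is checked, and the function names, file names and passwords are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm that a certificate backup file is restorable.
# Assumption: OpenSSL is installed; all names and passwords below are constructed.

# Succeeds only if the PKCS #12 file opens with the password held in the
# environment variable named by $2, contains a private key, and that key
# matches the certificate stored beside it.
verify_pfx_backup() {
    pfx=$1 passvar=$2
    # Public key as recorded in the certificate inside the backup.
    cert_pub=$(openssl pkcs12 -in "$pfx" -passin "env:$passvar" -nokeys -clcerts 2>/dev/null |
               openssl x509 -noout -pubkey 2>/dev/null) || return 1
    # Public key derived from the private key; the key stays in the pipe
    # and is never written to disk in clear text.
    key_pub=$(openssl pkcs12 -in "$pfx" -passin "env:$passvar" -nocerts -nodes 2>/dev/null |
              openssl pkey -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Constructed sample input: a throwaway key, a self-signed certificate and a
# PKCS #12 file built from them, standing in for a real exported backup.
make_sample_pfx() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=www.example.test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -passout "env:SAMPLE_PFX_PASS" -out "$dir/backup.pfx" 2>/dev/null
}

# Passwords are passed through the environment so they do not appear in the
# process list. Both values are constructed.
SAMPLE_PFX_PASS='constructed-sample-password'
WRONG_PASS='not-the-password'
export SAMPLE_PFX_PASS WRONG_PASS

tmp=$(mktemp -d)
make_sample_pfx "$tmp"
if verify_pfx_backup "$tmp/backup.pfx" SAMPLE_PFX_PASS; then
    echo "backup opens and key matches certificate"
else
    echo "backup is NOT usable"
fi
rm -rf "$tmp"
```

Run the check against a copy of the backup before the media goes into storage, and again whenever the certificate is renewed and re-exported.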
To add Certificate Manager to the MMC
Note If you already have Certificate Manager installed in the MMC, it will point to the correct Local Computer certificate store.
- Open an MMC console and select Add/Remove Snap-in from the Console menu.
- Click Add.
- Select Certificate Manager.
- Click Add.
- Select the Computer account option.
- Select the Local Computer option.
- Click Finish.
© 1997-1999 Microsoft Corporation. All rights reserved.