Use IIS 10 to create a CSR and install your new SSL certificate on your Windows Server 2016

If you are looking for a simpler way to renew your SSL Certificates, see Microsoft IIS 10: Renew Your Expiring SSL Certificate (DigiCert Certificate Utility).

These instructions explain how to use IIS 10 to create your CSR, use your DigiCert account to renew your SSL certificate, and then use IIS 10 to install your certificate and to configure your Windows Server 2016 to use the new certificate.

Process for Renewing Your SSL Certificate:

  1. Use IIS 10 to create your CSR.

    How to Create Your CSR with IIS 10

  2. Renew your SSL certificate from your DigiCert account.

    How to Renew Your SSL Certificate

  3. Use IIS 10 to install your new SSL certificate on your Windows Server 2016 and then configure the server to use it.

    How to Use IIS 10 to Install and Assign your New SSL Certificate

 

I. How to Create Your CSR with IIS 10

Best practices are to generate a new certificate signing request (CSR) when renewing your SSL certificate.

  1. On the Windows Server 2016 with the expiring certificate, open Internet Information Services (IIS) Manager.

    In the Windows start menu, type Internet Information Services (IIS) Manager and open it.

  2. In Internet Information Services (IIS) Manager, in the Connections menu tree (left pane), locate and click the server name.


  3. On the server name Home page (center pane), in the IIS section, double-click Server Certificates.

  4. On the Server Certificates page (center pane), in the Actions menu (right pane), click the Create Certificate Request… link.


  5. In the Request Certificate wizard, on the Distinguished Name Properties page, provide the information specified below and then click Next:

    Common name: Type the fully-qualified domain name (FQDN) (e.g., www.example.com).
     
    Organization: Type your company’s legally registered name (e.g., YourCompany, Inc.).
     
    Organizational unit: The name of your department within the organization. Frequently this entry will be listed as IT, Web Security, or is simply left blank.
     
    City/locality: Type the city where your company is legally located.
     
    State/province: Type the state/province where your company is legally located.
     
    Country: In the drop-down list, select the country where your company is legally located.


  6. On the Cryptographic Service Provider Properties page, provide the information below and then click Next.

    Cryptographic service provider: In the drop-down list, select Microsoft RSA SChannel Cryptographic Provider, unless you have a specific cryptographic provider.
     
    Bit length: In the drop-down list, select 2048, unless you have a specific reason for opting for a larger bit length.


  7. On the File Name page, under Specify a file name for the certificate request, click the … box to browse to a location where you want to save your CSR.

    Note: Remember the filename that you choose and the location to which you save your csr.txt file. If you just enter a filename without browsing to a location, your CSR will end up in C:\Windows\System32.


  8. When you are done, click Finish.
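
The request built in the wizard above can also be scripted with certreq.exe, using the same provider and bit length. This is an added example, not part of the original instructions; the folder, file names and subject values are placeholders, and it assumes an elevated PowerShell session on the IIS server.

```powershell
# Added example: create the section I CSR with certreq.exe instead of the IIS wizard.
# Assumptions: elevated session; C:\certs and all subject values are placeholders.
$workDir = 'C:\certs'                       # explicit folder, so the CSR does not land in System32
$infPath = Join-Path $workDir 'request.inf'
$csrPath = Join-Path $workDir 'csr.txt'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Single-quoted here-string so PowerShell does not expand "$Windows NT$".
@'
[Version]
Signature = "$Windows NT$"

[NewRequest]
; Distinguished Name Properties (placeholder values)
Subject = "CN=www.example.com, O=Example Company, L=Example City, S=Example State, C=US"
; Cryptographic Service Provider Properties, matching the wizard choices
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
KeyLength = 2048
KeySpec = 1
; Store the key pair in the machine store so IIS can use it
MachineKeySet = TRUE
; FALSE blocks PFX export of the private key; use TRUE only if the key must be copied to other servers
Exportable = FALSE
RequestType = PKCS10
HashAlgorithm = sha256
'@ | Set-Content -Path $infPath -Encoding ASCII

certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# The file to upload must carry both armor lines, or the CSR box will reject it.
$lines = Get-Content -Path $csrPath
foreach ($tag in '-----BEGIN NEW CERTIFICATE REQUEST-----', '-----END NEW CERTIFICATE REQUEST-----') {
    if ($lines -notcontains $tag) { throw "Missing line in ${csrPath}: $tag" }
}

# Decode the request for review (subject, key length, signature algorithm) before submitting it.
certutil.exe -dump $csrPath
```

Only csr.txt is submitted; the private key stays in the machine key store on the server that ran the command, which is why the certificate is later installed on that same server.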

 

II. How to Renew Your SSL Certificate

Renew your SSL certificate from inside your DigiCert CertCentral account.

Are you new to the DigiCert team? You can "replace" your certificate with a DigiCert certificate. Order your new certificate here - Purchase Your DigiCert Certificate.

  1. Log into your CertCentral account.

  2. In CertCentral, in the left main menu, click Certificates > Expiring Certificates.

  3. On the Expiring Certificates page, next to the certificate you want to renew, click Renew Now.

    A certificate doesn't appear on the Expiring Certificates page until 90 days before it expires.

  4. Follow the instructions provided inside your account to renew your SSL certificate.

  5. Add your CSR

    When renewing the certificate, you'll need to include a CSR. On the "Renewal" page, under Certificate Settings, upload the CSR file you saved to the server.

    You can also use a text editor (such as Notepad) to open the file. Then, copy the text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, and paste it in the Add Your CSR box.

  6. After you place the order to renew your certificate, DigiCert verifies your information.

  7. If we need any additional information, we will promptly contact you by phone or email. If no additional information is required, we will most likely issue your certificate within an hour.

 

III. How to Use IIS 10 to Install and Assign your New SSL Certificate

    Install Your SSL Certificate

  1. On the Windows Server 2016 where you created the CSR, save the SSL certificate .cer file (e.g., your_domain_com.cer).

  2. Open Internet Information Services (IIS) Manager.

    In the Windows start menu, type Internet Information Services (IIS) Manager and open it.

  3. In Internet Information Services (IIS) Manager, in the Connections menu tree (left pane), locate and click the server name.


  4. On the server name Home page (center pane), in the IIS section, double-click Server Certificates.

  5. On the Server Certificates page (center pane), in the Actions menu (right pane), click the Complete Certificate Request… link.


  6. In the Complete Certificate Request wizard, on the Specify Certificate Authority Response page, do the following and then click OK:

    File name containing the certificate authority's response: Click the … box and browse to and select the .cer file (e.g., your_domain_com.cer) that DigiCert sent to you.
     
    Friendly name: Type a friendly name for the certificate. The friendly name is not part of the certificate; instead, it is used to identify the certificate.
    We recommend that you add DigiCert and the expiration date to the end of your friendly name, for example: yoursite-digicert-(expiration date).
    This information helps identify the issuer and expiration date for each certificate. It also helps distinguish multiple certificates with the same domain name.
     
    Select a certificate store for the new certificate: In the drop-down list, select Web Hosting.


  7. Now that you've successfully installed your SSL certificate, you need to assign the certificate to the appropriate site.

  8. Assign the SSL Certificate

    In Internet Information Services (IIS) Manager, in the Connections menu tree (left pane), expand the name of the server on which the certificate was installed. Then expand Sites and click the site you want to use the SSL certificate to secure.


  9. On the website Home page, in the Actions menu (right pane), under Edit Site, click the Bindings… link.

  10. In the Site Bindings window, select the binding for https and then click Edit.


  11. In the Edit Site Binding window, in the SSL certificate drop-down list, select your newly installed SSL Certificate by its friendly name and then click OK.


  12. Your new SSL Certificate is now installed to the website.
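
A local check of the install and assign steps above, useful before testing from outside. This is an added example, not part of the original instructions; the friendly name is a placeholder, and it assumes an elevated PowerShell session with the WebAdministration module that ships with the IIS management tools.

```powershell
# Added example: verify the certificate installed in section III and the https bindings.
# Assumptions: elevated session on the IIS server; $friendlyName is a placeholder.
Import-Module WebAdministration

$friendlyName = 'yoursite-digicert-(expiration date)'   # the friendly name typed in step 6

# Step 6 placed the certificate in the Web Hosting store (Cert:\LocalMachine\WebHosting).
$cert = Get-ChildItem -Path Cert:\LocalMachine\WebHosting |
    Where-Object { $_.FriendlyName -eq $friendlyName }

if (-not $cert) {
    throw "No certificate with friendly name '$friendlyName' in the Web Hosting store."
}
if (@($cert).Count -gt 1) {
    throw "More than one certificate uses the friendly name '$friendlyName'; make the names unique."
}

# The private key exists only on the server that created the CSR. Without it,
# the certificate cannot serve TLS even though it appears in the store.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key on this server."
}

$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
"Installed: $($cert.Subject)"
"Thumbprint: $($cert.Thumbprint)  Expires: $($cert.NotAfter)  ($daysLeft days left)"

# Every https binding should now reference the new thumbprint; a binding that
# still points at the expiring certificate was missed in steps 9 to 11.
foreach ($binding in Get-WebBinding -Protocol https) {
    $state = if ($binding.certificateHash -eq $cert.Thumbprint) {
        'uses the new certificate'
    } else {
        'uses a DIFFERENT certificate'
    }
    '{0}  store={1}  {2}' -f $binding.bindingInformation, $binding.certificateStoreName, $state
}
```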

Test Your Installation

If your website is publicly accessible, you can use our DigiCert® SSL Installation Diagnostics Tool to verify that the installation is correct. On the DigiCert® SSL Installation Diagnostics Tool page, enter the DNS name of the site (e.g., www.yourdomain.com) that you are securing to test your SSL certificate.

Troubleshooting

After you've installed the certificate onto the Windows server, if you run into certificate errors, try repairing your certificate trust errors using DigiCert® Certificate Utility for Windows. If this does not fix the errors, contact support.