Install Server Certificate for IIS 6 or 5

Rumi, May 8, 2011

The following document is partly based on this Microsoft document: How to Import a Server Certificate for Use in Internet Information Services 5.0 (Q232137)

Add Certificates snap-in to MMC

1. Click Start, and then click Run.
2. Type "MMC.EXE" (without the quotation marks) and click OK.
3. Click Console in the new MMC you created, and then click Add/Remove Snap-in.
4. In the new window, click Add.
5. Highlight the Certificates snap-in, and then click Add.
6. Choose the Computer account option and click Next.
7. Select Local Computer on the next screen, and then click Finish.
8. Click Close, and then click OK.

You have now added the Certificates snap-in, which will allow you to work with any certificates in your computer's certificate store. You may want to save this MMC for later use.

Import server certificate to computer's certificate store

1. Expand the Certificates (Local Computer) snap-in tree and navigate to Personal, and then Certificates. Note: Certificates may not be listed. If it is not, that is because there are no certificates installed.
2. Right-click Certificates (or Personal if that option does not exist).
3. Choose All Tasks, and then click Import.
4. When the wizard starts, click Next. Browse to the *.p12 file you received from CUHK CA. This file contains your server certificate and private key. Click Next.
5. Enter the PKCS12 password of the *.p12 file. Note: Click here if you forgot the password. (Please login with your Computing ID. You can only review the server certificates you applied for yourself.) Be sure the "Mark the private key as exportable" option is selected if you want to be able to export the key pair again from this computer. As an added security measure, you may want to leave this option unchecked to ensure that no one can make a backup of your private key.
6. Click Next, and then choose the Certificate Store you want to save the certificate to. You should select Personal because it is a Web server certificate.
7. Click Next, then click Finish. You will now see the server certificate for your Web server, and 4 other CUHK CA certificates, in the list of Personal Certificates. The server certificate is denoted by the common name of the server (e.g. www.somedept.cuhk.edu.hk).
8. If you want to enable authentication with client certificate in your IIS, continue with the next step. Otherwise, you may skip to the next section.
9. Click this link: CUHK Root CA (2000). In the File Download dialog box, where you're asked if you would "like to open the file or save it to your computer", choose Open (or Open this file from its current location in IE).
10. A Certificate dialog box will be opened. Click Install Certificate …
11. Click Next, then choose "Place all certificates in the following store", then click Browse.
12. In the newly opened window, click the Show physical stores checkbox, then expand Trusted Root Certification Authorities from the tree above, and select Local Computer.
13. Click OK, Next, and Finish. Click OK twice to close all certificate import dialog boxes.

Configure IIS to enable SSL

Now that you have the certificate imported into the certificate store, you can enable Internet Information Services 5/6 to use that certificate (and the corresponding private key). To do this, perform the following steps.

1. Open the Internet Services Manager (under Administrative Tools) and navigate to the Web site you want to enable secure communications (SSL/TLS) on.
2. Right-click on the site (usually Default Web Site) and click Properties.
3. Click the Directory Security tab.
4. Under the Secure Communications section, click Server Certificate. This will start the Web Site Certificate Wizard. Click Next.
5. Choose the Assign an existing certificate option (or Replace the current certificate for renewal) and click Next.
6. You will now see a screen showing the contents of your computer's personal certificate store. Highlight your Web server certificate (denoted by the common name, e.g. www.dept.cuhk.edu.hk), and then click Next.
7. You will now see a summary screen showing you all the details about the certificate you are installing. Be sure that this information is correct or you may have problems using SSL or TLS in HTTP communications.
8. Click Next, and then click Finish to exit the wizard.
9. You will now be back at the Web Site Properties window. Click Edit…
10. Click Require secure channel (SSL) if you want to restrict users to accessing your site with https and no longer with http.
11. Click OK twice.

You should now be able to use a browser to connect to your web server via https.
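A scripted version of the final https check, given here as an added example that is not part of the original article: it compares the certificate the site presents with the expected common name and validity period. The function names, SAMPLE_CERT and its dates are constructed for illustration, and ca_file is assumed to be the issuing root CA certificate saved in PEM format.

```python
import socket
import ssl
import time

# Constructed sample in the shape returned by SSLSocket.getpeercert();
# the dates are invented, the name is the article's example common name.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.somedept.cuhk.edu.hk"),),),
    "notBefore": "May  8 00:00:00 2011 GMT",
    "notAfter": "May  8 00:00:00 2013 GMT",
}


def check_cert(cert, expected_cn, now=None, warn_days=30):
    """Return a list of problems with a getpeercert()-style dict."""
    now = time.time() if now is None else now
    problems = []
    # subject is a tuple of RDNs, each a tuple of (field, value) pairs.
    cns = [v.lower() for rdn in cert.get("subject", ())
           for (k, v) in rdn if k == "commonName"]
    if expected_cn.lower() not in cns:
        problems.append("common name %s does not match %s" % (cns, expected_cn))
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("certificate is not yet valid")
    elif now > not_after:
        problems.append("certificate has expired")
    elif not_after - now < warn_days * 86400:
        problems.append("certificate expires within %d days" % warn_days)
    return problems


def fetch_cert(host, ca_file, port=443, timeout=10):
    """Connect over https and return the server certificate, verified
    against ca_file (assumed: the issuing root CA saved as PEM)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False  # the name is compared in check_cert()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline run against the constructed sample, at a fixed time in 2012.
    print(check_cert(SAMPLE_CERT, "www.somedept.cuhk.edu.hk", now=1325376000))
```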