SSL Certificate
Create SSL Certificate Request (CSR)
Complete Certificate Request
Applying a Certificate When on AWS
Missing CA Intermediate Certificate

Create SSL Certificate Request (CSR)

  • In IIS on the web server, open Server Certificates and click Create Certificate Request. You will need the following information:
  • Note: The following characters are not accepted when entering information: < > ~ ! @ # $ % ^ * / \ ( ) ? &

Common name: The fully-qualified domain name (FQDN) (e.g., www.example.com). This must match exactly what you type in your web browser or you will receive a name mismatch error. An SSL certificate issued for www.coolexample.com is not valid for secure.coolexample.com. If you want your SSL to cover secure.coolexample.com, make sure the common name submitted in the CSR is secure.coolexample.com. If you are requesting a wildcard certificate, add an asterisk (*) on the left side of the Common Name (e.g., *.coolexample.com or *.secure.coolexample.com). The wildcard allows it to be used with multiple subdomains of a domain (payment.example.com, contact.example.com, login-secure.example.com, etc.)

Organization: Your company’s legally registered name (e.g., YourCompany, Inc.).

Organizational unit: The name of your department within the organization. This entry will usually be listed as "IT", "Web Security", or is simply left blank.

City/locality: The city where your company is legally located. Do not abbreviate.

State/province: The state/province where your company is legally located. Do not abbreviate.

Country/region: The two-letter ISO code for the country/region where your company is legally located. Use the drop-down list to select your country.

  • On the Cryptographic Service Provider Properties page, provide the information specified below and then click Next.
  • Cryptographic service provider: In the drop-down list, select Microsoft RSA SChannel Cryptographic Provider (unless you have a specific cryptographic provider).
  • Bit length: In the drop-down list, select 2048 (unless you have a specific reason for using a larger bit length).
  • On the File Name page, under Specify a file name for the certificate request, click the ... button to specify a save location for your CSR. Note: Remember the filename and save location of your CSR file. If you enter a filename without specifying a location, your CSR will be saved to C:\Windows\System32.
  • When you are done, click Finish.
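The fields and constraints above, as an added example that is not part of this page or of EASYProcess: a small shell script that rejects the characters the IIS dialog will not accept, assembles the OpenSSL subject string for the same six fields, and can generate the same kind of 2048-bit RSA request from the command line (function names and all sample values are constructed):

```shell
#!/bin/sh
# Added example, not part of the EASYProcess page: checks the CSR fields
# listed above against the characters the IIS wizard rejects, builds the
# equivalent OpenSSL subject and, optionally, generates the same kind of
# request from the command line. Every field value used is a constructed sample.

# check_field NAME VALUE: fail if VALUE contains a character the IIS
# "Create Certificate Request" dialog does not accept. Assumption: the
# leading "*." of a wildcard common name is allowed; any other '*' is not.
check_field() {
    name=$1; value=$2
    [ "$name" = "CN" ] && value=${value#\*.}
    if printf '%s' "$value" | grep -q '[<>~!@#$%^*/()?&\\]'; then
        echo "$name: '$2' contains a character IIS will not accept" >&2
        return 1
    fi
    return 0
}

# build_subject CN O OU L ST C: prints the OpenSSL -subj string for the six
# fields above. OU is omitted when left blank; C must be a two-letter code.
build_subject() {
    cn=$1; o=$2; ou=$3; l=$4; st=$5; c=$6
    check_field CN "$cn" && check_field O "$o" && check_field OU "$ou" &&
        check_field L "$l" && check_field ST "$st" || return 1
    case $c in
        [A-Za-z][A-Za-z]) ;;
        *) echo "C: '$c' is not a two-letter ISO country code" >&2; return 1 ;;
    esac
    [ -n "$ou" ] && ou="/OU=$ou"
    printf '/C=%s/ST=%s/L=%s/O=%s%s/CN=%s\n' "$c" "$st" "$l" "$o" "$ou" "$cn"
}

# make_csr CN O OU L ST C KEYFILE CSRFILE: 2048-bit RSA key and CSR, the
# command-line counterpart of the "Microsoft RSA SChannel / 2048" choice.
# The CN is repeated in subjectAltName because browsers match the name
# against the SAN, not the CN. Needs OpenSSL 1.1.1 or later (-addext).
make_csr() {
    subj=$(build_subject "$1" "$2" "$3" "$4" "$5" "$6") || return 1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$7" -out "$8" \
        -subj "$subj" -addext "subjectAltName=DNS:$1"
}
```

A request made this way leaves the private key in KEYFILE rather than in the Windows certificate store, so the issued certificate cannot be installed with Complete Certificate Request; bundle it with the key into a .pfx (openssl pkcs12 -export) and import that instead.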


Complete Certificate Request

  • In IIS on the web server, open Server Certificates and click Complete Certificate Request in the Actions panel on the right.
  • To locate your certificate file, click .... In the Open window, select *.* as your file name extension, select your certificate (it might be saved as a .txt, .cer, or .crt), and then click Open.
  • In the Complete Certificate Request window, enter a Friendly name for the certificate file.
  • For the certificate store for the new certificate, there are two options: Personal and Web Hosting. The two stores work the same way; the only difference is that the Web Hosting store is designed to scale to a higher number of certificates. For lightweight scenarios (fewer than 20-30 certificates) you can use either store. You can also look at the previous certificate and scroll to the right to see which store was used before; it is likely Personal.
  • Once complete, view the certificate to confirm there are no errors in the general certificate information. Click the Certification Path tab and select each entry in the path to check its Certificate Status and confirm there are no errors there either.

Change the Site Binding

  • Go to the default website under Sites in the left hand side of IIS. Click Bindings... from the Actions panel on the right.
  • There are three values that can be used in a site binding: IP Address, Port and Host Name. In the default website you see that the only values specified are the Port and IP Address. The default site is bound to port 80 on any IP address that does not have another binding. This gives you a "fallback" website for all requests that come to your server on port 80 and do not match any other site bindings.
  • IMPORTANT: When setting up site bindings on your Dedicated or Cloud server, all site bindings must be unique. The combination of IP address, port and host name must be different from all other site bindings on your server. If you already have a binding to the site you are adding a certificate to, just edit the existing one and change the selected certificate.
  • Click Add... In the Add Site Binding Window:
  • For Type, select https
  • For IP address, select All Unassigned, or the IP address of the site.
  • For Port, type 443.
  • For Host Name, type your website host name.
  • For SSL Certificate, select the SSL certificate you just installed, and then click OK.

Change the Web.config File

When in the AWS Cloud

  • Install the URL Rewrite module (the download depends on your IIS version)
  • Put this in Web.config under the <system.webServer> element

<rewrite>
    <rules>
        <rule name="Redirect to HTTPS" enabled="true" stopProcessing="true">
            <!-- every request except ep_ping.aspx -->
            <match url="ep_ping.aspx" negate="true" />
            <conditions>
                <!-- TLS ends at the load balancer, so the original scheme is read from X-Forwarded-Proto -->
                <add input="{HEADER_X-Forwarded-Proto}" pattern="https" negate="true" />
                <!-- never redirect local requests -->
                <add input="{REMOTE_HOST}" pattern="localhost" negate="true" />
                <add input="{REMOTE_ADDR}" pattern="127.0.0.1" negate="true" />
                <add input="{HTTP_HOST}" pattern="localhost" negate="true" />
            </conditions>
            <!-- REQUEST_URI already includes the query string, so it is not appended a second time -->
            <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" redirectType="Permanent" />
        </rule>
    </rules>
</rewrite>

When not in the AWS Cloud

  • Install the URL Rewrite module (the download depends on your IIS version)
  • Put this in Web.config under the <system.webServer> element

<rewrite>
    <rules>
        <rule name="HTTP to HTTPS" stopProcessing="true">
            <match url=".*" />
            <conditions>
                <!-- {HTTPS} is ON only when IIS itself terminated TLS -->
                <add input="{HTTPS}" pattern="OFF" />
            </conditions>
            <action type="Redirect" url="https://www.[YourSite].com/{R:0}" redirectType="Permanent" />
        </rule>
    </rules>
</rewrite>

  • Replace [YourSite] in the url attribute with your site's domain name.


Applying a Certificate When on AWS

Additional steps are required in the AWS console before the certificate is used. Without this step, the site will continue to use the KRise cloud cert even though all the steps above were followed correctly.

How to Resolve

  • After completing the request in IIS, you will need to export your private key.
  • Go to Run and type mmc.exe.
  • Go to File -> Add/Remove Snap-in. Add Certificates -> Computer Account -> Local Computer -> OK.
  • Go to Certificates -> Personal -> Certificates.
  • Right-click your certificate and choose All Tasks -> Export -> Next -> Yes, export the private key -> Next -> type in a password you'll remember -> save it to the C:\ drive with an easy-to-type filename -> Finish.
  • Open a CMD prompt -> cd C:\Program Files\OpenSSL-Win64\bin -> openssl
  • At the OpenSSL prompt, type: pkcs12 -in C:\<EASY TO TYPE FILENAME>.pfx -out C:\<WHATEVER YOU WANT>.pem
  • If that command produces a private key that the AWS console reports as invalid, redo this step and add -nodes to the end, so it looks like this: pkcs12 -in C:\<EASY TO TYPE FILENAME>.pfx -out C:\<WHATEVER YOU WANT>.pem -nodes
  • Type in the password you set and press Enter, then enter a PEM pass phrase of at least 4 characters and verify it. You should then find your output .pem file on the C: drive; open it in Notepad and you should see a private key and some certificates.
  • Go to the AWS Console and open Certificate Manager -> Import a Certificate.
  • In Certificate Body, paste the first block from your PEM, from "Begin Certificate" all the way to "End Certificate". If there are more Begin and End Certificate blocks below it, put those in the Certificate Chain: copy from the first of those Begin Certificate lines all the way to the last End Certificate, including everything in between. For Certificate Private Key, copy from Begin Encrypted Private Key to End Encrypted Private Key. You should then be able to Review and Import, then click Import.
  • Next, go to EC2 in AWS and scroll down to Load Balancers. Select Web-ALB-00-v00. Go to the Listeners tab and, under HTTPS:443, click View/edit certificates. Click the + icon at the top; here you should see the certificate we just imported. Check it and click Add.
  • Go back to Certificate Manager and, after a while, you should see your newly imported certificate marked as "In Use: Yes". You should be good to go. You may need to close and reopen your browser if you got a bad SSL message at any point before completing this setup for your website.


Missing Certificate Authority (CA) Intermediate Certificate

Issue: “Windows does not have enough information to verify this certificate”

If, after completing the Certificate Request, a CA Intermediate Certificate is missing, the site will not show as secure. Clicking 'View Certificate' on the page shows the error: "Windows does not have enough information to verify this certificate". To resolve this, the required Intermediate Certificate must be found and installed as well.

How it Works

A certificate authority (CA) is a trusted entity that issues digital certificates.

An intermediate certificate is a subordinate certificate issued by the trusted root specifically to issue end-entity server certificates. The result is a certificate chain that begins at the trusted root CA, passes through the intermediate and ends with the SSL certificate issued to you.

In other words, the intermediate certificate, or certificates, sit between your site (server) certificate and a root certificate and complete the chain to a root the browser trusts. When an intermediate is missing, the certificate that digitally signed your server certificate is not known to the OS, so the chain cannot be built to a trusted root and the server certificate is not trusted.

How to Resolve

  • Click 'View Certificate' and go to Certification Path. If there is a tree, one of the nodes will say "The issuer of this certificate could not be found."
  • Click the Details tab and select the Issuer field. Here you can see the details of the issuer. If you check the certificate stores you will see there is no corresponding certificate for this issuer, so the certificate cannot be trusted. You will need to download the root certificates.
  • You can either get them from the client or check whether the issuer has a support document or page that lets you download them.
  • Once you have them, follow these steps to install the certificate:
  • Open Microsoft Management Console (Start --> Run --> mmc.exe).
  • Choose File --> Add/Remove Snap-in.
  • In the Standalone tab, choose Add.
  • Choose the Certificates snap-in, and click Add.
  • In the wizard, choose Computer Account, and then choose Local Computer. Press Finish to end the wizard.
  • Close the Add/Remove Snap-in dialog.
  • Navigate to Certificates (Local Computer).
  • Choose a store to import into:
  • If you have the Root CA certificate for the company that issued the certificate, choose Trusted Root Certification Authorities.
  • If you have the certificate for the server itself, choose Other People.
  • Right-click the store and choose All Tasks --> Import.
  • Follow the wizard and provide the certificate file you have.
  • Return to the SSL certificate in IIS and view the certificate. The error should no longer appear.
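As an added example that is not part of this page or of EASYProcess, the following shell script covers two of the procedures above: the -nodes export from the AWS section and the copy of certificate body, chain and private key into the ACM import form, together with the check for a missing intermediate from this section. It assumes OpenSSL for pfx_to_pem and verify_chain; the split itself needs only awk and grep, and the sample bundle is constructed.

```shell
#!/bin/sh
# Added example, not part of the EASYProcess page: the -nodes conversion
# from the AWS steps, then a text split of the resulting PEM into the three
# pieces the ACM import form asks for (body, chain, private key), checking
# the two failures this page describes: a still-encrypted key and a bundle
# with no intermediate certificate. The sample bundle below is constructed.

# pfx_to_pem IN.pfx OUT.pem: the export with -nodes, so the key is not an
# ENCRYPTED PRIVATE KEY block, which the ACM console rejects. Needs OpenSSL.
pfx_to_pem() { openssl pkcs12 -in "$1" -out "$2" -nodes; }

# split_pem IN.pem OUTDIR: body.pem = first certificate, chain.pem = every
# later certificate, key.pem = the private key. Prints the chain length.
split_pem() {
    mkdir -p "$2"
    : > "$2/body.pem"; : > "$2/chain.pem"; : > "$2/key.pem"
    awk -v dir="$2" '
        { sub(/\r$/, "") }   # tolerate CRLF line endings from Windows
        /^-----BEGIN CERTIFICATE-----$/ { n++; out = dir (n == 1 ? "/body.pem" : "/chain.pem") }
        /^-----BEGIN .*PRIVATE KEY-----$/ { out = dir "/key.pem" }
        out != "" { print >> out }
        /^-----END / { close(out); out = "" }
    ' "$1"
    if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----$' "$2/key.pem"; then
        echo "key is still encrypted: redo the openssl step with -nodes" >&2
        return 1
    fi
    [ -s "$2/body.pem" ] && [ -s "$2/key.pem" ] ||
        { echo "bundle has no certificate or no private key" >&2; return 1; }
    chain=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$2/chain.pem" || true)
    [ "$chain" -gt 0 ] ||
        echo "no intermediate in the bundle: the chain cannot reach a trusted root" >&2
    echo "$chain"
}

# verify_chain OUTDIR: command-line form of the Certification Path check;
# fails when body.pem cannot be linked through chain.pem to a root in the
# local trust store. Needs OpenSSL.
verify_chain() { openssl verify -untrusted "$1/chain.pem" "$1/body.pem"; }

# write_sample_pem FILE: a constructed stand-in for pkcs12 -nodes output
# (leaf, one intermediate, unencrypted key); the base64 bodies are fake.
write_sample_pem() {
    printf '%s\n' \
        '-----BEGIN CERTIFICATE-----' 'LEAFCERTDATA==' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'INTERMEDIATEDATA==' '-----END CERTIFICATE-----' \
        '-----BEGIN PRIVATE KEY-----' 'KEYDATA==' '-----END PRIVATE KEY-----' > "$1"
}
```

If split_pem reports a chain length of 0, the PEM holds only the server certificate; obtain the intermediate from the issuer as described above and paste it into Certificate Chain on its own.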


Powered by EASYProcess (© 2019 K-Rise Systems, Inc).