Monday, April 20, 2015

How To Get a .PFX File That Can Be Installed on a Windows Website Host (IIS Server)

Here is the definitive guide for installing your third-party SSL certificate on an IIS (Microsoft) server, geared for the novice website admin.  Every step here involves working with Windows, clicking and copy-and-pasting -- no openssl command line stuff (whew)!  Every step here, on its own, will be very well documented elsewhere.  So, for example, if you need to find out how to create a Microsoft Azure VM, just google it.

When I started this process, all I knew was that I needed a .PFX file and all I was able to get from my certificate provider (Go Daddy) was a useless .CRT file.  You might be in the same boat.  If this is the case, you do in fact need a .PFX file, and that .CRT file isn't actually useless.  Here's what you need to do:

Step 0). Buy an SSL certificate if you haven't already.  I purchased a wildcard SSL through Go Daddy since they offered it at a steep discount at the time.  A wildcard SSL, if you don't already know, will secure any subdomain under your main domain.  So, for example, I need to secure "", "" and plain old "".  Also, the wildcard option comes in handy for testing purposes, so I can validate a new hosting account with a random sub-domain like this: before I upload the main event (no subdomain, or the main 'www' version) to that host.

1). Go to Azure and create a Windows Server 2012 VM.  Do a "Quick Create" and keep track of your username and password, because you will need them to log into the VM as well as for your .PFX file installation down the road.

2). After the VM is created, log in via Windows Remote Desktop.  The quickest way to do this is to select the VM in your Azure VM list, then click "Dashboard", then click "Connect" toward the bottom of the screen.  This will cause a file "thevmyoujustcreated.rdp" to be downloaded by your browser.  Opening this file will automatically start up a new Windows Remote Desktop session connected to your new VM.  You will need to manually enter the username and password you saved from Step 1.  If Windows warns you about connecting to the host, just click OK because you trust the host you're connecting to.

3). When you log into Windows Server 2012 for the first time, you will be given the option to find / connect to devices.  Click No.  Then the Server Manager will appear automatically.  Under "Configure this local server" click "Add Roles or Features."  Accept the defaults to add something to this server under the current user, etc.  Then, when you're given the option of actually choosing what to add, select "Web Server (IIS)".  All you really need is IIS Manager, and this should be selected by default if you just keep clicking "Next" and then finally "Install" to install IIS Manager.  This installation will probably take a few minutes to finish, so go get yourself another beer.

4). After the progress bar shows the installation is complete, click the Windows 8 style window at the bottom left of the screen, then search for "Internet Information Manager".  When it shows in the list, click it.  Navigate to the IIS Manager window.  Click your server name on the left.  If you get the message "Do you want to get started with Microsoft Web Platform ... " click No.  Now double click "Server Certificates."  On the right side of the window click "Create Certificate Request."  Now, be careful to enter the correct domain into the "Common Name" field.  This is the only field that really matters.  If you only purchased a single domain cert, then enter the single domain (i.e. "").  If you purchased a wildcard cert, then enter "*".  Make sure the spelling is correct.  Then use your best judgement for the rest of the fields.  If this is a business domain, enter your business information.  Otherwise enter your personal info (city, state and country are all you specify, nothing too specific).  Click Next.  Under "Cryptographic service provider:" select "Microsoft RSA SChannel Cryptographic Provider".  Under "Bit length:" select "2048".  Then save the text file as something obvious like "csr.txt" to your desktop.

5). Click the File Manager icon at the bottom of the screen, then open the CSR text file you just created.  It should be plain text with some dashes at the top and bottom and some random characters and numbers in between.  NOTE: This data is specific to the server where you created the request (the matching private key lives only on that VM), so you will need to keep this VM long enough to install the cert (a later step) and then get your .PFX file.  After that, you can delete the VM.

6). Navigate to your certificate provider and paste this CSR text wherever they tell you to.  As I mentioned earlier, I did this through Go Daddy.  In Go Daddy's SSL management interface, I was able to paste the text directly into a text box within their management interface for my wildcard cert, then click "Save and Update" to formally request that the cert be re-keyed using this CSR.  Go Daddy had my certificate re-keyed and ready to download in a few minutes.  You can either watch the screen or wait for the email.

7). (Go Daddy specific) Download the zip file containing the .CRT file.  You will only need the .CRT file.  Copy the .CRT file from your local machine to the VM desktop.  Now navigate to your IIS Manager again and, right next to where you clicked "Create Certificate Request", click "Complete Certificate Request."  Select the "*.*" file option, then open the .CRT file.  Then follow the default options to install the cert in your "personal" certificate store.

8). Under "Server Certificates" you will now see your new certificate listed.  Right-click your newly installed cert, then select the option to export.  I believe .PFX will be the output format by default.

9). Now, take your shiny new, solid gold .PFX file and install it wherever you please.  Also, you will need to remember the password you used to create your VM.  In my experience, as long as you have that .PFX file and password, then you can easily install your cert on any IIS server.
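For admins who would rather script steps 4 through 8 than click through IIS Manager, here is the same CSR -> CRT -> PFX round trip in PowerShell.  This is an added example, not code from the original post or from Go Daddy/Microsoft; it uses the built-in certreq.exe and the PKI module cmdlets (Export-PfxCertificate, Get-PfxData, Import-PfxCertificate).  The domain *.example.com, the organisation fields, the working folder C:\certwork and the file names are placeholders you would replace with your own.  The PFX password is whatever you type at the prompt; it is the password you will need again when importing the .PFX on the real host.

```powershell
# Added example (not from the original post): CSR -> signed CRT -> PFX on the
# Windows Server VM, scripted instead of clicked. Run in an elevated PowerShell.
# Placeholders (not from the post): *.example.com, C:\certwork, the O/L/S/C values.

$work    = 'C:\certwork'
$subject = 'CN=*.example.com, O=Example Org, L=City, S=State, C=US'  # placeholder subject
$pfxPass = Read-Host -Prompt 'PFX export password' -AsSecureString    # chosen here; needed at import

New-Item -ItemType Directory -Path $work -Force | Out-Null

# --- Step 4 equivalent: create the request. The private key is generated into
# the machine store on THIS server, which is why the post says to keep the VM
# until the CRT comes back. Exportable = TRUE is required, otherwise the PFX
# export at the end fails with a "key not valid for use in specified state" error.
@"
[NewRequest]
Subject = "$subject"
KeyAlgorithm = RSA
KeyLength = 2048
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
HashAlgorithm = SHA256
MachineKeySet = TRUE
Exportable = TRUE
RequestType = PKCS10
KeyUsage = 0xA0
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@ | Set-Content -Path "$work\request.inf" -Encoding ASCII

certreq.exe -new "$work\request.inf" "$work\csr.txt"
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed' }
Write-Host "Paste the contents of $work\csr.txt into the CA's re-key form (step 6)."

# --- Step 7 equivalent: once the CA returns the signed cert, save it as
# $work\signed.crt and accept it. certreq matches it to the pending request by
# public key and binds the stored private key to it.
$crt = "$work\signed.crt"
if (-not (Test-Path $crt)) { throw "Put the CA-issued certificate at $crt, then rerun from here." }
certreq.exe -accept $crt
if ($LASTEXITCODE -ne 0) { throw 'certreq -accept failed (is this the CRT issued for this CSR?)' }

# Sanity check before exporting: the installed cert must carry the private key.
# A cert without HasPrivateKey is the "useless .CRT" situation from the post;
# exporting it would give a PFX that IIS cannot bind to a site.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like 'CN=*.example.com*' -and $_.HasPrivateKey } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw 'No certificate with a private key found for the requested subject.' }
Write-Host "Thumbprint: $($cert.Thumbprint)  Expires: $($cert.NotAfter)"

# --- Step 8 equivalent: export as PFX, including the intermediate chain.
$pfx = "$work\wildcard.pfx"
Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $pfxPass -ChainOption BuildChain | Out-Null

# Verify the file before copying it to the real host: it must open with the
# password and contain the private key. Get-PfxData only reads the file.
$data = Get-PfxData -FilePath $pfx -Password $pfxPass
if (-not $data.EndEntityCertificates[0].HasPrivateKey) { throw 'PFX does not contain the private key.' }
Write-Host "PFX ready: $pfx  (keep the password; every host you import into will ask for it)"

# --- Step 9 equivalent, run on the target IIS server, not on this VM:
#   Import-PfxCertificate -FilePath .\wildcard.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPass
```

The script stops between the `-new` and `-accept` halves because the CA round trip is manual; rerun it after dropping the signed .CRT into the working folder.  The HasPrivateKey check is the one thing worth keeping even if you stick with the GUI: if "Complete Certificate Request" was run on a different machine than "Create Certificate Request", the cert installs fine but has no key, and the exported .PFX is exactly as useless as the bare .CRT.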

10).  Get yourself another beer, you deserve it!

Also, don't forget to delete your VM.  Even if this process took a full day, you shouldn't be charged more than a buck or two.

Did I miss anything?  Please let me know if there's anything here that needs further explanation.
