First published by Kurt L Hudson MSFT, 19 Jul 2012 1:57 PM. Last revision by Ken Cenerelli (MVP, Microsoft Community Contributor), 5 Sep 2015 12:09 PM.
Configure SSL/TLS on a Web Site in the Domain with an Enterprise CA
There are many web (HTTP) services that require Secure Sockets Layer (SSL) / Transport Layer Security (TLS). If you have a Windows Server-based Enterprise Certification Authority (CA), you can use the following instructions to get an SSL certificate configured for an Internet Information Services (IIS) web server on your domain.
Table of Contents
Configure an appropriate certificate template for SSL certificate
Obtain a certificate for IIS using the certificate template
Configure HTTPS on the Default Web Site
Additional Resources
Configure an appropriate certificate template for SSL certificate
1. Connect to the Enterprise CA with the appropriate credentials and open the Certification Authority console.
2. Expand the certification authority so that you can see Certificate Templates.
3. Right-click Certificate Templates and then click Manage. If you don't see these options, then run the following command: certtmpl.msc to open the Certificate Templates console.
4. In the details pane of the Certificate Templates console, right-click the Web Server template and then click Duplicate Template. If you are prompted to select a template version, select 2003 and then click OK.
5. In the General tab, under Template display name, type a name that you want to use for the template. For example, SSL Certificates.
6. On the Security tab you must ensure the computer account has the ability to enroll for the template. To do so, click Add.
7. In Select Users, Computers, Service Accounts, or Groups, type the name of the user or group that you want to use for enrollment. Click Check Names, and then click OK.
8. Ensure that the user account or group that you want to use for enrollment is selected and then select the Allow checkbox that corresponds to the Enroll permission.
9. Click Add.
10. Click Object Types, select Computers, and then click OK.
11. Enter the name of the computer running IIS. Click Check Names, and then click OK.
12. Ensure that the computer account for the computer running IIS is selected and then select the Allow checkbox that corresponds to the Enroll permission. Click OK.
13. On the Subject Name tab, select Build from this Active Directory information. Set the Subject name format to Common name. Under Include this information in alternate subject name, select the DNS name checkbox and clear the User principal name (UPN) checkbox.
14. On the Cryptography tab, ensure that the template is set to use a Minimum key size of 1024 bits or higher; 2048 bits or higher is preferred. Click OK.
15. Close the Certificate Templates console and return to the Certification Authority console.
16. In the console tree of the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
17. In the Enable Certificate Templates dialog box, click the new certificate template that you just configured and then click OK.
Obtain a certificate for IIS using the certificate template
1. On the IIS server, open an MMC console. To do so, you can open a command prompt, the Run dialog box, or Windows PowerShell, type mmc and then press ENTER.
2. In the new MMC console (Console1) click File, and then click Add/Remove Snap-in.
3. From the list of Available snap-ins, select Certificates and then click Add.
4. Select Computer account and then click Next.
5. In Select Computer, the Local computer is selected by default. Click Finish and then click OK.
6. Expand Certificates (Local Computer) and then right-click Personal. Click All Tasks, and then click Request New Certificate.
7. On the Certificate Enrollment wizard, click Next.
8. On the Select Certificate Enrollment Policy page, ensure that Active Directory Enrollment Policy is selected and then click Next.
9. On Certificate Enrollment, click Enroll. Click Finish.
Configure HTTPS on the Default Web Site
1. On the IIS server, open the Internet Information Services (IIS) Manager.
2. Expand the server and Sites nodes until you can see Default Web Site.
3. Click Default Web Site.
4. On the Actions pane, click Bindings.
5. In Site Bindings, click Add.
6. In Add Site Binding, set Type to https.
7. Set SSL certificate to the certificate that you issued to the server. You can confirm you have the correct certificate by clicking View. The certificate's purpose should be Ensures the identity of a remote computer. To further verify, you can click the Details tab of the certificate. Select Enhanced Key Usage and ensure that it reads Server Authentication (1.3.6.1.5.5.7.3.1). Click OK.
8. On Add Site Binding, click OK. On Site Bindings, click Close.
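The enrollment and binding procedures above can also be scripted. The following PowerShell is an added example, not part of the original article: it enrolls against the published template, repeats the article's Enhanced Key Usage check (adding key-size and DNS-name checks), and binds the certificate to the Default Web Site. It assumes the duplicated template's internal name is SSLCertificates (the display name without the space), port 443 for the https binding, and an elevated session on the domain-joined IIS server with the WebAdministration module available.

```powershell
# Added example, not from the original article. Run elevated on the IIS server.
# Assumption: the duplicated template's internal name is "SSLCertificates".
$ErrorActionPreference = 'Stop'
$templateName = 'SSLCertificates'
$siteName     = 'Default Web Site'
$port         = 443                    # assumed port for the https binding
$serverAuth   = '1.3.6.1.5.5.7.3.1'    # Server Authentication EKU named in the article
$minKeyBits   = 2048                   # the article's preferred minimum key size

# Enroll through the Active Directory enrollment policy into the computer's Personal store.
$result = Get-Certificate -Template $templateName -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') { throw "Enrollment not completed, status: $($result.Status)" }
$cert = $result.Certificate

# Same check as View > Details > Enhanced Key Usage in the article.
$ekuExt = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
if ($ekus -notcontains $serverAuth) { throw 'Certificate lacks the Server Authentication EKU.' }

# Reject keys below the preferred size (a template left at 1024 bits would fail here).
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if (-not $rsa -or $rsa.KeySize -lt $minKeyBits) { throw "Key is not RSA with at least $minKeyBits bits." }

# The template adds the DNS name to the subject alternative name; confirm it matches this host.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san -or $san.Format($false) -notmatch [regex]::Escape($fqdn)) {
    throw "Subject alternative name does not contain $fqdn."
}

# Create the https binding if it is missing, then attach the certificate from the Personal store.
Import-Module WebAdministration
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port $port)) {
    New-WebBinding -Name $siteName -Protocol https -Port $port
}
$binding = Get-WebBinding -Name $siteName -Protocol https -Port $port
$binding.AddSslCertificate($cert.Thumbprint, 'My')
"Bound $($cert.Thumbprint) to '$siteName' on port $port"
```

If a certificate is already bound to that port, AddSslCertificate fails; remove the old binding first or reuse the existing certificate.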
Additional Resources
See the following resources for more information on using CA Web Enrollment pages and HTTPS on Internet Information Server:
How to Set Up SSL on IIS7
How to implement SSL in IIS (KB 299875)