
Renewing Certificates-Automatically

Table of Contents

1 Table of Contents
2 Purpose
3 Overview
4 Pre-Creation Steps
  4.1 Certificate Request Authorization
5 Generate Certificate
  5.1 Create Certificate
  5.2 Submit Request and Download Certificate
6 Process Certificate Request
  6.1 Process Request
7 Install in IIS and Export
  7.1 Export PFX using IIS MMC
8 Conclusion

Purpose

The purpose of this document is to describe in detail the new certificate request creation functionality being provided on the http://ssladmin/ssladmin site. Please be aware that as of 8-12-2010 all certificates issued through the SSLAdmin site have a bit strength of 2048 and are valid for 24 months.

Overview

There are now several different ways to create and submit a certificate request on the http://ssladmin/ssladmin site:

- Create the certificate request text file locally using IIS.
- Create the certificate request text file using certreq.exe.
- Create the request text file on the server where it is needed using IIS.
- Create the request and submit for the certificate using the new automated certificate request creation tool on http://ssladmin/ssladmin.

At this time, the automated certificate creation tool will not work for creating a certificate with SANs when the only approval you hold is a single all-across (wildcard) site authorization. For example: if you have site authorization for *.test.msn.com, you can only use the automated certificate request creation tool to request a certificate for *.test.msn.com.

4 Pre-Creation Steps

4.1 Certificate Request Authorization

Ensure that you are authorized to request certificates from http://ssladmin/ssladmin for all required domain names. Be sure to include all subject alternative names if requesting a certificate containing them.

5 Generate Certificate

5.1 Create Certificate

Vista and Windows Server 2008 R2 require the user to be an administrator to complete this task; therefore Internet Explorer must be run as an administrator.

Also, the Internet Explorer setting under Security labeled "Initialize and script ActiveX controls not marked as safe for scripting" must be set to Prompt for these steps to succeed. To change this ActiveX security setting in Internet Explorer:

1. In Internet Explorer, click Tools --> Internet Options --> Security tab --> Local intranet icon (shown circled below) --> Custom level button (shown circled below):

2. Scroll down to the ActiveX controls and plug-ins section, and locate the Initialize and script ActiveX controls not marked as safe for scripting setting (shown highlighted below). Click the Prompt radio button:

3. Click the OK button, then click Yes when asked if you're sure you want to change the settings for this zone.

4. Click OK to close the Internet Options window.

5. Restart Internet Explorer (using Run as Administrator).

Creating the request file:

- Click Start
- Click Run
- Click All Programs
- Right click Internet Explorer
- Click Run as Administrator
- Browse to http://ssladmin/ssladmin
- Click on Certificates, New Request
- Enter the alias of a distribution list and any additional aliases.

Note: Certificate requests now require that a group or team distribution list be included in the notifications list for a successful submission.

- Click the Automated Certificate Creation link under the Email Notification list

The left box lists all domain names for which you are approved to request certificates. The top right has a field for the Subject / Common Name you are requesting, and the bottom right has a field for any needed Subject Alternative Names (SANs).

- Click the desired domain in the left box to highlight it.
- Click the top button to move that domain into the Subject / Common Name field.
- To add SANs to the request, highlight the names you need and click either the 3rd button for an individual name or the 4th button for multiple names.
- Use the 5th or 6th button to remove the names.

If you are creating a certificate with SANs, always include the Subject name in the list of SANs. If you do not, some sites will not work correctly.

Note: The above graphic shows a certificate request with SANs.

- Click User Agreement to view it
- Click I agree to the User Agreement

Click Submit. The certificate download page is presented.

5.2 Submit Request and Download Certificate


Continuing from the above section, download either the DER or the Base64 file.

Note: The .P7B file does not work at this time when using the automated tool.

Save the file to a known location, using the Subject / Common Name specified in section 5.1 as the file name.

6 Process Certificate Request

6.1 Process Request

For the public and private keys to be associated, you must install the newly downloaded certificate into the Local Computer Personal certificates store on the same machine where the request was created. Failure to do so will result in a certificate with no private key.

To import the file into the Local Certificates store, conduct the following steps:

Import the certificate file

- Click Start
- Click Run
- Type MMC
- Click OK
- Click File
- Click Add/Remove Snap In
- Click Certificates
- Click Add
- Click Computer Account
- Click Local Computer
- Click Finish
- Click Close
- Click OK
- Expand Certificates
- Expand Personal
- Right click Certificates
- Click All Tasks
- Click Import
- Click Next
- Browse to the certificate file saved in previous steps
- Click Next
- Verify details
- Click Next
- Double click the newly imported certificate
- Verify it has the private key
- Click OK
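The two checks this procedure relies on (the imported certificate has its private key, and the Subject name appears among the SANs as section 5.1 requires) can also be scripted. The PowerShell below is an added example, not part of the original document or of the SSLAdmin tooling; the function name Test-ImportedCertificate and the sample name www.test.msn.com are assumptions, and the 2048-bit expectation is taken from the Purpose section.

```powershell
# Added example: inspect a certificate in the Local Computer \ Personal store.
# Test-ImportedCertificate is a hypothetical helper name, not an SSLAdmin tool.
function Test-ImportedCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $CommonName,  # Subject / Common Name from section 5.1
        [int] $ExpectedKeySize = 2048                         # bit strength stated in the Purpose section
    )

    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

    # Most recently issued certificate in LocalMachine\My whose CN matches.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.GetNameInfo($nameType, $false) -eq $CommonName } |
        Sort-Object NotBefore -Descending |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate with CN '$CommonName' in Cert:\LocalMachine\My" }

    # Subject Alternative Name extension (OID 2.5.29.17); absent on certificates without SANs.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sans = @()
    if ($sanExt) {
        # Format($true) yields one "DNS Name=host" entry per line on English-language Windows.
        $sans = $sanExt.Format($true) -split "`r?`n" |
            Where-Object { $_ -match '^DNS Name=' } |
            ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() }
    }

    [pscustomobject]@{
        Thumbprint      = $cert.Thumbprint
        NotAfter        = $cert.NotAfter
        HasPrivateKey   = $cert.HasPrivateKey     # False means the import did not pair with the key
        KeySize         = $cert.PublicKey.Key.KeySize
        KeySizeOk       = ($cert.PublicKey.Key.KeySize -eq $ExpectedKeySize)
        SubjectAltNames = $sans
        # Passes trivially when the certificate carries no SAN extension at all.
        SubjectInSans   = (-not $sanExt) -or ($sans -contains $CommonName)
    }
}

# Sample call; www.test.msn.com is a constructed name for illustration.
Test-ImportedCertificate -CommonName 'www.test.msn.com' | Format-List
```

If HasPrivateKey is False, the certificate was imported on a machine other than the one that created the request, and exporting it to a PFX will not include a key.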

Export the certificate

1. Right click the certificate
2. Choose All Tasks
3. Choose Export
4. Click Next
5. Click Yes, Export the private key
6. Click Next
7. Click Include all certificates in the certification path if possible
8. Click Next
9. Leave Enable Strong Protection enabled
10. Enter password and confirm it
11. Click Next
12. Enter name (recommend using the established common name) and browse to a known location to save the file
13. Click Next
14. Verify details
15. Click Next
16. Click Finish
17. The exported certificate file may now be used as needed

Note: The extension must be changed to .txt to email the file. Exchange will block it if sent as a .PFX.

7 Install in IIS and Export

7.1 Export PFX using IIS MMC

The certificate is now installed in the computer account's personal store; however, it must be manually assigned to a site in IIS for it to work. Follow the instructions below to export the PFX.

- Click Start
- Click Run
- Type inetmgr
- Click OK
- Expand Local Computer
- Expand Web Sites
- Right click Default web site
- Click Properties
- Click Directory Security
- Click Server Certificate
- Click Next
- Click Replace the current certificate
- Click Next
- Select the newly imported certificate
- Click Next
- Verify details
- Click Next
- Click Finish
- View the certificate to verify that it has a private key
- Expand Web Sites
- Right click the appropriate web site and select Properties
- Click Directory Security
- Click Server Certificate
- Click Next
- Click Assign an existing certificate
- Click Next
  o If Assign an existing certificate is not an available option, a certificate is already assigned to this site.
  o Remove the certificate by clicking Remove the current certificate
    o Click Next
    o Click Finish
    o Restart this process from Expand Local Computer (see above)
- Click the certificate
- Click Next
- Specify SSL port
- Click Next
- Review summary
- Click Next
- Click Finish
- Click View Certificate and ensure the correct cert was assigned
- Close the certificate dialog

Additional verification can be performed by clicking the Details tab, selecting the Subject field, and making sure that all required domain URLs are listed.

- Click Server Certificate
- Click Next
- Click Export the current certificate to a .pfx file
- Specify path and filename
- Click Next
- Enter and confirm password
- Click Next
- Review summary
- Click Next
- Click Finish
- Close the IIS MMC

Conclusion

The PFX file is now suitable for deployment on front-end web servers. Remember to clean up any copies of the file on public shares. Also remember that to email the certificate anywhere, you will need to change its extension to .txt; when it is received, the recipient can change it back to .PFX or .DER.
