SOLVED

Install ssl certificate on windows server 2012 R2

I would like to install an SSL certificate on Windows Server 2012 R2.

I received 4 files from the SSL provider:

  1. mydomain.company.it.csr
  2. mydomain.company.it.key
  3. mydomain_company_it_cert.cer
  4. mydomain_company_it_interm.cer

In IIS I installed "mydomain_company_it_cert.cer" by choosing "Complete Certificate Request".

This way I can't see the certificate in the dropdown list when I try to create the binding in IIS.

I have tried to run "certutil -repairstore my xxxxxxxxxxx" but I am constantly prompted for a smart card.

This article doesn't help much; the hotfix has been removed.

I read this thread, but I don't know if I have to generate the .CSR again, as in the first point of the reply.

Any thoughts on how to bypass the smart card prompt and get the repair to complete are appreciated.

25 Replies
1. The Certificate Signing Request
2. The private key
3. The Root CA for the certificate I guess?
4. The intermediate CA for the certificate

What did you give to the SSL provider? Only the request, I presume. Did you create the CSR yourself using IIS? If so, then I don't know where you got the key file from. Usually the SSL provider gives you a bundle back with the root and intermediate and a .cer file which you can use to complete the request. (You should see the certificate in the Computer/Personal certificate store on that server.)

All the files were provided to me by the person who handled the request (an administrative employee).
I didn't create the .csr file with IIS.

In IIS, as written, I installed "mydomain_company_it_cert.cer" by choosing "Complete Certificate Request".
Yes, I can see the certificate in the Computer/Personal certificate store (with the name mydomain.company.it), but if I double-click on it, the icon does not contain the "key image".
The certificate does not have a private key.

Thanks for your time.
Complete Certificate Request is something you can do only when you created the request in IIS yourself. Since someone else did that for you, they have all the data.

You need a pfx file from that person; without it you will never have a certificate in your store to use within IIS.
So in my situation the only way to install this certificate is to have that PFX file?
best response confirmed by Frankie1969 (Copper Contributor)
Solution
Yes, importing a pfx file gives you a certificate with the private key. (The key sign will then be shown in the certificate store.) Perhaps the person who gave you the files can convert his files into a pfx file using openssl tooling.
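
Added example (not part of the original thread or of any poster's reply): one way the person holding the provider's files could build the .pfx with OpenSSL, as the accepted answer suggests. It refuses to continue unless the private key matches the certificate, and it writes the PFX with SHA1/3DES protection because OpenSSL 3 defaults to AES-256, which Windows Server 2012 R2 cannot import. The function names and the PFX_PASS variable are assumptions of this example, as are PEM-encoded input files and an unencrypted private key.

```bash
#!/bin/sh
# Added example: bundle the provider's key, certificate and intermediate into a PFX.
# Function names and the PFX_PASS variable are illustrative, not from the thread.
# Assumes PEM-encoded input files and an unencrypted private key.

# Succeed only if the private key and the certificate hold the same public key.
key_matches_cert() {    # key_matches_cert <key> <cert>
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Build the PFX; the password is read from $PFX_PASS so it never appears in argv.
make_pfx() {            # make_pfx <key> <cert> <intermediate> <out.pfx>
    [ -n "${PFX_PASS:-}" ] || { echo "export PFX_PASS first" >&2; return 1; }
    key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    # SHA1/3DES protection instead of OpenSSL 3's AES-256 default, which
    # Windows Server 2012 R2 cannot read.
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -out "$4" -passout env:PFX_PASS
}

# Confirm the PFX really carries a private key (what IIS needs for the binding).
pfx_has_key() {         # pfx_has_key <file.pfx>
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts -nodes 2>/dev/null |
        grep -q 'PRIVATE KEY'
}

# Run as: PFX_PASS=... sh make_pfx.sh mydomain.company.it.key \
#   mydomain_company_it_cert.cer mydomain_company_it_interm.cer mydomain.pfx
if [ "$#" -eq 4 ]; then
    make_pfx "$@" && pfx_has_key "$4" && echo "PFX with private key written to $4"
fi
```

The resulting file holds the private key, so it should be moved to the server over a protected channel and deleted from intermediate locations after the import.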
I obtained the .pfx file.
First, I presume I should delete the previous certificate from my certificate store.
And then where do I have to import the .pfx file?
Thanks.

@Frankie1969

You can delete it because it has no key in it. Import the PFX from the store like this and follow the wizard.

[Screenshot: Harm_Veenstra_0-1642248912650.png]

Or double-click it in Explorer and follow the wizard from there.

[Screenshot: Harm_Veenstra_1-1642248977053.png]

Thanks. Last step.
Do I need to define URL rewrite rules, or is binding the site with the SSL certificate enough?
Strange thing: I've done the binding with the SSL certificate, but now
with Edge the site is not reachable with domain_name.xxx.it but only with the IP address (we have a public IP), and with Firefox it is reachable with domain_name.xxx.it but the site is not secure (connection is not secure).

In Edge I enter "domain_name.xxx.it" in the address bar and after 30/40 seconds I receive "page not reachable", and in the address bar I see https://domain_name.xxx.it//

If I enter the IP address, the page is shown but the site is not secure.

In Firefox, if I enter domain_name.xxx.it, the page is shown but the site is not secure.

@Frankie1969

What are the certificate details? Is it a certificate which has been created using an internal Certificate Authority and are you missing the intermediate and root certificates in your store?

[Screenshot: Harm_Veenstra_1-1642265495352.png]

[Screenshot: Harm_Veenstra_2-1642265514996.png]

[Screenshot: Harm_Veenstra_0-1642265472797.png]

@Harm_Veenstra

Thanks. Certificate details:
[Screenshot: Immagine.png]
In my Personal store I have only this certificate.

I open mydomain.company.it in the browser.
Edge replies "Unable to reach this page".
Firefox shows me the page but says "Connection is not secure".

At the beginning I received 4 files from the provider (you can see the first message), but afterwards I received the .pfx file and installed that.
I don't know if I need to use the URL Rewrite module in IIS.
My first problem is that Edge doesn't show the page, while Firefox and Chrome show it but report that the site is not safe.
Could the fact that Firefox and Chrome show the page as unsafe be because some resource is called in the MasterPage with http://... and not https://?

OK, the certificate is from a public CA, so that shouldn't be the problem. If you have a website running on IIS and it's the only one, plus you did the binding... then a URL Rewrite shouldn't be needed. And yes, everything should be https, or your browser will see that it switched from https to http and will say not safe.

URL Rewrite is nice if people just type the URL and the browser starts connecting with http; it will be redirected to https.
Do you have any idea why Edge won't open it? It is very strange.
Edge is more restrictive, I guess? I have no idea what website you're running and how it works internally :)
Just for news: I changed this line in the master page
from <html xmlns = "http://www.w3.org/1999/xhtml">
to <html xmlns = "https://www.w3.org/1999/xhtml">

Now Edge opens the site, still in non-secure mode, but at least it opens it.
You're getting there! But I guess your original question is answered now?
Yes and no. It's true that the certificate is installed, but the browsers (Edge, Firefox, Chrome) say that the certificate is not installed. But I believe that the original question is answered and now it's another problem.
In your opinion, if the browser says "Certificate is not installed", could the reason also be some "http//...." link in the aspx page, or is it certain that the certificate is not installed?

If you access the page using https, it should not give you errors. Binding is done on the site using the installed certificate and port 443? 

@Frankie1969
I've replaced the Default.aspx page (the starting page) with "poor" code containing only https external references.
Same situation:
If I enter mydomain.company.it in the address bar, the page is shown but the site is not secure.
If I enter https://mydomain.company.it/default.aspx in the address bar, the page is not shown.

Whoever lasts wins it.

<%@ Page Language="vb" AutoEventWireup="false" CodeBehind="Default.aspx.vb" Inherits="ApplicationName.Default" %>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
<div id="body">
    <h3>We suggest the following:</h3>
    <ol class="round">
        <li class="one">
            <h5>Getting Started</h5>
            ASP.NET Web Forms lets you build dynamic websites using a familiar drag-and-drop, event-driven model.
            A design surface and hundreds of controls and components let you rapidly build sophisticated, powerful UI-driven sites with data access.
            <a href="https://go.microsoft.com/fwlink/?LinkId=245146">Learn more…</a>
        </li>
        <li class="two">
            <h5>Add NuGet packages and jump-start your coding</h5>
            NuGet makes it easy to install and update free libraries and tools.
            <a href="https://go.microsoft.com/fwlink/?LinkId=245147">Learn more…</a>
        </li>
        <li class="three">
            <h5>Find Web Hosting</h5>
            You can easily find a web hosting company that offers the right mix of features and price for your applications.
            <a href="https://go.microsoft.com/fwlink/?LinkId=245143">Learn more…</a>
        </li>
    </ol>
    </div>
    </div>
    </form>
</body>
</html>

If I enter https://mydomain.company.it/default.aspx in the address bar, the page is not shown.

If I enter http://mydomain.company.it/default.aspx in the address bar, the page IS shown.

Yes, port 443.
