IIS6

This document describes how to install a certificate on an IIS6 server.

Prerequisites

1. The certificate is in the Issued state.
2. You have obtained the certificate package.

Install intermediate CA certificates

Obtain the intermediate CA certificates for the server certificate

For compatibility between the server certificate and a client, install the intermediate CA certificates for the server certificate before installing the server certificate. There might be only one intermediate CA certificate for a server certificate, depending on the certificate provider.

To obtain the intermediate CA certificates:

1. Open the .pem file in Notepad, copy the content of each intermediate CA certificate (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) to a separate text file.
2. Save the text files as intermediate1.cer and intermediate2.cer.
   If there is only one intermediate CA certificate, you only need to copy and save the content of the certificate.

Install the intermediate CA certificates

1. Launch the Run command window and enter mmc to open the MMC console.
2. Choose File > Add/Remove Snap-in.
3. From the Available snap-ins list, choose Certificates and click Add.
4. In the Certificates snap-in dialog box, choose Computer account and click Next.
5. In the Select Computer dialog box, use the default settings, and click Finish.
6. In the Add or Remove Snap-ins dialog box, click OK.
7. In the left pane, choose Console Root > Certificates (Local Computer) > Intermediate Certification Authorities > Certificates.
8. Right-click a blank area of the window and choose All Tasks > Import.
9. Follow the Certificate Import Wizard to import the intermediate CA certificates intermediate1.cer and intermediate2.cer.

Delete EV root certificates from the server

Before installing a server certificate on an IIS server, identify whether the server has an EV root certificate. If yes, you must delete the EV root certificate. If you do not delete the EV root certificate, a client that uses an IE browser of versions earlier than IE7 cannot access the server.

To delete EV root certificates from the server:

• Choose Certificates > Trusted Root Certification Authorities > Certificates.
  Identify whether there is a certificate with the name VeriSign Class 3 Public Primary Certification Authority - G5 and a validity period from 2006-11-8 to 2036-7-17. If yes, delete the certificate.

• Choose Certificates > Third-Party Root Certification Authorities > Certificates.
  Identify whether there is a certificate with the name VeriSign Class 3 Public Primary Certification Authority - G5 and a validity period from 2006-11-27 to 2036-7-17. If yes, delete the certificate.

Install the server certificate

Obtain the server certificate

From the certificate issuing file, copy the content of the server certificate (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) to a text file and save it as server.cer.

Access the IIS console

1. Access the IIS console, right-click the website that requires a server certificate, and choose Properties.
2. Click the Directory Security tab and select Server Certificate.
3. In the IIS Certificate Wizard, choose Process the pending request and install the certificate and click Next.
4. Select the server certificate file saved previously and click Next.
5. Use the default HTTPS listening port 443 and click Finish.
6. Restart IIS, use HTTPS to access the website and verify that the certificate has been installed correctly.

Back up and restore a server certificate

After successfully installing a server certificate and completing configuration, back up the server certificate for further restoration.

Back up a server certificate

1. Access the IIS console and select the website on which you have installed the server certificate.
2. Right-click the website and choose Properties.
3. Click the Directory Security tab and select Server Certificate.
4. In the ISS Certificate Wizard, choose Export the current certificate to a .pfx file and click Next.
5. Specify a password to protect the certificate backup file and click Next.
6. Select a filename and location to save the certificate backup file and click Next.
7. Click Finish.

Restore a server certificate

1. Access the IIS console and select the website on which you have installed the server certificate.

2. Right-click the website and choose Properties.

3. Click the Directory Security tab and choose Server Certificate.

4. In the IIS Certificate Wizard, choose Import a certificate from a .pfx file and click Next.

5. Select the server certificate backup file and enter the password.
   If you select the Mark this key as exportable option, the private key can be exported from the server later. Otherwise, the private key cannot be exported from the server later. For server certificate key security, it is recommended that you keep the certificate backup file carefully and leave the option unselected.

6. Use the default HTTPS listening port 443 and click Finish.

7. Restart IIS, use HTTPS to access the website and verify that the certificate has been restored correctly.