IIS SSL/TLS Certificate Setup – Internal MS CA

Simplistic, works for me when adding a certificate for WSUS.

Create Certificate Request:

From the IIS server needing the new certificate, open IIS Manager:

- In the left window pane, select the server.
- In the center window pane, select "Server Certificates".
- In the right window pane, select "Create Domain Certificate Request".
- Enter the information in the pop up window.
- Cryptographic Service Provider:
	"Microsoft RSA SChannel Cryptographic Provider"
- Bit Length:
	2048

This should submit a request to the domain CA and automatically return a certificate. This will of course depend on how your CA is set up to approve such requests.

Bind the new certificate to the web site:

- In the left window pane, select the web site 
	Possibly "Default Web Site", or maybe not.
- In the right window pane, select "Bindings…".
- In the "Site Bindings:" pop up, choose Add or Edit. I'm doing Edit here.
- Select "HTTPS" and click the "Edit" button.
- Select the new certificate.
- In the right window pane, restart the service.

The new certificate expiration date can be viewed in "Server Certificates" (see step one above).
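The same internal-CA procedure can be scripted, which is useful when the WSUS certificate has to be renewed on a schedule rather than clicked through. The following is an added example and not part of the original notes: it enrolls from the enterprise CA with the PKI module's Get-Certificate (the scripted counterpart of "Create Domain Certificate Request"), checks the key size and expiration before anything is bound, then attaches the certificate to the site's HTTPS binding and restarts the site. The template name "WebServer" and the site name "Default Web Site" are assumptions; replace them with the template your CA actually publishes and your site.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original notes): enterprise CA enrollment plus IIS
# binding from PowerShell. Run in an elevated PowerShell on the IIS server.
Import-Module PKI
Import-Module WebAdministration

$SiteName = 'Default Web Site'   # assumption: the site from the "Bindings..." step
$Template = 'WebServer'          # assumption: a template the computer account may enroll in
$DnsName  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # server FQDN

# 1. Enroll. If the template is set to auto-issue, the CA returns the certificate
#    immediately; otherwise the request stays pending until an admin approves it,
#    which is the "depends on how your CA is set up" case in the notes.
$result = Get-Certificate -Template $Template -DnsName $DnsName `
                          -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete: status is $($result.Status) (CA approval may be required)"
}
$cert = $result.Certificate

# 2. Sanity checks before binding: RSA key of at least 2048 bits, not already expired.
$keySize = $cert.PublicKey.Key.KeySize
if ($keySize -lt 2048)               { throw "Key is only $keySize bits" }
if ($cert.NotAfter -le (Get-Date))   { throw 'Certificate is already expired' }

# 3. Bind: create the HTTPS binding if the site has none, then attach the certificate
#    (the equivalent of Bindings... -> HTTPS -> Edit -> pick the certificate).
$binding = Get-WebBinding -Name $SiteName -Protocol 'https' -Port 443
if (-not $binding) {
    New-WebBinding -Name $SiteName -Protocol 'https' -Port 443 -IPAddress '*' | Out-Null
    $binding = Get-WebBinding -Name $SiteName -Protocol 'https' -Port 443
}
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# 4. Restart the site so the new binding is picked up.
Stop-Website  -Name $SiteName
Start-Website -Name $SiteName

# 5. Report what is now bound, including the expiration date the notes say to check.
[pscustomobject]@{
    Site       = $SiteName
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    KeyBits    = $keySize
    NotAfter   = $cert.NotAfter
}
```

Get-Certificate stores the request so that a pending enrollment can be finished later with `Get-Certificate -Request $result.Request` once the CA has approved it, which keeps the private key on the server just as the IIS Manager wizard does.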

Microsoft PKI – Change the Issuing Server’s Certificate Validity Period

The following are assumed in this scenario:

 - The root server is a standalone (off the domain) root CA server
 - The issuing server is an enterprise (on the domain) issuing CA server

By default, the certificate that the root CA issues to the issuing CA server is good for one year. That lifetime is controlled by the root CA's ValidityPeriod settings, which default to one year.

This can be verified on the root CA server:

Open PowerShell as admin:
     Certutil -getreg CA\ValidityPeriodUnits
     Certutil -getreg CA\ValidityPeriod

To change the issuing server’s certificate validity period to 5 years:

On the root standalone CA:
	Open PowerShell as admin
		Certutil -setreg CA\ValidityPeriodUnits 5

If ValidityPeriod is already set to Years, the next command is not needed, but just in case:

Certutil -setreg CA\ValidityPeriod "Years"

For good measure:

restart-service certsvc

Verify the settings are what you want them to be:

Certutil -getreg CA\ValidityPeriodUnits
Certutil -getreg CA\ValidityPeriod

When you renew the enterprise issuing server’s certificate, it should be good for 5 years. Verify this by looking at the certificate properties.
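One check worth doing before renewing: a CA never issues a certificate that outlives its own certificate, so the 5-year setting only produces a 5-year issuing CA certificate if the root CA's certificate still has at least 5 years left; otherwise the issued certificate is silently cut back to the root's expiration date. The following is an added example, not part of the original notes: it reads ValidityPeriod and ValidityPeriodUnits from the same CertSvc registry keys that `certutil -getreg CA\...` reads, finds the root CA's own certificate, and reports the date an issued certificate would actually end on. It assumes the CA's certificate sits in Cert:\LocalMachine\My with a subject CN equal to the CA name recorded under CertSvc\Configuration\Active, which is the normal layout for a standalone root (on a standalone CA there are no templates to override these values). Run it on the root CA as admin.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original notes): compare the configured validity
# period with the CA certificate's remaining lifetime on a standalone root CA.

function Get-CaValidityPolicy {
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active
    $ca     = Get-ItemProperty -Path (Join-Path $cfg $caName)   # holds ValidityPeriod*

    # Assumption: the CA's own certificate is in LocalMachine\My with CN = CA name.
    $caCert = Get-ChildItem Cert:\LocalMachine\My |
              Where-Object { $_.Subject -match "CN=$([regex]::Escape($caName))(,|$)" } |
              Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $caCert) { throw "CA certificate for '$caName' not found in LocalMachine\My" }

    # Turn Units + Period into an end date, the way the CA applies them to a request.
    $now = Get-Date
    $requestedEnd = switch ($ca.ValidityPeriod) {
        'Years'  { $now.AddYears($ca.ValidityPeriodUnits) }
        'Months' { $now.AddMonths($ca.ValidityPeriodUnits) }
        'Weeks'  { $now.AddDays(7 * $ca.ValidityPeriodUnits) }
        'Days'   { $now.AddDays($ca.ValidityPeriodUnits) }
        'Hours'  { $now.AddHours($ca.ValidityPeriodUnits) }
        default  { throw "Unexpected ValidityPeriod value '$($ca.ValidityPeriod)'" }
    }
    # The CA truncates to its own NotAfter, so the effective end is the earlier date.
    $truncated    = $requestedEnd -gt $caCert.NotAfter
    $effectiveEnd = if ($truncated) { $caCert.NotAfter } else { $requestedEnd }

    [pscustomobject]@{
        CA                  = $caName
        ValidityPeriod      = $ca.ValidityPeriod
        ValidityPeriodUnits = $ca.ValidityPeriodUnits
        RequestedNotAfter   = $requestedEnd
        CACertNotAfter      = $caCert.NotAfter
        EffectiveNotAfter   = $effectiveEnd
        Truncated           = $truncated
    }
}

$policy = Get-CaValidityPolicy
$policy
if ($policy.Truncated) {
    $msg = 'Issued certificates will end at {0:d}, not {1:d}; renew the root CA certificate first if you need the full period.' -f
           $policy.CACertNotAfter, $policy.RequestedNotAfter
    Write-Warning $msg
}
```

Run this after the `Certutil -setreg` commands above and before renewing the issuing CA's certificate; if `Truncated` is true, the renewed certificate will not reach 5 years no matter what ValidityPeriodUnits says.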

IIS SSL/TLS Certificate Setup – External CA

Simplistic, works for me, in my given scenario.

Create Certificate Request:

From the IIS server needing the new certificate, open IIS Manager:

- In the left window pane, select the server.
- In the center window pane, select "Server Certificates".
- In the right window pane, select "Create Certificate Request".
- Enter the information in the pop up window.
- Cryptographic Service Provider:
	"Microsoft RSA SChannel Cryptographic Provider"
- Bit Length:
	2048
- Provide a path and a name for the certificate request file:
	C:\Users\Me\Desktop\csr.txt

Then copy/paste the csr.txt text into the request form in the certificate authority’s web interface, or submit the request file to the certificate authority.

Install the SSL Certificate:

Once the certificate authority has provided you with the new certificate, log back onto the IIS server that you created the request on and open IIS Manager:

- In the left window pane, select the server.
- In the center window pane, select "Server Certificates".
- In the right window pane, select "Complete Certificate Request…".
- In the pop up window:
	Select the new certificate.
	Add a friendly name to help identify it.
	Select "Web Hosting".

Bind the new certificate to the web site:

- In the left window pane, select the web site 
	Possibly "Default Web Site", or maybe not.
- In the right window pane, select "Bindings…".
- In the "Site Bindings:" pop up, choose Add or Edit. I'm doing Edit here.
- Select "HTTPS" and click the "Edit" button.
- Select the new certificate.
- In the right window pane, restart the service.

Use a web browser to check the site and the new certificate expiration date.
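The external-CA procedure has a command-line equivalent, and it exposes two things the IIS Manager wizard does not: the signature hash (SHA-256) and a Subject Alternative Name. Browsers match the host name against the SAN rather than the CN, so a certificate whose CN is right but that has no SAN still fails the browser check at the end of the notes. The following is an added example, not part of the original notes: New-WebServerCsr writes a certreq INF with the same CSP and 2048-bit key as the wizard and runs `certreq -new` ("Create Certificate Request"); Complete-WebServerCsr runs `certreq -accept` ("Complete Certificate Request") and verifies the installed certificate actually has its private key, the SAN and a valid chain; Test-SiteCertificate does the browser's job over a TLS handshake and reports the expiration date and days left. The host name, organisation fields and paths are placeholders. Note that `certreq -accept` installs into the machine Personal store rather than the "Web Hosting" store the wizard offers, so the binding step afterwards is the same as in the notes.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original notes): certreq-based request/complete
# plus a live TLS check. Host names, organisation fields and paths are placeholders.

function New-WebServerCsr {
    param([Parameter(Mandatory)][string]$Fqdn, [string]$OutDir = 'C:\certs')
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $inf = Join-Path $OutDir 'request.inf'
    $csr = Join-Path $OutDir 'csr.txt'
    # Same CSP and key length as the notes; SHA-256 and a SAN are added because the
    # IIS Manager wizard offers neither. Exportable=FALSE keeps the key on this box.
    @"
[NewRequest]
Subject = "CN=$Fqdn, O=Example Org, L=City, S=State, C=US"
KeyLength = 2048
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
HashAlgorithm = sha256
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
"@ | Set-Content -Path $inf -Encoding ASCII
    certreq.exe -new $inf $csr | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed for $inf" }
    return $csr   # paste this file's contents into the CA's request form
}

function Complete-WebServerCsr {
    param([Parameter(Mandatory)][string]$CertFile, [Parameter(Mandatory)][string]$Fqdn)
    $issued = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertFile)
    certreq.exe -accept $CertFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed: no pending request matches $CertFile" }
    # certreq -accept installs into the machine Personal store and joins the pending key.
    $cert = Get-Item "Cert:\LocalMachine\My\$($issued.Thumbprint)"
    if (-not $cert.HasPrivateKey) { throw 'Certificate installed without its private key' }
    $san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
            ForEach-Object { $_.Format($false) }) -join ','
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        KeyBits    = $cert.PublicKey.Key.KeySize
        SanHasFqdn = ($san -match [regex]::Escape($Fqdn))
        ChainValid = (Test-Certificate -Cert $cert -Policy SSL -DNSName $Fqdn -ErrorAction SilentlyContinue)
    }
}

function Test-SiteCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # The validation callback returns $true so we can inspect whatever the site presents.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $remote = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $san = ($remote.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
                ForEach-Object { $_.Format($false) }) -join ','
        [pscustomobject]@{
            Subject    = $remote.Subject
            NotAfter   = $remote.NotAfter
            DaysLeft   = [int]($remote.NotAfter - (Get-Date)).TotalDays
            SanHasHost = ($san -match [regex]::Escape($HostName))
            Protocol   = $ssl.SslProtocol
        }
    } finally { $tcp.Dispose() }
}

# Usage, in order (placeholder values):
#   New-WebServerCsr -Fqdn 'wsus.example.internal'          # submit csr.txt to the external CA
#   Complete-WebServerCsr -CertFile 'C:\certs\cert.cer' -Fqdn 'wsus.example.internal'
#   (bind the certificate under "Bindings..." as in the notes, then:)
#   Test-SiteCertificate -HostName 'wsus.example.internal'
```

If Complete-WebServerCsr reports `SanHasFqdn` false or `ChainValid` false, the certificate will still bind in IIS but browsers will warn: the first means the CA dropped or changed the SAN, the second usually means an intermediate CA certificate is missing from the server's store.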