How to install cer and p7b certificates to use in IIS?


Windows has its own tool for creating certificate requests. You can use the rather clumsy certreq or the much easier Management Console (Add Certificates plugin for the Computer account on Server 2008R2 and earlier, or run certlm.msc on Server 2012 and later).

In addition to the certificate returned from the CA, you also need the private key installed on the end-entity. In your case, that private key is within the keystore you used when running keytool and therefore inaccessible to Windows.

You have two options:

  • Import the new certificate into the keystore and export both it and the private key as a PKCS#12 (.pfx), which you can then import into Windows.
  • Use the Microsoft tool to generate a new request and have that signed by your CA. When you import the returned certificate into Windows it'll match up with its private key and you can use it in IIS.

If this is an internal CA, I'd go for the latter option. However, an external CA may charge you for another certificate, so you need to decide what is the most cost effective resolution.

If you decide to go with the former and import the newly signed certificate to your keystore, use something like:

keytool -importcert -file certificate.cer -keystore <server name>.keystore -alias <server name>

Then convert the keystore to a PKCS#12, which you can import to Windows, with:

keytool -importkeystore -srckeystore <server name>.keystore -destkeystore <server name>.pfx -srcstoretype JKS -deststoretype PKCS12 -deststorepass <new password>

You will need Java 8 or later to run the command above.

Any intermediate certificates should also be sent to you. That's probably what is in the p7b file (although you haven't stated its contents). They should be imported into Windows' Intermediate Certification Authorities store, which you seem to have done already.

Once you have your *.pfx file import it into the server's Local Machine certificate store (don't waste time with the IIS MMC snap-in).

Start certlm.msc (W2K12 or later) or add the Certificates MMC snap-in configured for Computer accounts and Local computer (for W2K8R2 or earlier). Right click on the Personal store and import the certificate. If you receive any additional certs within the *.pfx file, move them to the Intermediate Certification Authorities store (for sub CA certs). Otherwise import them separately to that store.
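The import-and-verify steps above, as an added PowerShell example (not part of the original answer). It assumes the file paths shown and runs in an elevated prompt on the IIS host; the key check is HasPrivateKey, which is exactly what separates a certificate IIS can bind from one that "disappears".

```powershell
# Added example, not from the original answer. Paths are assumptions; adjust them.
$PfxPath = 'C:\certs\server.pfx'         # PKCS#12 exported from the keystore
$P7bPath = 'C:\certs\intermediates.p7b'  # sub-CA bundle returned by the CA
$PfxPass = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. Leaf certificate plus private key into Local Machine\Personal.
#    A PFX may also carry chain certs, so keep the one that owns a key
#    and move the rest to Intermediate Certification Authorities.
$imported = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPass
$leaf = $imported | Where-Object HasPrivateKey | Select-Object -First 1
$imported | Where-Object { -not $_.HasPrivateKey } | ForEach-Object {
    Move-Item -Path "Cert:\LocalMachine\My\$($_.Thumbprint)" `
              -Destination 'Cert:\LocalMachine\CA'
}

# 2. Intermediate certificates from the .p7b into the CA store.
#    Import-Certificate accepts a PKCS#7 bundle and returns every cert in it.
$chain = Import-Certificate -FilePath $P7bPath -CertStoreLocation 'Cert:\LocalMachine\CA'

# 3. Verify the leaf still reports a private key in the machine store.
#    A bare .cer imported here has HasPrivateKey = False and IIS ignores it.
$check = Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object Thumbprint -eq $leaf.Thumbprint
if (-not $check -or -not $check.HasPrivateKey) {
    throw "Leaf certificate has no private key in LocalMachine\My; re-export the PFX with the key."
}
"Leaf: $($check.Subject) [$($check.Thumbprint)] - private key present"
$chain | ForEach-Object { "Intermediate: $($_.Subject)" }

# 4. Confirm the chain builds to a trusted root for server authentication (EKU 1.3.6.1.5.5.7.3.1).
#    Test-Certificate returns $true when the chain validates, $false otherwise.
Test-Certificate -Cert $check -Policy SSL -EKU '1.3.6.1.5.5.7.3.1'
```

The thumbprint printed in step 3 is the value IIS shows under Server Certificates, so it can be used to confirm the binding picked up the right certificate.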


Author: Raja Dorji

Updated on September 18, 2022

Comments

  • Raja Dorji
    Raja Dorji over 1 year

    I have generated the CSR request on our Windows server (we need to bind our application hosted on this server for HTTPS) using the commands below in keytool:

    keytool -genkey -alias <server name> -keyalg RSA -keysize 2048 -keystore <server name>.keystore
    
    keytool -certreq -keyalg RSA -alias <server name> -file certreq.csr -keystore <server name>.keystore
    

    After this I got one csr and one keystore file, which I forwarded for issuing SSL. The team gave me a zip file as the certificate (containing one .cer and one .p7b file). Now I am not sure how to use these two files in IIS.

    What we have tried so far:

    • Imported the .cer in IIS using Complete Certificate Request option, but the certificate disappears from IIS when we check again.
    • Imported the .p7b in IIS using Complete Certificate Request option, but the certificate disappears in this case also.
    • Imported the .cer in certificate store in personal certificate, but it does not appear in IIS settings.
    • Imported the .p7b in certificate store in intermediate certificates, but it does not appear in IIS settings.
    • Imported the .cer in certificate store in personal certificate and .p7b file in intermediate certificates, but no certificate appears in IIS settings.
    • Tried to export the certificate in PFX format from certificate store, but while export, the pfx option is greyed out.
    • AndrePKI
      AndrePKI over 5 years
      Is this requesting certs from a public CA, or an internal CA? Maybe even ADCS? If public, look at the instructions of the provider. If internal, probably click the right options in IIS Manager.
  • Crypt32
    Crypt32 over 5 years
    This is the correct answer. There is no need to use keytool on Windows. Regarding solutions, I would go with the 2nd option. CAs often do not charge when you are re-requesting the certificate for the same subject, so this option should be ok.
  • Raja Dorji
    Raja Dorji over 5 years
    Hi @garethTheRed, thank you for your answer. I would like to try the first option first, as the second option of getting another cert will take a long time by the team. Can you please share any link or instructions to import the certificate into the keystore and then export it as pfx? That would be really helpful.
  • Lex Li
    Lex Li over 5 years
    It is also common to use IIS Manager directly, digicert.com/csr-ssl-installation/iis-7.htm
  • Raja Dorji
    Raja Dorji over 5 years
    Hi @garethTheRed, after importing the cer in the keystore, it's showing privateKeyEntry and trustedCertEntry in the keystore, and while trying to export to pfx, only privateKeyEntry is exported, not the newly added trustedCertEntry: Problem importing entry for alias <servername>.mhf.mhc: java.security.KeyStoreException: TrustedCertEntry not supported.
  • Raja Dorji
    Raja Dorji over 5 years
    Java version is 7. I found this docs.oracle.com/javase/7/docs/technotes/guides/security/jsse‌​/… seems like it does not support storing trustedCertEntry in PFX. Could not find any workaround yet. Do you have any suggestions?
  • Raja Dorji
    Raja Dorji over 5 years
    Took the files on my local system with Java 8 and exported pfx. Copied the pfx back to the server. Now after importing the pfx in IIS from Server Certificates->Import, when I try to bind the same, I get the error: A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)
  • Raja Dorji
    Raja Dorji over 5 years
    Also, in the keystore content, after importing the cer in it, the privatekey alias is hostname and the trustedCertEntry is hostname.mhf.mhc. While importing the cer in the keystore I got 'certificate added', unlike what is mentioned in the first comment here: serverfault.com/questions/809695/… Can this be the cause of the issue?
  • Raja Dorji
    Raja Dorji over 5 years
    Thank you for bearing with me and all the help. Tried certlm.msc, and it adds two rows there in personal certificates, and I am able to bind the site in IIS with both. I can use the site with https. Thanks a bunch. You've been a saviour :)