SSL SERVER CERTIFICATE ORDER - DETAILED INSTRUCTIONS

MICROSOFT IIS AND AZURE


IIS 5

STEP 1 CREATING THE CERTIFICATE REQUEST (CSR) WITH IIS 5

  1. Go to the Administration Utilities menu and select the Internet Services Manager (IIS)
  2. Click on the page to be protected with the right-hand mouse button and select Properties
  3. Select the Directory Security tab
  4. Click on the Server Certificate button in the Secure Communication section
  5. Select Create a new certificate
  6. Select Prepare the request now, but send it later
  7. Fill in the following information in the Distinguished Name Properties window:
    1. Common Name: Fully qualified DNS-name or an IP-address
    2. Organization: The organization's name has to be exactly the same as the name visible in the Y-tunnus (Y-code/Finnish Business Identity Code/VAT Number) database
    3. Organizational Unit: Can be left empty
    4. City/locality: Mandatory field
    5. State/province: Mandatory field
    6. Country/region: Must be a two-letter country code
  8. Finally, give a name to your certificate request, for example MyCertReq.txt
  9. Lastly, check the information you have given and exit by clicking on the Finish button
  10. Open the certificate request you made (MyCertReq.txt) with the Notepad program and copy the content to the order page. Do not copy spaces or blank rows!

  11. Multidomain certificate request instruction

STEP 2 INSTALLING THE CERTIFICATE WITH IIS 5

  1. Telia CA sends a link to the customer from where the customer can retrieve the actual certificate
  2. Follow the instructions on the page to save the certificate on your computer e.g. under the name MyCert.cer
  3. Save TeliaSonera Intermediate CA p7b-file to server under name TS_intermediate.p7b
  4. Open Microsoft Management Console (MMC) Start -> Run -> type "mmc" and click "ok" or press enter
  5. Open add/remove snap-in File -> Add/Remove Snap-in
  6. Open Certificates Snap-in by clicking 'Add' and clicking 'Certificates'
  7. Select 'Computer Account' and click 'Next'
  8. Select 'Local Computer' and click 'Finish'
  9. Close 'Add Standalone Snap-in' windows and click 'OK'
  10. Expand the Certificate view by clicking the plus (+) mark
  11. Right-click on 'Intermediate Certification Authorities', select 'All Tasks', then select 'Import'.
  12. Locate the intermediate certificate (TS_intermediate.p7b) and click Next. When the wizard is completed, click Finish.
  13. Go to the Administration Utilities menu and select IIS on it
  14. Select the page to be protected, click the right-hand mouse button, and select Properties
  15. Click on the Directory Security tab
  16. Click on the Server Certificate button in the Secure Communication section
  17. Select Process the Pending Request and Install the Certificate
  18. Retrieve the certificate you saved (MyCert.cer)
  19. Read the summary to be sure you selected the correct certificate
  20. Check that the certificate chain is correct: open the Certificate path tab
  21. To use the server certificate, you must restart the IIS service
  22. If you are using Microsoft ISA/TMG/UAG services, restart the server
  23. Check the operation of the protected pages by using the SSL port (default 443)

BACKUP YOUR CERTIFICATE WITH IIS 5

  1. Go to the Administration Utilities menu and select Internet Services Manager (IIS)
  2. Click on the page to be protected with the right-hand mouse button and select Properties
  3. Select the Directory Security tab and click on View Certificate. This opens the certificate
  4. Go to the Details tab and click on Copy to File
  5. This opens the Certificate export wizard; to move on in the back-up copying, click on Next
  6. You can take a back-up copy of the certificate either with or without the secret key. Select Yes to take a back-up copy of the key, also, and No if you do not want the secret key
  7. Select the format where the back-up copy is taken. The option "select default" on the page is enough. NOTE! Select "include all certificates in the certificate path if possible"
  8. If you chose to copy the secret key as well, you need to set a password for your back-up copy.
  9. Select a directory where the back-up copy is saved and name your back-up copy (for example, server name www.server.fi)
  10. Click on Finish and OK. The back-up copy of the certificate has now been successfully taken
  11. Copy the file, for example, to a CD
  12. Keep the CD in a safe place

RESTORE A BACKUP WITH IIS 5

  1. Go to the Administration Utilities menu and select IIS on it
  2. Select the page to be protected, click on the right-hand mouse button and select Properties
  3. Select the Directory Security tab
  4. Click on the Server Certificate button in the Secure Communication section
  5. Install a certificate from a .pfx file
  6. Retrieve the back-up copy of the server certificate with the Browse button and select "mark this key as exportable"
  7. Give the password that protects the back-up copy
  8. Give the SSL port (port 443 is used as default)
  9. Check the information of the certificate and click on Next
  10. Click on Finish
  11. The certificate has been restored from the back-up copy

IIS 7

STEP 1 CREATE THE CERTIFICATE REQUEST WITH IIS 7

  1. Press Start button and open menu Administrative Tools. Choose Internet Information Services from the menu
  2. Click on the server name
  3. Double-click icon Server Certificates which is located in Security section of the middle-menu
  4. From the Actions menu on the right, choose the link Create Certificate Request
  5. Fill in the following information in the Distinguished Name Properties window:
    1. Common Name: Fully qualified DNS-name or an IP-address
    2. Organization: The organization's name has to be exactly the same as the name visible in the Y-tunnus (Y-code/Finnish Business Identity Code/VAT Number) database
    3. Organizational Unit: Can be left empty
    4. City/locality: Mandatory field
    5. State/province: Mandatory field
    6. Country/region: Must be a two-letter country code
  6. Use default values Microsoft RSA SChannel and 2048 on page Cryptographic Service Provider Properties.
  7. In File name page, insert a name for your CSR-file for example MyCertReq.txt
  8. Lastly, check the information you have given and exit by clicking on the Finish button
  9. Open the certificate request you made (MyCertReq.txt) with the Notepad program and copy the content to the order page. Do not copy spaces or blank rows!

STEP 2 INSTALLING THE CERTIFICATE WITH IIS 7

  1. TeliaSonera CA sends a link to the customer from where the customer can retrieve the actual certificate
  2. Follow the instructions on the page to save the certificate on your computer e.g. under the name MyCert.cer
  3. Save the TeliaSonera Intermediate CA p7b file to the server under the name TS_intermediate.p7b
  4. Open Microsoft Management Console (MMC) Start -> Run -> type "mmc" and click "ok" or press enter
  5. Open add/remove snap-in File -> Add/Remove Snap-in
  6. Open Certificates Snap-in by clicking 'Add' and clicking 'Certificates'
  7. Select 'Computer Account' and click 'Next'
  8. Select 'Local Computer' and click 'Finish'
  9. Close 'Add Standalone Snap-in' windows and click 'OK'
  10. Expand the Certificate view by clicking the plus (+) mark
  11. Right-click on 'Intermediate Certification Authorities', select 'All Tasks', then select 'Import'.
  12. Locate the intermediate certificate (TS_intermediate.p7b) and click Next. When the wizard is completed, click Finish.
  13. Go to the Administration Utilities menu and select IIS on it
  14. Select the page to be protected, click the right-hand mouse button, and select Properties
  15. Click on the Directory Security tab
  16. Click on the Server Certificate button in the Secure Communication section
  17. Select Process the Pending Request and Install the Certificate
  18. Retrieve the certificate you saved (MyCert.cer)
  19. Read the summary to be sure you selected the correct certificate
  20. Check that the certificate chain is correct: open the Certificate path tab
  21. In IIS, Select your Web site under Sites on the left-hand menu to display your site's Actions menu (right side of the page). Select Bindings
  22. Select Add from the Site Bindings window. If Type https is already listed, select it from the list and click Edit. The Add Site Binding window appears
  23. In the Add Site Binding window, set Type to https, IP address to All Unassigned, Port to 443. Specify the correct SSL certificate. Click OK.
  24. The Site Bindings window appears, showing the newly added binding. Click Close.
  25. Restart IIS 7 on the left-hand menu
  26. If you are using Microsoft ISA/TMG/UAG services, restart the server
  27. Check the operation of the protected pages by using the SSL port (default 443)

BACKUP WITH IIS 7

  1. Press Start button and open menu Administrative Tools. Choose Internet Information Services from the menu
  2. Click on the server name
  3. Double-click icon Server Certificates which is located in Security section of the middle-menu
  4. Choose from Actions menu on the right link Export
  5. In the Export Certificate window, choose the location where the certificate back-up file will be stored, give a password for the back-up file and click OK
  6. Store IIS 7 certificate back-up file carefully

RESTORE A BACKUP WITH IIS 7

  1. Press Start button and open menu Administrative Tools. Choose Internet Information Services from the menu
  2. Click on the server name
  3. Double-click icon Server Certificates which is located in Server Certificates section of the middle-menu
  4. Choose from Actions menu on the right link Import
  5. In the Import Certificate window, choose the location of the stored certificate back-up file, give the password for the back-up file and click OK
  6. Certificate is restored from back-up file


INTERMEDIATE CERTIFICATE INSTALLATION

  1. Open Microsoft Management Console (MMC) Start -> Run -> type "mmc" and click "ok" or press enter
  2. Open add/remove snap-in File -> Add/Remove Snap-in
  3. Open Certificates Snap-in by clicking 'Add' and clicking 'Certificates'
  4. Select 'Computer Account' and click 'Next'
  5. Select 'Local Computer' and click 'Finish'
  6. Close 'Add Standalone Snap-in' windows and click 'OK'
  7. Expand the Certificate view by clicking the plus (+) mark
  8. Right-click on 'Intermediate Certification Authorities', select 'All Tasks', then select 'Import'.
  9. Locate the intermediate certificate (TS_intermediate.p7b) and click Next. When the wizard is completed, click Finish.


CERTIFICATE INSTALLATION TO WINDOWS SERVER 2012

  1. Save the certificate you received from Telia as a .crt file. Beware of any extraneous space or linefeed characters generated during the copying process. Upload the file to your server.
  2. In Server Manager, choose Tools and then Internet Information Services (IIS) Manager.
  3. Choose the name of your server in IIS Manager.
  4. Click Server Certificates icon.
  5. Choose Complete Certificate Request from the panel on the right side.
  6. Input the path to the certificate file, set a friendly name for the certificate and pick a certificate store for the certificate. At the end click OK.
  7. Leave IIS Manager open and right-click the site that is going to use this certificate.
  8. Choose Edit Bindings.
  9. At Edit Site Bindings set the binding type as https, pick an IP address for the site and select your certificate using the friendly name. Finally click OK.


AZURE

In addition to a Microsoft Azure subscription, you will need a computer with OpenSSL or Microsoft IIS installed for this procedure to succeed. You can also use this guide to export a certificate into another instance of IIS.

PHASE 1. GENERATION OF A CSR WITH OPENSSL OR IIS

  1. Generate a CSR using this OpenSSL command: openssl req -newkey rsa:2048 -nodes
  2. Order your certificate using Telia ordering service.

PHASE 2A. GENERATE A PFX FILE WITH OPENSSL

  1. Create two files using your certificate delivery email: a) a server certificate file using the top code block in the message and b) a root certificate bunch using three root certificate blocks on the bottom of the message.
  2. Generate a pfx file from the private key, the certificate file and the root certificate bunch file with this OpenSSL command: openssl pkcs12 -export -out pfxfile.pfx -inkey yourprivatekey.pem -in yourservercert.cer -certfile teliarootbunch.cer

PHASE 2B. GENERATE A PFX FILE WITH IIS

  1. Create two files from the certificate delivery message similarly as with OpenSSL. Import your certificate and the root certificate bunch into IIS in the manner described above in IIS section. Begin the generation of your pfx file by choosing Certificates snap-in, select the certificate you just imported and click All Tasks/Export in Action menu.
  2. Make the following choices in the Certificate Export Wizard: Yes, export the private key / Include all certificates in the certification path if possible / Export all extended properties. Enter a password to protect your pfx file and choose a filename for it.

PHASE 3. EXAMINING YOUR PFX FILE

  1. You can inspect the contents of your pfx file with command certutil.exe -dump tiedoto.pfx. The pfx file should contain your server certificate with status "Encryption test passed" and the chain of Telia Root Certificates named TeliaSonera Server CA v2, TeliaSonera Root CA v1 and Sonera Class 2 CA. Naturally the root certificates do not have their private keys included.
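
The OpenSSL route through Phases 1, 2A and 3, as an added example (not Telia's own script): it writes the key and CSR to named files, refuses to build the pfx unless the private key matches the certificate, and counts the certificates in the finished pfx. The subject values, the PFX_PASS variable, the function names and the throw-away CA that stands in for the issued certificate are assumptions for illustration.

```shell
#!/bin/sh
# Added example. File names, subject values and the throw-away CA are assumptions.
set -eu

make_csr() {  # $1=key out, $2=CSR out, $3=subject; the key file is created owner-only
    ( umask 077
      openssl req -newkey rsa:2048 -nodes -keyout "$1" -out "$2" -subj "$3" ) 2>/dev/null
    openssl req -in "$2" -noout -subject   # print what the CA will be asked to certify
}

key_matches_cert() {  # $1=key, $2=cert; true only if both carry the same public key
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

make_pfx() {  # $1=key, $2=server cert, $3=root bunch, $4=pfx out; password in $PFX_PASS
    key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    ( umask 077
      openssl pkcs12 -export -out "$4" -inkey "$1" -in "$2" -certfile "$3" -passout env:PFX_PASS )
}

pfx_cert_count() {  # $1=pfx; prints how many certificates it holds (server + chain)
    openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASS 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Constructed stand-in for the CA: a throw-away self-signed CA signs the CSR.
issue_test_cert() {  # $1=CSR, $2=CA key out, $3=CA cert out, $4=server cert out
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$2" -out "$3" \
        -subj "/CN=Constructed Test CA" -days 1 2>/dev/null
    openssl x509 -req -in "$1" -CA "$3" -CAkey "$2" -set_serial 1 -days 1 -out "$4" 2>/dev/null
}

demo() {  # runs Phases 1, 2A and 3 in a scratch directory and prints the outcome
    d=$(mktemp -d)
    export PFX_PASS="constructed-example-password"
    make_csr "$d/yourprivatekey.pem" "$d/MyCertReq.txt" \
        "/C=FI/ST=Uusimaa/L=Helsinki/O=Example Oy/CN=www.example.fi"
    issue_test_cert "$d/MyCertReq.txt" "$d/ca.key" "$d/teliarootbunch.cer" "$d/yourservercert.cer"
    make_pfx "$d/yourprivatekey.pem" "$d/yourservercert.cer" "$d/teliarootbunch.cer" "$d/pfxfile.pfx"
    echo "certificates in pfx: $(pfx_cert_count "$d/pfxfile.pfx")"
    rm -rf "$d"
}
demo
```

With a real order, the certificate and root bunch come from the delivery email instead of issue_test_cert; the other functions are used unchanged.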

PHASE 4. IMPORT YOUR PFX FILE INTO AZURE

  1. Import your pfx file into Azure by choosing SSL Certificates from the left side menu and click Upload Certificate. Select your certificate icon and enter the pfx password.
  2. Your certificate is now visible in the certificate list. Bind the certificate to your web site using Add binding.
