Use the DigiCert® Certificate Utility for Windows to create a CSR and install your SSL certificate
on your Windows Server 2016
These instructions explain how to use the DigiCert® Certificate Utility for Windows and IIS 10 to create your CSR, to install your SSL certificate, and to configure your Windows Server 2016 to use the certificate.
DigiCert® Certificate Utility for WindowsFor a simpler way to create your CSRs (Certificate Signing Requests) and install and manage your SSL certificates, we recommend that you use the DigiCert Certificate Utility. For more information about our utility, see DigiCert® Certificate Utility for Windows.
Use the instructions on this page to create your certificate signing request (CSR) and to install and configure your SSL certificate.
-
To create your certificate signing request (CSR), see Windows Server 2016: Creating Your CSR with the DigiCert Utility.
-
To install your SSL certificate, see Windows Server 2016: Using the DigiCert Utility & IIS 10 to Install and Configure Your SSL Certificate.
If you prefer not to use the DigiCert Utility or for some reason cannot use the utility, see IIS 10: Create CSR and Install SSL Certificate.
1. Windows Server 2016: Creating Your CSR with the DigiCert Utility
The DigiCert® Certificate Utility for Windows streamlines the CSR creation process enabling you to generate the CSR with just one click.
How to Create Your CSR with the DigiCert Utility
-
On your Windows Server 2016, download and save the DigiCert® Certificate Utility for Windows executable (DigiCertUtil.exe).
-
Run the DigiCert® Certificate Utility for Windows.
Double-click DigiCertUtil.
-
In the DigiCert Certificate Utility for Windows©, click SSL (gold lock), and then, click Create CSR.
-
On the Create CSR page, enter the following information:
Certificate Type: Select SSL. Common Name: Enter the fully qualified domain name (e.g., www.example.com). You may also enter the IP address. Subject Alternative Names: If you are requesting a Multi-Domain (SAN) Certificate, enter any SANs that you want to include. (e.g., www.example.com, www.example2.com, and www.example3.net) Organization: Enter your company's legally registered name (e.g., YourCompany, Inc.). Department: (Optional) Enter the department within your organization that you want to appear on the SSL certificate. City: Enter the city where your company is legally located. State: In the drop-down list, select the state where your company is legally located. If your company is located outside the USA, you can enter the applicable name in the box. Country: In the drop-down list, select the country where your company is legally located. Key Size: In the drop-down list, select 2048. Provider: In the drop-down list, select Microsoft RSA SChannel Cryptographic Provider, unless you have a specific cryptographic provider. -
Click Generate:
-
On DigiCert Certificate Utility for Windows© - Create CSR page, do one of the following, and then, click Close:
Click Copy CSR Copies the certificate contents to the clipboard. If you use this option, we recommend that you paste the CSR into a tool such as Notepad. If you forget and copy some other item, you still have access to the CSR, and don't have to go back and recreate it. Click Save to File Saves the CSR as a .txt file to the Windows Server 2016. We recommend that you use this option. -
Use a text editor (such as Notepad) to open the file. Then, copy the text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, and paste it into the DigiCert order form.
-
After you receive your SSL certificate from DigiCert, you can use the DigiCert Certificate Utility to install it.
2. Windows Server 2016: Using the DigiCert Utility and IIS 10 to Install Your SSL Certificate
If you have not yet created your CSR with the DigiCert Certificate Utility and ordered your SSL certificate, see Windows Server 2016: Creating Your CSR with the DigiCert Utility.
After DigiCert validates your order and has issues your SSL certificate, you can use the DigiCert® Certificate Utility for Windows, to install the certificate file to your Windows Server 2016. Then you can use IIS 10 to configure the server to use it.
To install your SSL certificate on your Windows Server 2016, complete the steps below.
-
Import your SSL certificate to your Windows Server 2016 using the DigiCert® Certificate Utility for Windows.
How to Import Your SSL Certificate Using the DigiCert Certificate Utility
-
Configure your Windows Server 2016 to use the SSL certificate using IIS 10.
How to Configure the Server to Use Your SSL Certificate Using IIS 10
i. How to Import Your SSL Certificate Using the DigiCert Certificate Utility
After DigiCert issues your SSL certificate, you can use the DigiCert Certificate Utility, to install the certificate file to your Windows Server 2016.
Microsoft Certificate Store Note:
When you use the DigiCert® Certificate Utility for Windows to import/install your SSL certificates on your Windows Server 2016, it will place the certificates in the Personal store instead of the Web Hosting store. If you have less then 20 to 30 certificates, this will not be a problem.
However, if you are managing 30 or more certificates you will need to move your certificates to the Web Hosting store, which was designed to scale to a greater number of certificates. See Move a Certificate from the Personal Store to the Web Hosting Certificate Store.
Importing an SSL Certificate to Your Windows Server 2016
-
On the Windows Server 2016, where you created the CSR, open the ZIP file containing your SSL certificate and save the contents of the file (e.g., your_domain_com.cer) to the folder where you saved the DigiCert Certificate Utility executable (DigiCertUtil.exe).
-
Run the DigiCert Certificate Utility.
Double-click DigiCertUtil.
-
In the DigiCert Certificate Utility for Windows©, click SSL (gold lock) and then, click Import.
-
In the Certificate Import wizard, click Browse to browse to the .cer certificate file (e.g., your_domain_com.cer) that DigiCert sent you, select the file, click Open, and then, click Next.
-
In the Enter a new friendly name or you can accept the default box, type a friendly name for the certificate.
Note: The friendly name is not part of the certificate; instead, it is used to identify the certificate.
We recommend that you add DigiCert and the expiration date to the end of your friendly name, for example: yoursite-digicert-(expiration date). This information helps identify the issuer and expiration date for each certificate. It also helps distinguish multiple certificates with the same domain name.
-
To import the SSL certificate to your server, click Finish.
-
You should receive a message that the certificate was successfully imported. You should now see your SSL certificate in the DigiCert Certificate Utility for Windows©
-
(Optional) Repeat the process as needed for each additional SSL certificate.
-
Now that you've successfully installed your SSL certificate, you need to assign the certificate to the appropriate site.
Note: If you are managing 30 or more certificates you will need to move your certificates to the Web Hosting store, which was designed to scale to a greater number of certificates. See Move a Certificate from the Personal Store to the Web Hosting Certificate Store
ii. How to Configure the Server to Use Your SSL Certificate Using IIS 10
After importing your SSL certificate to your Windows Server 2016, you must configure IIS to use the newly imported certificate to secure your website.
(Single Certificate) How to configure the server to use your SSL certificate
-
On the Windows Server 2016 where you imported your SSL certificate with the DigiCert Certificate Utility, open Internet Information Services (IIS) Manager.
In the Windows start menu, type Internet Information Services (IIS) Manager and open it.
-
In Internet Information Services (IIS) Manager, in the Connections menu tree (left pane), expand the name of the server on which the certificate was installed. Then expand Sites and click the site you want to use the SSL certificate to secure.
-
On the website Home page, in the Actions menu (right pane), under Edit Site, click the Bindings… link.
-
In the Site Bindings window, click Add.
-
In the Add Site Bindings window, do the following and then click OK:
Type: In the drop-down list, select https. IP address: In the drop-down list, select the IP address of the site or select All Unassigned. Port: Type port 443. The port over which traffic is secured by SSL is port 443. SSL certificate: In the drop-down list, select your new SSL certificate (e.g., yourdomain.com). -
Your SSL certificate is now installed, and the website configured to accept secure connections.
(Multiple Certificates) How to install your SSL certificates and configure the server to use them using SNI
If you have not imported all your SSL certificates, see How to Import Your SSL Certificate Using the DigiCert Certificate Utility.
This instruction explains how to assign multiple SSL certificates using SNI. The process is split into two parts as follows:
Assign the First SSL Certificate
Do this first set of instructions only once, for the first SSL certificate.
-
On the Windows Server 2016 where you imported your SSL certificates with the DigiCert Certificate Utility, open Internet Information Services (IIS) Manager.
In the Windows start menu, type Internet Information Services (IIS) Manager and open it.
-
In Internet Information Services (IIS) Manager, in the Connections menu tree (left pane), expand the name of the server on which the certificate was installed. Then expand Sites and click the site you want to use the SSL certificate to secure.
-
On the website Home page, in the Actions menu (right pane), under Edit Site, click the Bindings… link.
-
In the Site Bindings window, click Add.
-
In the Add Site Bindings window, do the following and then click OK:
Type: In the drop-down list, select https. IP address: In the drop-down list, select the IP address of the site or select All Unassigned. Port: Type port 443. The port over which traffic is secure by SSL is port 443. SSL certificate: In the drop-down list, select your new SSL certificate (e.g., yourdomain.com). -
Your first SSL certificate is now assigned, and the website configured to accept secure connections.
Assign All Additional SSL Certificates
To assign each additional SSL certificate, repeat the steps below, as needed.
-
In Internet Information Services (IIS) Manager, in the Connections menu tree (left pane), expand the name of the server on which the certificate was installed. Then expand Sites and click the site you want to use the SSL certificate to secure.
-
On the website Home page, in the Actions menu (right pane), under Edit Site, click the Bindings… link.
-
In the Site Bindings window, click Add.
-
In the Add Site Bindings window, do the following and then click OK:
Type: In the drop-down list, select https. IP address: In the drop-down list, select the IP address of the site or select All Unassigned. Port: Type port 443. The port over which traffic is secure by SSL is port 443. Host name: Type the host name that you want to secure. Require Server After you enter the host name, check this box. Name Indication: This is required for all additional certificates/sites, after you've installed the first certificate and secured the primary site. SSL certificate: In the drop-down list, select an additional SSL certificate (e.g., yourdomain2.com). -
You have successfully assigned another SSL certificate and configured the website to accept secure connections.
Test Installation
If your website is publicly accessible, our DigiCert® SSL Installation Diagnostic Tool can help you diagnose common problems.