
SSL Certificate Replacement Guide - IIS6

Introduction

Replace the SSL certificate bound to the Default Web site of the SecureAuth IdP Appliance using either of the methods described below, both of which follow the Microsoft standard SSL certificate request process. Review the Microsoft TechCenter Article (IIS 6.0) for more information. Contact support@secureauth.com with questions.

  • Method 1 specifically details how to replace the SSL certificate on a production appliance that cannot have a temporary outage during the certificate signing process.

  • Method 2 specifically details how to replace the SSL certificate if a temporary outage is acceptable during the certificate signing process. Depending on the certificate vendor, the certificate signing process can take from 5 minutes up to several days.

Reference: Microsoft TechCenter Article (IIS 6.0)

Important Notice

Do not delete the existing SSL certificate that was shipped with the SecureAuth IdP Appliance. This certificate is used for the encrypted communications to the SecureAuth hosted/cloud services. It is bound to the Default Web site to enable SSL services required by SecureAuth IdP during the appliance installation process, but is not required to be bound to any Web site as long as a valid SSL certificate is bound to the Default Web site.

Methods

Method 1

This process assumes the SecureAuth IdP appliance is in production and cannot tolerate a temporary service outage. Removing the current SSL certificate bound to the Default Web Site will disable SecureAuth services until an SSL Certificate is again bound to the Default Web site.

Create a new temporary website on the SecureAuth appliance.

  1. Open a remote desktop session (RDP) to the SecureAuth Appliance. Log on with the local administrator account.

  2. Open IIS Manager from the Start Menu.

  3. Expand Web Sites.

  4. Right-click "Web Sites", select "New" and then "Web Site". The Web Site Creation Wizard starts. Click the "Next" button to continue.

  5. Enter "Temp" or some name for the "Description" of the new web site.

  6. Do not change the value in the "Enter the IP Address to use for this web site:" field (All Unassigned).

  7. Change the value in the "TCP port this Web site should use:" from 80 to 8080, or another unused port number.

  8. Leave blank the value for "Host header for this Web site" and click the "Next" button.

  9. Enter "C:\" for the "home directory path".

  10. Uncheck "Allow anonymous access to this Web site" and click the "Next" button.

  11. Accept the Default value "Read" on the "Web Site Access Permissions" dialog and click the "Next" button.

  12. Click the "Finish" button.

Create a new Certificate Request

  1. Right-click the newly created site and select "Properties".

  2. In the Secure Communications Section of the Directory Security Tab, select the "Server Certificate" button and then click the "Next" button.

  3. Select the radio button next to "Create a new Certificate" and click the "Next" button.

  4. The radio button next to "Prepare the request now, but send it later" will be selected (only option available). Click the "Next" button.

  5. Enter the FQDN of the certificate to be created, set the bit length, and click the "Next" button.

  6. Enter the Organization and Org Unit information, and then click the "Next" button.

  7. Enter the FQDN of the certificate as the Common Name and click the "Next" button.

  8. Enter the Geographical Information (no abbreviations) and click the "Next" button.

  9. The location and name of the certificate request file can be defined here. Click the "Next" button to select the default "C:\certreq.txt" or enter the preferred name and location.

  10. Review the Request File Summary, and then click the "Next" and "Finish" buttons to complete the request creation.

Process the request

  • Process the certificate request with the preferred certificate provider. Once the response/signed request has been received, copy the certificate blob back to the Appliance. It is recommended to place the signed response in the same location as the request file and make sure it has a .CER extension.

Process the signed response on the SecureAuth Appliance (Install the new Certificate).

  1. Open IIS Manager from the Start Menu.

  2. Expand Web Sites and select the temporary Web Site created in the "Create a new temporary website on the SecureAuth appliance" section above.

  3. View the Properties of the Web Site.

  4. Select the Directory Security Tab.

  5. In the Secure Communications Section of the Directory Security Tab, click the "Server Certificate" button and then click the "Next" button.

  6. Select the radio button next to "Process the pending request and install the certificate" and click the "Next" button.

  7. Browse to the "response" file with the .CER extension and click the "Next" button.

  8. Define the port. SecureAuth recommends using an unused port such as 4433. Click the "Next" button.

  9. Review the Certificate summary and click the "Next" button.

  10. The certificate is now installed on the Temporary Web Site. Verify the certificate chain is present, otherwise the certificate will not be trusted.

Warning

IMPORTANT: The following steps will cause a short outage of SecureAuth services.

Remove the Current SecureAuth Corporation Signed Certificate from the Default Web Site

  1. RDP to the SecureAuth Appliance. Log on with the local administrator account.

  2. Open IIS Manager from the Start Menu.

  3. Expand Web Sites and select Default Web Site.

  4. View the Properties of the Default Web Site.

  5. Select the Directory Security Tab.

  6. In the Secure Communications Section of the Directory Security Tab, select the "Server Certificate" button and click the "Next" button.

  7. Select the radio button next to "Remove the current certificate", click the "Next" button twice, and then click "Finish".

Assign the new SSL Certificate to the Default Web Site

  1. RDP to the SecureAuth Appliance. Log on with the local administrator account.

  2. Open IIS Manager from the Start Menu.

  3. Expand Web Sites and Select Default Web Site.

  4. View the Properties of the Default Web Site.

  5. In the Secure Communications Section of the Directory Security Tab, select the "Server Certificate" button and click the "Next" button.

  6. Select the radio button next to "Assign an existing certificate" and click the "Next" button.

  7. Select the new SSL Certificate from the "Available Certificate" list and click the "Next" button.

  8. Define the port. Default and recommended is 443. Click the "Next" button.

  9. Review the Certificate summary, and then click the "Next" button and the "Finish" button.

  10. In the Secure Communications Section of the Directory Security Tab, select the "View Certificate" button to verify the certificate is now installed and the certificate chain is present, otherwise the certificate will not be trusted.

Set additional SSL Identity in NAT environments if required

If the Appliance is configured on the internal network and a NAT rule is used for client traffic from the Internet, it is recommended that an additional SSL Identity be defined for Local Host using port 443.

  1. Open IIS Manager from the Start Menu.

  2. Expand Web Sites and Select Default Web Site.

  3. View the Properties of the Default Web Site.

  4. Select the Web Site Tab.

  5. Select the "Advanced" button in the Web site identification section.

  6. Select the "Add" button at the bottom of the "Multiple SSL Identities for this Web site" section.

  7. Enter 127.0.0.1 in the "IP Address:" field.

  8. Enter 443 in the "SSL Port:" field.

  9. Click the "OK" button to close the Add/Edit Web Site SSL ID dialog.

  10. Click the "OK" button to close the Advanced Web Site Identification dialog.

  11. Click the "OK" button to close the Default Web Site Properties dialog.

Method 2

This process assumes the SecureAuth IdP appliance is not in production and a temporary service outage during the certificate signing process is acceptable. Removing the current SSL certificate bound to the Default Web Site will disable SecureAuth services until an SSL Certificate is again bound to the Default Web site.

Remove the Current SecureAuth Signed Certificate from the Default Web Site

  1. Open a remote desktop session (RDP) to the SecureAuth Appliance. Log on with the local administrator account.

  2. Open IIS Manager from the Start Menu.

  3. Expand Web Sites and select Default Web Site.

  4. View the Properties of the Default Web Site.

  5. Select the Directory Security Tab.

  6. In the Secure Communications Section of the Directory Security Tab, select the "Server Certificate" button and click the "Next" button.

  7. Select the radio button next to "Remove the current certificate", click the "Next" button twice and then click "Finish".

Create a new Certificate Request

  1. In the Secure Communications Section of the Directory Security Tab, click the "Server Certificate" button and then click the "Next" button.

  2. Select the radio button next to "Create a new Certificate" and click the "Next" button.

  3. The radio button next to "Prepare the request now, but send it later" will be selected (only option available). Click the "Next" button.

  4. Enter the FQDN of the certificate to be created, set the bit length, and click the "Next" button.

  5. Enter the Organization and Org Unit information, and then click the "Next" button.

  6. Enter the FQDN of the certificate as the Common Name and click the "Next" button.

  7. Enter the Geographical Information (no abbreviations) and click the "Next" button.

  8. The location and name of the certificate request file can be defined here. Click the "Next" button to select the default "C:\certreq.txt" or enter the preferred name and location.

  9. Review the Request File Summary and click the "Next" and "Finish" buttons to complete the request creation.

Process the request

  • Process the certificate request with the preferred certificate provider. Once the response/signed request has been received, copy the certificate blob back to the Appliance. It is recommended to place the signed response in the same location as the request file and make sure it has a .CER extension.

Process the signed response on the SecureAuth Appliance (Install the new Certificate)

  1. Open IIS Manager from the Start Menu.

  2. Expand Web Sites and select Default Web Site.

  3. View the Properties of the Default Web Site.

  4. Select the Directory Security Tab.

  5. In the Secure Communications Section of the Directory Security Tab, click the "Server Certificate" button and then click the "Next" button.

  6. Select the radio button next to "Process the pending request and install the certificate" and click the "Next" button.

  7. Browse to the "response" file with the .CER extension and click the "Next" button.

  8. Define the port. Default and recommended is 443. Click the "Next" button.

  9. Review the Certificate summary and click the "Next" button.

  10. The certificate is now installed on the Default Web Site. Verify the certificate chain is present, otherwise the certificate will not be trusted.
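The chain check in the last step of either method (on the temporary site in Method 1, on the Default Web Site here) can also be done from a PowerShell prompt on the appliance or any Windows admin workstation. The script below is an added example, not part of the original guide or SecureAuth's tooling; the FQDN, host and port values are placeholders, and it mirrors the Certification Path tab by building the chain against the local trust store.

```powershell
# Added example (not from the guide): connect to an SSL identity on the appliance,
# capture the certificate it serves, and report whether the name matches the CSR FQDN
# and whether the chain builds to a trusted root. PowerShell 2.0 compatible.
param(
    [string]$Fqdn       = "idp.example.com",  # placeholder: CN requested in the CSR
    [string]$TargetHost = "idp.example.com",  # placeholder: use 127.0.0.1 to test the loopback identity
    [int]$Port          = 443                 # 443 for the Default Web Site, 4433 for the Method 1 temp site
)

# Accept whatever the server sends during the handshake; trust is evaluated separately below
# so the reason for an untrusted chain (PartialChain, UntrustedRoot, ...) can be reported.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }

$client = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
$ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
try {
    # Handshake using the FQDN as the target name, as a real client would.
    $ssl.AuthenticateAsClient($Fqdn)
    # Copy the leaf before the stream is closed so the handle stays valid.
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
} finally {
    $ssl.Close()
    $client.Close()
}

# Build the chain the same way the "View Certificate" Certification Path tab does.
# Run from a client that does not hold the intermediate locally to confirm the server supplies it.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($leaf)

# SAN DNS name if present, otherwise the CN; this is what clients compare against the URL host.
$dnsName = $leaf.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

New-Object PSObject -Property @{
    Endpoint     = "$TargetHost`:$Port"
    Subject      = $leaf.Subject
    Issuer       = $leaf.Issuer
    DnsName      = $dnsName
    NameMatches  = ($dnsName -eq $Fqdn)
    NotAfter     = $leaf.NotAfter
    Thumbprint   = $leaf.Thumbprint
    ChainTrusted = $chainOk
    ChainStatus  = (($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join "; ")
}
```

A ChainStatus of PartialChain means the issuing intermediate was neither served nor installed, which is the "chain not present" condition the guide warns about; NameMatches false means the CSR Common Name does not match the name clients will use.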

Set additional SSL Identity in NAT environments if required

If the Appliance is configured on the internal network and a NAT rule is used for client traffic from the Internet, it is recommended that an additional SSL Identity be defined for Local Host using port 443.

  1. Open IIS Manager from the Start Menu.

  2. Expand Web Sites and Select Default Web Site.

  3. View the Properties of the Default Web Site.

  4. Select the Web Site Tab.

  5. Click the Advanced button in the Web site identification section.

  6. Click the "Add" button at the bottom of the "Multiple SSL Identities for this Web site" section.

  7. Enter 127.0.0.1 in the "IP Address:" field.

  8. Enter 443 in the "SSL Port:" field.

  9. Click the "OK" button to close the Add/Edit Web Site SSL ID dialog.

  10. Click the "OK" button to close the Advanced Web Site Identification dialog.

  11. Click the "OK" button to close the Default Web Site Properties dialog.