SSL Certificates, Tips for Microsoft IIS Users
Certificate CSR generation and install tips for Microsoft IIS Users
First, perform the Root and Intermediate Certificate installation via MMC using the instructions located here. Then, install your server certificate using the instructions provided on the Comodo website for IIS 5.x/6.x, IIS 7.x, or IIS 8.x.
Tips for IIS users:
- Some users who have Windows Server 2012 or 2008 and IIS7 installed report issues when simply choosing "renew" in IIS to auto-generate their CSRs. The symptom of this issue is the generation of an extra-long CSR that is unreadable by the vendor. The workaround for this is to choose "Create new" and then import and register the new certificate.
- IIS requires a restart to ensure it is able to serve the full certificate chain correctly. Users have reported success with import a single combined .cer file into IIS that includes the machine certificate, intermediates, and root (in that order). The order is necessary to ensure proper installation.
- IIS does not support creating SAN CSR's through its wizard, but this can be accomplished using the built-in certificate tool in Windows and/or the OCS interface where applicable.
- Some campus ITPros have noticed that new SHA-2 certificates issued by the Technology Service Certificate Manager may experience problems with Firefox clients when used on certain Windows servers. This results from Firefox not having the new "USERTrust RSA Certification Authority" in the Root CA store. In order to make this work correctly with Firefox, until the new CA certificate is added to their store, the "USERTrust RSA Certification Authority" must be imported into the server's intermediate certificate store, using the version available above and REMOVED from the root certificate store. (This is in addition to the "InCommon RSA Server CA" intermediate certificate, which must also be placed into the intermediate store.) This will cause the server to serve the USERTrust certificate as an intermediate that is signed by the "AddTrust External CA Root", which is a trusted certificate in the Firefox store. Failure to remove the certificate from the server's root store, if present, will lead the server not to transmit the certificate, even if it is listed in the intermediate store.