Microsoft KB Archive/329508

= How to install a server certificate after a pending request has been deleted in IIS 5.0 =

Article ID: 329508

Article Last Modified on 3/28/2007

-

APPLIES TO


 * Microsoft Internet Information Services 5.0

-



This article was previously published under Q329508





SUMMARY
This step-by-step article describes how to install a server certificate that you have obtained from a certification authority (such as VeriSign or Thawte) after you have accidentally deleted a pending request for the certificate in Internet Service Manager.

This problem occurs when you generate a certificate request, but the pending requested is deleted before the Web server certificate that you have received from the certification authority is installed. When this occurs and you click Server Certificate on the Directory Security tab of that Web site to install the certificate, the Process the pending request and install the certificate option is not available, and you cannot process the pending request and install the certificate.

Requirements
To install the Web server certificate that you have obtained from a certification authority such as VeriSign after you have accidentally deleted the pending request, you must have a backup of the private key of the certificate request before the pending request is deleted.

Back up the private key of the pending request

 * 1) Click Start, click Run, and then type mmc.
 * 2) Click Console, and then click Add/Remove Snap-in.
 * 3) Click Add, select Certificates, and then click Add.
 * 4) When the Certificates snap-in opens, click Computer Account, and then click Next.
 * 5) Select Local Computer, and then click Finish.
 * 6) In the Add Standalone Snap-in window, click Close, and then click OK.
 * 7) Under Console Root, expand Certificates (Local Computer).
 * 8) Look for a folder that is named Certificate Enrollment Requests. Under that folder, you can see the Certificates folder. You can see the corresponding key for the certificate request key that you made earlier.
 * 9) Select the key that you want to back up.
 * 10) Right-click the key, click All Tasks, and then click Export.
 * 11) When the Certificate Export Wizard starts, click Next on the Welcome page.
 * 12) Select Yes, export the private key, and then click Next.
 * 13) On the Export File Format page, accept the default settings, and then click Next. Note that Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above) is selected.
 * 14) Type and confirm a password for the private key, and then click Next.
 * 15) On the File to Export page, save the key (which is a .pfx file) on a set location, and then click Next. It is important to make a copy of the private key that does not reside on the actual server in case the server crashes.
 * 16) Click Finish. You receive a message that states that the export was successful.

Note If you do not have the backup of the private key of the pending request, you must make a new certificate request, because there is no way to install the certificate for the corresponding request.

Import the backup copy of the private key of the pending request
If you have a backup copy of the private key of the pending request, follow these steps to import the private key:
 * 1) Click Start, click Run, and then type mmc.
 * 2) Click Console, and then click Add/Remove Snap-in.
 * 3) Click Add, select Certificates, and then click Add.
 * 4) When the Certificates snap-in opens, select Computer Account, and then click Next.
 * 5) Select Local Computer, and then click Finish.
 * 6) In the Add Standalone Snap-in window, click Close, and then click OK.
 * 7) Under Console Root, expand Certificates (Local Computer).
 * 8) Look for a folder that is named Certificate Enrollment Requests. Under that folder, you can see the Certificates folder.
 * 9) Right-click the Certificates folder, click All Tasks, and then click Import.
 * 10) When the Certificate Import Wizard starts, click Next.
 * 11) Locate and select the private key (.pfx) file of the pending request that you backed up, and then click Next.
 * 12) Type the password for the private key (this is the password that you specified when you backed up the private key for the pending request), and then select Mark the Private key as exportable. Click Next.
 * 13) Select Place all certificates in the following store. Make sure that the default certificate store is Certificate Enrollment Requests, and then click Next.
 * 14) On the Completing the Certificate Import Wizard page, click Finish. You receive a message that tells you that the import was successful.

The private key of your pending request (that you may have deleted earlier) is now restored.

Install or import the certificate .cer file for the corresponding private key of the certificate request
To install the certificate (that is, the .cer file that you have received from the certification authority), follow these steps:
 * 1) Click Start, click Run, and then type mmc.
 * 2) Click Console, and then click Add/Remove Snap-in.
 * 3) Click Add, select Certificates, and then click Add.
 * 4) When the Certificates snap-in opens, select Computer Account, and then click Next.
 * 5) Select Local Computer, and then click Finish.
 * 6) In the Add Standalone Snap-in window, click Close, and then click OK.
 * 7) Under Console Root, expand Certificates (Local Computer).
 * 8) Look for a folder named Personal. Under this folder, you can see the Certificates folder.
 * 9) Right-click the Certificates folder, click All Tasks, and then click Import.
 * 10) When the Certificate Import wizard starts, click Next.
 * 11) Click Browse, and then change the Files of type option to X.509 Certificate (*.cer,*.crt) to view your .cer file. Select your file, click Open, and then click Next.
 * 12) Select Place all certificates in the following store, make sure that the default certificate store is Personal, and then click Next. When you receive a message that says that the import was successful, double-click the certificate file that you just imported and verify that the dates are valid. You have a private key that corresponds to this certificate.

Assign the certificate to the Web site
To use the certificate for your Web site, you must assign the certificate to your Web site.
 * 1) Click Start, point to Programs, select Administrative Tools, and then click Internet Services Manager.
 * 2) Expand the server name, select and right-click the Web site that you want to assign the certificate to, and then click Properties.
 * 3) On the Directory Security tab, click Server Certificate.
 * 4) When the Web Server Certificate Wizard starts, click Next.
 * 5) Select Assign an existing certificate, and then click Next.
 * 6) Select the certificate that you have just installed, click Next, and then click Finish.
 * 7) Click the Web site tab and make sure that SSL Port is set to 443.

