Check Certificate using OpenSSL & How to Add SSL Certificate to IIS

Ensuring your website’s SSL/TLS certificate is valid, correctly configured, and properly installed is crucial for security and user trust. For administrators who prefer the command line or need detailed information, checking a certificate with OpenSSL gives a precise view of what is actually deployed. After verification, the practical next step is often to add the SSL certificate to IIS (Internet Information Services) on your Windows Server, either to enable HTTPS or to update an existing binding.

This guide covers both essential tasks. We’ll show you how to leverage the power of OpenSSL to inspect certificate details and then provide a clear, step-by-step process for adding an SSL certificate within IIS Manager, ensuring your website benefits from secure encryption provided by certificates from trusted sources like sslrepo.com.

Key Takeaways

  • OpenSSL for Verification: A versatile command-line tool for checking certificates, examining details like issuer, subject, expiration dates, and SANs from remote servers or local files.
  • Adding Certificates to IIS: Adding an SSL certificate to IIS typically involves importing the certificate (often as a .pfx file containing the private key) using IIS Manager.
  • Prerequisites for Adding: You need the certificate file(s) and, crucially, the corresponding private key. For IIS, importing a .pfx is often the easiest way.
  • IIS Manager: The primary graphical tool on Windows Server for managing certificates (importing, viewing) and configuring website bindings.
  • Binding is Essential: After importing/adding the certificate to the server store, it must be bound to the specific website(s) on port 443 in IIS to activate HTTPS.
  • Verification Post-Install: Always verify the installation using browser checks, online tools, or OpenSSL after adding the certificate.

Part 1: How to Check Certificate using OpenSSL

OpenSSL offers granular control for inspecting certificates. Here are common scenarios:

1. Checking the Certificate of a Live Website (Remote Server)

This connects to the server and displays the certificate it presents for HTTPS.

openssl s_client -connect yourdomain.com:443 -servername yourdomain.com | openssl x509 -noout -text

  • -connect yourdomain.com:443: Target server and port. Replace yourdomain.com with your own domain.
  • -servername yourdomain.com: Essential for SNI (Server Name Indication) to get the correct certificate on shared IPs.
  • | openssl x509 -noout -text: Pipes the certificate data to the x509 utility to display it in readable text.

Useful variations:

  • Check validity dates: Replace -text with -dates
  • Check subject (CN, Org): Replace -text with -subject
  • Check issuer: Replace -text with -issuer

2. Checking a Local Certificate File (.crt, .cer, .pem)

If you have the certificate file:

openssl x509 -in /path/to/certificate.crt -noout -text

  • -in /path/to/certificate.crt: Path to your certificate file.
  • Use the -dates, -subject, or -issuer flags as needed.

3. Checking a PFX File (.pfx, .p12)

PFX files contain the certificate(s) and private key.

openssl pkcs12 -info -in /path/to/certificate.pfx

  • -info: Displays contents.
  • -in /path/to/certificate.pfx: Path to your PFX file.
  • You’ll likely need to enter the PFX password.

What to look for: Common Name (CN), Subject Alternative Names (SANs), Issuer, Valid From/To dates (notBefore/notAfter), Public Key Algorithm/Size. Using OpenSSL helps confirm you have the correct certificate before attempting to add it to IIS.
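
The checks listed above can be scripted so they run before every import. The following is an added example, not part of the original guide: it assumes OpenSSL 1.1.1 or later, and the function names, the example.test host names, the file names and the password are all constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-import checks with OpenSSL (1.1.1 or later assumed).
# Every file name, host name and password here is a constructed sample.

# 0 if HOST matches the certificate's SANs/CN (OpenSSL handles wildcards).
cert_covers_host() {    # CERT HOST
    openssl x509 -in "$1" -noout -checkhost "$2" |
        grep -q 'does match certificate'
}

# 0 if the certificate will still be valid DAYS from now.
cert_valid_for_days() {    # CERT DAYS
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# 0 if the private key's public half equals the certificate's public key.
key_matches_cert() {    # CERT KEY
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Split a PFX into certificate and key PEM files. The password comes from
# $PFX_PASS so it stays out of the process list; umask keeps the key private.
pfx_unpack() {    # PFX CERT_OUT KEY_OUT
    ( umask 077
      openssl pkcs12 -in "$1" -passin env:PFX_PASS -clcerts -nokeys -out "$2" 2>/dev/null &&
      openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts -nodes -out "$3" 2>/dev/null )
}

# Build constructed sample material: a 30-day self-signed certificate with
# two SANs, its key, an unrelated key, and a PFX bundling certificate and key.
make_samples() {    # DIR
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=www.example.test" \
        -addext "subjectAltName=DNS:www.example.test,DNS:example.test" \
        -keyout "$1/site.key" -out "$1/site.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/site.key" -in "$1/site.crt" \
        -passout env:PFX_PASS -out "$1/site.pfx"
}

# Demo run on the constructed samples.
export PFX_PASS='constructed-sample-password'
d=$(mktemp -d) && make_samples "$d" && pfx_unpack "$d/site.pfx" "$d/c.pem" "$d/k.pem"
cert_covers_host "$d/c.pem" example.test && echo "host covered"
cert_valid_for_days "$d/c.pem" 60 || echo "expires within 60 days"
key_matches_cert "$d/c.pem" "$d/other.key" || echo "other.key does not match"
rm -rf "$d"
```

Delete the unpacked key file as soon as the checks finish; it is written without a passphrase.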

Part 2: How to Add an SSL Certificate to IIS

Once you have your SSL certificate files (and you’ve ideally checked them), you need to add the certificate to your Windows Server’s certificate store and make it available to IIS.

Prerequisites:

  • Certificate Files: You need the server certificate (.crt, .cer) and any necessary intermediate certificates (.crt, .ca-bundle).
  • Private Key: You need the private key that corresponds to the server certificate.
  • Common Scenario: Often, especially when moving certificates or restoring backups, you’ll have these bundled together in a password-protected .pfx file. Importing a PFX is generally the most straightforward way to add both the certificate and its private key to IIS.

Steps to Add SSL Certificate using IIS Manager (Focusing on PFX Import):

  1. Save PFX File: Place the .pfx file onto an accessible location on your IIS server (e.g., C:\Certificates).
  2. Open IIS Manager: Launch Internet Information Services (IIS) Manager.
  3. Navigate to Server Certificates: In the Connections pane, click the server name (top node). In the center pane, double-click Server Certificates under the IIS section.
  4. Import the PFX: In the Actions pane on the right, click Import….
  5. Specify PFX File and Password:
    • Certificate file (.pfx): Click the ... button and browse to select your .pfx file.
    • Password: Enter the password that was used to protect the .pfx file when it was created/exported.
    • Select Certificate Store: Choose Personal or Web Hosting. “Web Hosting” is often preferred on newer systems, but “Personal” is the traditional store.
    • (Optional) Check “Allow this certificate to be exported” if you might need to export it again later from this server.
    • Click OK.
    The certificate should now appear in the list of Server Certificates.

Alternative: Completing a Certificate Request

If you generated the CSR on this server and received back a .crt file from the CA (instead of having a PFX), you would use the Complete Certificate Request… action instead of “Import…”. You’d provide the .crt file and a Friendly Name. IIS attempts to match this with the pending private key from the CSR generation.

Crucial Next Step: Binding the Certificate to Your Website

Adding the certificate to the store makes it available, but IIS doesn’t know which website should use it until you create an HTTPS binding.

  1. Navigate to Your Site: In the Connections pane, expand Sites and click on the specific website you want to secure.
  2. Open Bindings: In the Actions pane, click Bindings….
  3. Add or Edit HTTPS Binding:
    • Add: If no HTTPS binding exists, click Add….
      • Type: Select https.
      • IP address: Choose “All Unassigned” or a specific IP.
      • Port: Enter 443.
      • Host name: (Optional, for SNI) Enter the hostname (e.g., www.yourdomain.com).
      • SSL certificate: From the dropdown, select the certificate you just imported (identified by its domain or Friendly Name).
      • Click OK.
    • Edit: If an HTTPS binding already exists (e.g., you’re replacing an old certificate), select the https entry and click Edit…. Simply select the new certificate from the SSL certificate dropdown and click OK.
  4. Close the Site Bindings window.

Step 3: Verification

After adding and binding the certificate:

  1. Restart Website (Optional): Right-click the website in IIS Manager and go to Manage Website > Restart.
  2. Browser Test: Open a browser (clear cache or use incognito mode) and navigate to https://yourdomain.com. Check for the padlock icon and ensure no errors appear. Click the padlock to verify the details of the new certificate.
  3. Online SSL Checker: Use a tool like Qualys SSL Labs to perform a comprehensive check of your installation.
  4. OpenSSL Check (Again!): Use the openssl s_client command shown earlier to verify the server is presenting the newly added certificate.
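
For the OpenSSL check in step 4, comparing fingerprints is more reliable than reading the text output by eye. This added example (not from the original guide) compares the certificate a server presents with the file you expect; the function names, port number and localhost certificates are constructed, and a throwaway local openssl s_server stands in for the IIS site so the script runs offline.

```shell
#!/bin/sh
# Added example: confirm a server presents the certificate that was just bound.
# Function names, the port and the localhost certificates are constructed.

# SHA-256 fingerprint of a PEM certificate file.
file_fingerprint() {    # CERT
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the leaf certificate served for an SNI name.
served_fingerprint() {    # HOST:PORT SNI_NAME
    openssl s_client -connect "$1" -servername "$2" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# 0 only if the server presents exactly the expected certificate.
server_presents_cert() {    # HOST:PORT SNI_NAME CERT
    want=$(file_fingerprint "$3")
    got=$(served_fingerprint "$1" "$2")
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Self-signed localhost certificate and key (constructed sample).
new_cert() {    # NAME_PREFIX
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Offline demo: a throwaway local server plays a site whose binding still
# points at the old certificate. Prints which certificate it presents.
demo() {    # PORT
    d=$(mktemp -d) && new_cert "$d/old" && new_cert "$d/new" || return 2
    openssl s_server -accept "127.0.0.1:$1" -cert "$d/old.crt" \
        -key "$d/old.key" -www >/dev/null 2>&1 &
    srv=$!
    sleep 1
    result=unknown
    server_presents_cert "127.0.0.1:$1" localhost "$d/new.crt" && result=new
    server_presents_cert "127.0.0.1:$1" localhost "$d/old.crt" && result=old
    kill "$srv" 2>/dev/null || true
    wait "$srv" 2>/dev/null || true
    rm -rf "$d"
    echo "$result"
}

demo 44330    # the binding was never switched, so this prints: old
```

Against a real site, call server_presents_cert yourdomain.com:443 yourdomain.com /path/to/certificate.crt and treat a non-zero exit as "the binding is not serving this certificate".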

Conclusion

OpenSSL is an indispensable tool for checking certificates, providing detailed verification before and after installation. Adding an SSL certificate to IIS is straightforward using IIS Manager, especially when importing a .pfx file. Remember that adding the certificate to the server store is only half the battle; correctly binding it to your website on port 443 is essential to enable HTTPS. Always verify your installation thoroughly to ensure seamless security for your users.

Need a new SSL certificate or looking to renew? Find a wide range of trusted options at sslrepo.com.

Frequently Asked Questions (FAQ)

Q1: Can I use OpenSSL to add a certificate to IIS?
A: No. OpenSSL is primarily used for generating CSRs, managing keys, converting formats, and checking certificates. Adding/installing certificates into the Windows store and binding them in IIS requires using Windows tools like IIS Manager, PowerShell (Import-PfxCertificate, New-WebBinding), or certutil.exe.

Q2: I imported the PFX file, but my site still shows the old certificate. What’s wrong?
A: You most likely forgot to bind the newly imported certificate to your website’s HTTPS binding (port 443) in IIS Manager. Go to Site Bindings, edit the HTTPS entry, and select the new certificate from the dropdown.

Q3: What’s the difference between “Import…” and “Complete Certificate Request…” in IIS Server Certificates?
A: Import… is primarily used for .pfx files, which already contain both the certificate and the private key. Complete Certificate Request… is used when you generated a CSR on that server and received back only the public certificate (.crt/.cer) from the CA; this action pairs the received certificate with the pending private key stored by IIS.

Q4: Can I check the certificate details directly within IIS Manager?
A: Yes. Double-clicking a certificate listed in the “Server Certificates” section will open the Windows certificate viewer, showing details like the subject, issuer, expiration date, and certification path. OpenSSL often provides more detailed cryptographic information in a text format.

Q5: My PFX import failed in IIS. What could be the cause?
A: Common causes include:
  • Incorrect password for the PFX file.
  • The PFX file is corrupted.
  • Insufficient permissions for the user performing the import.
  • Issues with the certificate store itself.

Q6: Do I need intermediate certificates when adding a certificate via PFX?
A: Often, when a PFX is created correctly (using the -certfile option in OpenSSL or checking “Include all certificates…” during MMC export), the intermediate certificates are already bundled within the PFX file. If not, you may need to install them separately into the “Intermediate Certification Authorities” store on the server.
