A. If you have Certificate Services installed in your Active Directory (AD) forest, enabling HTTPS traffic on a Web server is a simple exercise. To do so, perform these steps:
- Log on to the Web server as an account with local Administrator privileges (to allow certificates to be installed into the computer's local certificate store).
- Start the Internet Information Services Manager (Start, Programs, Administrative Tools, Internet Information Services--IIS--Manager).
- Expand Web Sites and right-click the Web site for which you want to enable HTTPS communication (e.g., Default Web Site) and select Properties.
- Select the Directory Security tab and click Server Certificate, as Figure 2 shows.
- Click Next on the "Welcome to the Web Server Certificate Wizard" page.
- Select "Create a new certificate" and click Next.
- Choose whether to submit the request immediately or prepare a request to be submitted later. If the CA is correctly configured in the AD forest, select "Send the request immediately to an online certificate authority" and click Next.
- Enter a friendly name for the certificate (e.g., Exchange Web Server SSL), as Figure 3 shows. Leave the default cryptographic service provider (CSP), but choose a bit length of at least 2048; the wizard's default is shorter than current browsers and CA policies accept. Click Next.
- Enter the organization's name and unit (e.g., SavillTech and IT) and click Next.
- Enter the common name (CN) of the certificate. This must be the exact host name users will type to reach the Web site (e.g., savdalex01.savilltech.com); if the name in the certificate doesn't match the name in the URL, every browser will raise a warning. Click Next.
- Enter the Country, State, and City and click Next.
- You'll be prompted for the port to be used for Secure Sockets Layer (SSL). Leave it as the default (443) and click Next.
- You'll see a list of CAs known to AD. Select one and click Next.
- You'll see a confirmation of the certificate request. Click Next.
- The screen displays a success message. Click Finish. After the certificate is installed, Web clients will be able to use HTTPS.
If you have concerns with this approach, you can use the Web-based enrollment method. (I know of people who were unable to get this auto enrollment process to work. Usually this occurs because firewall or server-side configuration issues on the certificate server prevent remote procedure call (RPC) from being available):
- Log on to the IIS server.
- Go to http://
- Click "Request a certificate."
- Click "Advanced certificate request."
- Click "Create and submit a request to this CA."
- Complete the Certificate Template form, ensuring that the Certificate Template is set to Web Server and the "Store certificate in the local computer certificate store" check box is selected, as Figure 4 shows. The Name field needs to match how the clients will connect to the server (the server part of the URL).
- Click Submit.
- Click Yes to the security warning.
- You'll see a new Web page. Select "Install this certificate" and click Yes to the security warning.
- You'll see a message saying the certificate was successfully installed.
You can now click the Server Certificate button on the Directory Security tab of the Web site's properties, select "Assign an existing certificate," and pick the certificate you just installed.
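As an added example (not part of the original article), here is the same enrollment done from the command line with certreq.exe, which ships with Windows: it generates the request in the computer's certificate store, submits it to the online enterprise CA over the same RPC/DCOM path the wizard uses, installs the issued certificate, and then checks what the site actually serves on port 443. The server name is the article's savdalex01.savilltech.com; the CA configuration string, the O/OU/locality values and the temp folder are assumed placeholders. The account running it needs local Administrator rights on the Web server and Enroll permission on the Web Server template, and PowerShell must be installed on the server.

```powershell
# Added example, not the article's own procedure. Assumed values are marked.
$Fqdn     = 'savdalex01.savilltech.com'     # name from the article
$CaConfig = 'SAVDALDC01\SavillTech-CA'      # ASSUMED; find yours with: certutil -dump
$Work     = Join-Path $env:TEMP 'webssl'     # assumed scratch folder
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Request file. MachineKeySet=TRUE is the equivalent of the "Store certificate
#    in the local computer certificate store" check box. KeySpec=1 and KeyUsage
#    0xA0 (digital signature + key encipherment) are what SSL/TLS needs.
#    A Subject Alternative Name is added because current browsers ignore the CN
#    and reject certificates that carry no SAN.
@"
[NewRequest]
Subject = "CN=$Fqdn, OU=IT, O=SavillTech, L=City, S=State, C=US"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = WebServer
[Extensions]
2.5.29.17 = "{text}dns=$Fqdn"
"@ | Set-Content -Path "$Work\request.inf" -Encoding ASCII

# 2. Create the key and CSR, submit to the CA, then install the issued
#    certificate and bind it to the private key. If -submit fails with an RPC
#    error, the CA is not reachable over DCOM/RPC; use the Web enrollment pages
#    described above instead.
certreq -new    "$Work\request.inf" "$Work\request.req"
certreq -submit -config $CaConfig "$Work\request.req" "$Work\cert.cer"
certreq -accept "$Work\cert.cer"

# 3. Confirm the certificate is in the computer store, has its private key and
#    carries the expected name; this is the one to pick under
#    "Assign an existing certificate" in the IIS wizard.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$Fqdn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No machine certificate with a private key for $Fqdn" }
"Installed: $($cert.Thumbprint)  expires $($cert.NotAfter)"

# 4. After assigning it in IIS, check from a client that port 443 serves this
#    certificate and that the name and chain validate; AuthenticateAsClient
#    throws on a name mismatch or an untrusted issuer, exactly what a browser
#    would warn about.
$tcp = New-Object Net.Sockets.TcpClient($Fqdn, 443)
$ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($Fqdn)
    $served = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "Served: $($served.Subject) issued by $($served.Issuer)"
    if ($served.Thumbprint -ne $cert.Thumbprint) {
        Write-Warning 'IIS is serving a different certificate than the one just installed'
    }
} finally {
    $ssl.Dispose()
    $tcp.Dispose()
}
```

Step 4 is worth keeping as a routine check: it catches the two most common mistakes in this procedure, a CN that doesn't match the URL and a site still bound to an old or self-signed certificate.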