How to add an SSL certificate to IIS in Windows Server 2008 R2

It's something I do without really thinking about: just get another certificate and add it to the server so that the website loads with https:// instead of http://.

I have used lots of different SSL providers, however I have found that the most reliable and easy to use is www.trustico.co.uk and their customer service and support is exceptional.

I will try to make this as step-by-step as I possibly can so that it’s easy to follow.

Part 1 – Creating the certificate request

1. Open the IIS (Internet Information Services) Manager

2. Click on the server name on the left hand side and then double-click on Server Certificates

3. On the right-hand-side of the server certificates section, click on Create Certificate Request

4. The Request Certificate wizard is displayed. The Common Name is the website address (the hostname in the URL) that you are going to secure with SSL. In this example, I am creating a certificate for one of our systems, Good Morning Pulse.

There are two main types of certificate, single and wildcard. A single certificate is for a single site (e.g. https://www.google.co.uk), a wildcard certificate is for multiple sub-domains at the same domain (e.g. https://maps.google.co.uk AND https://places.google.co.uk … and as many other sub-domains as you can think of) without having to purchase separate certificates for each sub-domain.

The only REALLY important part of this is the common name.

Click on Next to continue

5. Change the Bit length to 2048 or higher. A note of caution on this: if you choose a really high bit length, the volume (size in KB) of everything sent to and from your website increases significantly, but it is more secure.

You should not choose any setting lower than 2048. As of October 2013, all 1024-bit certificates have been revoked and 2048 is the new standard.

6. Next we choose a place to put the certificate request (just a plain text file). I normally put this on the Windows Desktop so that it is easy to find a few steps later.

Click on the button to choose the location

Give the file a name. I normally call it “certReq” (Certificate Request) just so I know what it is. If a file with that name already exists, it will be overwritten.

Click on the Open button to select the file (it will be created if it does not already exist)

Click on Finish to complete the certificate request process

Part 2 – Submitting and creating the SSL certificate

1. Open the certificate request file you created in Part 1

Select the entire certificate request (Ctrl + A or Cmd + A) and then copy it (Ctrl + C or Cmd + C), INCLUDING the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- lines.

2. Visit www.trustico.co.uk

Click on the Buy Cheap RapidSSL green button

Choose the type of SSL certificate you want to order (in this case I am ordering a normal RapidSSL Certificate for £9.99). Click on the green Order Now button.

3. Choose the length of time you wish the certificate to be valid for. Unless you want to go through this process every 12 months (which gets very time-consuming when you have tens or hundreds to purchase), it's best to go for the longest time-frame you can afford.

In this case, I am choosing 48 months, which is only £35.96 at the time of writing.

Issuance Insurance: it's your decision whether to keep this or not, and it depends on what you need. I always turn Issuance Insurance off; in this case it saves £48 off the bill. If you think you are going to move servers, then keep this on unless you know how to export certificates from one server to another (that's another tutorial for the future).

Click on Continue

4. Enter all your contact information. Make sure you have access to the email address supplied at this stage, otherwise you won't get the certificate at the end. (I have not yet entered all my details in the screenshot below.)

Click on Continue

5. Click on Submit newly generated certificate signing request (I don’t know why they think every word needs a capital letter, but anyway)

Paste in the certificate request that you copied in Step 1

Click on Continue

6. You are asked to verify the information. Click on Continue

7. Next you have to confirm that you own the domain name by receiving an email at the domain. If you don't have a mail server set up, the easiest way to do this is to simply set up a mail forwarder to your own email address (very easy and free if you registered your domain with www.123-reg.co.uk).

Choose the email address to send the approver email to, and click on Continue

8. Read the subscriber agreement (has anyone ever read these?) Click on Continue

9. The confirmation details of what you are ordering are shown. Scroll down and click on Continue

10. Pay for the certificate. I always use PayPal, which makes the certificate issuing process very fast indeed. No matter how you pay, it always says thanks for your credit card payment.

That's the online (web) part done for now.

11. Check your email (or the email address you chose at step 7 above, if it doesn't forward to your own email address). You will have an email from [email protected] that asks you to visit a URL and approve the certificate. Click on the link and click I APPROVE

12. Go get a cup of tea, coffee or coke, check your email, play Minecraft or whatever takes your fancy. It takes about 10 minutes for your certificate to be created and it is then emailed to you.

Part 3 – Installing the certificate on the server

1. You should have an email from TrustICO (in this example it took 12 minutes to get to me) with the subject RapidSSL Fulfillment E-Mail [certificate name]

Scroll down the email until you get to the -----BEGIN CERTIFICATE----- part. I have (obviously) hashed out my certificate for security reasons.

Select the whole certificate (including the begin and end lines) and Copy it to the clipboard (Ctrl + C or Cmd+C).

Go back to the server (or if you are already on it, get to the desktop)

2. On the server, open Notepad

3. Paste in the certificate

4. Click on File > Save As and choose the Desktop again (or, if like me you have a lot of certificates, create a folder to put them all in)

Give the certificate a name you will remember (I always put the years in so that I can distinguish between different years' worth of certificates).

IMPORTANT – there MUST be the extension .cer at the end.

IMPORTANT – change the “Save As Type” to All Files (if you forget, Notepad will add .txt to the end of the file name, which you then have to remove to make it work).

Click on Save

5. You should now see a certificate on your desktop (or the folder where you saved it)

6. Open IIS and go to the Server Certificates item

7. Click on Complete Certificate Request on the right hand side

8. Choose your certificate for the File Name box

IMPORTANT – Friendly Name – if you ordered a wildcard certificate it is REALLY IMPORTANT that you put the common name of the certificate as the friendly name (e.g. *.goodmorningpulse.co.uk)

In this case, as it was a single certificate rather than a wildcard, it's still good to give it a name so that you know which is which in the list.

Click on OK

IIS parses the request and, if successful (which it always should be if you created the request correctly), adds the certificate to your list.

Part 4 – Binding the certificate to the website

So you have your certificate on the server, and you now need to tell your website to use it.

1. In IIS, expand the Sites item on the left hand side

2. Right-click on the site you wish to use the SSL certificate for, and click on Edit Bindings

3. The site bindings are displayed. Click on Add

4. Change the type to https and then Choose your new certificate

Click on OK and then Click on Close

5. The site will now allow https connections! It's that simple!

Success!
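The same request, complete and bind flow can be scripted from an elevated PowerShell prompt on the IIS server. This is an added example, not the steps above or anything from the blog; it uses certreq.exe and the WebAdministration module that ships with IIS 7.5, and $hostName, $siteName and the O/L/S/C subject fields are assumed values to replace with your own.

```powershell
# Added example: CSR -> complete request -> https binding, without the IIS GUI.
# Assumed values: change the host name, site name and subject fields.
$hostName = 'www.example.co.uk'
$siteName = 'Default Web Site'
$work     = "$env:USERPROFILE\Desktop"

# Part 1 equivalent: a certreq .inf describing the request.
# KeyLength 2048 is the minimum the article insists on; Exportable = TRUE lets
# you move the certificate with its private key to another server later.
@"
[NewRequest]
Subject = "CN=$hostName, O=Example Ltd, L=London, S=London, C=GB"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@ | Set-Content "$work\certReq.inf" -Encoding ASCII

# Generates the private key in the machine store and writes the CSR text file
# (the -----BEGIN NEW CERTIFICATE REQUEST----- block you paste to the CA).
certreq.exe -new "$work\certReq.inf" "$work\certReq.txt"

# ... submit certReq.txt, then save the issued certificate as $work\cert.cer ...

# Part 3 equivalent. This must run on the SAME machine that generated the CSR;
# completing it elsewhere leaves a certificate with no private key, and the
# https binding will not work.
certreq.exe -accept "$work\cert.cer"

# Part 4 equivalent: pick the newest certificate for the host that has a private
# key, add an https binding and attach the certificate to port 443.
Import-Module WebAdministration
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$hostName*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $hostName" }

New-WebBinding -Name $siteName -Protocol https -Port 443
# Replace any certificate already bound to 0.0.0.0:443, then bind ours.
Get-Item 'IIS:\SslBindings\0.0.0.0!443' -ErrorAction SilentlyContinue | Remove-Item
$cert | New-Item 'IIS:\SslBindings\0.0.0.0!443'
"Bound $($cert.Thumbprint) (expires $($cert.NotAfter)) to $siteName on 443"
```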

If you want to make your site exclusively SSL (re-directing automatically from http to https) then check out this post.

Make your site exclusively SSL (re-directing automatically from http to https) on Windows Server

If you have an SSL certificate on your website, how do you automatically re-direct ALL visitors to the SSL version? It's easy, and no code is required.

1. Open IIS

2. Click on the site you wish to change

3. Double-click on SSL Settings

4. Check the box Require SSL

5. Click on Apply (on the top right hand side)

6. Click on Error Pages

7. Double-click on the item with status code 403

8. Choose the item to Respond with a 302 redirect and enter the https address

9. Click on OK

10. Stop and re-start the website and hey-presto, anyone who visits (for example) http://www.mywebsitetest.co.uk will be automatically redirected to https://www.mywebsitetest.co.uk
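A quick way to confirm the redirect is doing its job, and that the https side presents a certificate for the right name that has not expired, is the check below. It is an added example and not part of the original post; it uses .NET classes rather than Invoke-WebRequest so that it also runs on the PowerShell 2.0 that ships with Server 2008 R2, and the host name passed in is an assumed value.

```powershell
# Added example: verify http -> https redirect and the https certificate.
function Test-HttpsRedirect {
    param([Parameter(Mandatory = $true)][string]$hostName)

    # 1. Plain http must answer with a redirect to https, not with page content.
    $req = [System.Net.HttpWebRequest]::Create("http://$hostName/")
    $req.AllowAutoRedirect = $false          # we want to see the 302 ourselves
    try   { $resp = $req.GetResponse() }
    catch [System.Net.WebException] { $resp = $_.Exception.Response }
    $code = [int]$resp.StatusCode
    $location = $resp.Headers['Location']
    $resp.Close()
    $redirectOk = ($code -eq 301 -or $code -eq 302) -and
                  $location -ne $null -and
                  $location.StartsWith("https://$hostName", 'OrdinalIgnoreCase')

    # 2. The https endpoint must complete a TLS handshake (name and chain are
    #    checked by .NET; a mismatch or untrusted chain throws) and the
    #    certificate must still be inside its validity window.
    $sreq = [System.Net.HttpWebRequest]::Create("https://$hostName/")
    $sreq.Method = 'HEAD'
    try   { $sresp = $sreq.GetResponse(); $sresp.Close(); $tlsOk = $true }
    catch [System.Net.WebException] { $tlsOk = $false }
    $subject = $null; $notAfter = $null; $expired = $null
    $raw = $sreq.ServicePoint.Certificate
    if ($raw -ne $null) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $raw
        $subject  = $cert.Subject
        $notAfter = $cert.NotAfter
        $expired  = $cert.NotAfter -lt (Get-Date)
    }

    New-Object PSObject -Property @{
        Host         = $hostName
        HttpStatus   = $code
        Location     = $location
        RedirectOk   = $redirectOk
        TlsOk        = $tlsOk
        CertSubject  = $subject
        CertNotAfter = $notAfter
        CertExpired  = $expired
    }
}

# Assumed host name; replace with the site you just configured.
Test-HttpsRedirect -hostName 'www.mywebsitetest.co.uk' | Format-List
```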

Check for server vulnerabilities using a free web

We have many Windows Server 2008 R2 servers that host systems, and recently had been getting lots of failed logon attempts, so it was imperative that we investigated not only the source, but how to prevent them even trying.

This is a fantastic free web-based utility that scans the computer it is running on.

https://www.grc.com/x/ne.dll?bh0bkyd2

Set up Dropbox as a Service

I love Dropbox. We've finally got rid of the file servers in the corner and rely on the Dropbox service for all our internal storage, backup and mirroring to other servers. Recently we've started building web applications that can be dynamically updated by just copying files into a Dropbox share, and our clients love it! Key to this is getting Dropbox set up as a service on the remote server.

What you need: Windows Server 2003 Resource Kit. Assuming installation was done in default directory.

1. Install Dropbox (I used version 1.2.52)
2. Choose preferences and uncheck “Show desktop notifications” and “Start Dropbox on system startup”
3. Exit Dropbox by clicking exit in the context menu that shows when right clicking icon in task bar
4. Execute at command line prompt:

C:\Program Files (x86)\Windows Resource Kits\Tools>instsrv Dropbox "c:\Program Files (x86)\Windows Resource Kits\Tools\srvany.exe"

If everything went ok, the following will be displayed:

The service was successfuly added!

Make sure that you go into the Control Panel and use
the Services applet to change the Account Name and
Password that this newly installed service will use
for its Security Context.

Next, change the user which the newly added service “Dropbox” runs under. Change this to Administrator.
5. Choose properties on Dropbox service.
6. Click on tab “Log On”
7. Click “This account”, and select Administrator. Set the appropriate password.
8. Click Apply and OK

If this is the first time you have done this procedure for the Administrator user, you will get a notification saying that the “Administrator user has been granted log on as service rights”

Next, set up some registry settings for the service
9. Start > Run > regedit
10. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dropbox
11. Create a new key “Parameters”
12. Add a new string value “Application”, (type REG_SZ). Set the value to the path to the dropbox.exe binary. Find the location by right clicking on the Dropbox icon on the desktop. Simply copy the path from there.
13. Close Registry Editor
14. Go back to Services, and start the Dropbox service

Now everything should be in place and work correctly.

Addition: It works fine to stop the Dropbox service, then start Dropbox and make changes in preferences etc., save the changes and exit Dropbox. Then you can start the Dropbox service again without problems. Works very neatly, actually. Running now on Windows Server 2003 and Windows Server 2008 64-bit. On Windows Server 2008 you can just copy instsrv.exe and srvany.exe to a folder under Program Files and create the Dropbox service from there.
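When a srvany-wrapped service starts and then stops straight away, it is almost always one of the pieces above that is missing. The check below reads the same registry values the steps have you set by hand and reports what is wrong; it is an added example, not part of the original post, and the service name defaults to the Dropbox one used here.

```powershell
# Added example: sanity-check a srvany-wrapped service against the steps above.
function Test-SrvanyService {
    param([string]$serviceName = 'Dropbox')

    $svcKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"
    $paramKey = "$svcKey\Parameters"
    $problems = @()

    if (-not (Test-Path $svcKey)) {
        return "Service key $svcKey does not exist (was instsrv run?)"
    }
    $svc = Get-ItemProperty $svcKey

    # Step 4: ImagePath must point at an srvany.exe that actually exists.
    $image = $svc.ImagePath -replace '"', ''
    if ($image -notmatch 'srvany\.exe$') { $problems += "ImagePath is not srvany.exe: $image" }
    elseif (-not (Test-Path $image))    { $problems += "srvany.exe not found at $image" }

    # Steps 5-8: the logon account. instsrv leaves LocalSystem behind and the
    # post switches to Administrator; a dedicated account holding only the
    # rights Dropbox needs limits what the wrapped process can do if misused.
    $account = $svc.ObjectName
    if ($account -eq 'LocalSystem') { $problems += 'Service still runs as LocalSystem' }

    # Steps 9-13: Parameters\Application must name an existing executable,
    # otherwise srvany has nothing to launch.
    $app = $null
    if (-not (Test-Path $paramKey)) { $problems += "Missing key $paramKey" }
    else {
        $app = (Get-ItemProperty $paramKey).Application
        if (-not $app) { $problems += 'Parameters\Application value is missing' }
        elseif (-not (Test-Path ($app -replace '"', ''))) { $problems += "Application not found: $app" }
    }

    # Step 14: is it actually running?
    $state = (Get-Service $serviceName -ErrorAction SilentlyContinue).Status
    if ($state -ne 'Running') { $problems += "Service status is '$state'" }

    New-Object PSObject -Property @{
        Service     = $serviceName
        Account     = $account
        Image       = $image
        Application = $app
        Status      = $state
        Problems    = $problems
    }
}

Test-SrvanyService -serviceName 'Dropbox' | Format-List
```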

Windows Server 2008 R2 DNS – Solved!

Something has been driving me absolutely INSANE – why does Windows Server 2008 DNS stop working intermittently and require either the service to be re-started or the whole server to be re-booted to get it working again?

After 2 years of this annoyance I decided to spend lots of time getting this working, and many phone calls and much harassment of various Microsoft Partner organisations and Microsoft Technical Support later… I think there is finally a fix that works and stops it falling over!

The problem, according to Microsoft appears to be that Windows is more advanced than the rest of the Internet, and falls over occasionally when trying to deal with other non E-DNS aware servers (or something like that)

Open Command Prompt (with Run As Administrator)

Type dnscmd /config /EnableEDNSProbes 0

Close the Command Prompt

Open Services (Start, Run, Services.msc)

Right-click on the DNS Server item, click on Tasks and choose Restart

Working!

Could Dropbox replace the Small Office Server?

It started as many IT Consultancy visits do: a “quick visit” to sort out a minor problem with sending an email at a small business (9 members of staff with a PC each), and then, out of nowhere, comes the question that we dread when on a tight time-scale with the next month already booked up in advance… “we need a server to share files for all of us – could you set that up for us… we need it next week, will it cost much?” In default “IT Consultant Mode” I started explaining the costs of the physical hardware, the Windows Server licence, how long it would take to order, install and configure on each PC, and then, just as I was explaining the electricity cost, I stopped. Thinking back, I wonder if my customer thought I had lost it completely, as I stopped open-mouthed and went “AAAHHH” far too loud, and then I asked a question I have never uttered before…

“There might be a better way – have you heard of DropBox?”

She replied that she hadn't, and enquired as to what it was. It was then that it struck me: on every previous occasion, what was it that always got added on the end of the shared files question… “can I access them at home?” So I started my explanation with a question: “Would you like to be able to access and update the shared documents from home?” To say that the customer was shocked was an understatement, as she struggled to contain her enthusiasm: “you mean I could actually do that???” So I proceeded to explain, over the course of about 10 minutes, the two possible routes: the traditional route with the server, the new router, the VPN, and the approximate cost of £2400 all in; and the new route, the brand new option, Dropbox, which is free for up to 2Gb of storage. I asked what was being stored in the file store, and emphasised the importance of not storing personal information in the new Dropbox folder if we were to use it, and the answer “no, it's just for a few policies and procedures” meant it was a perfect fit. So, 30 minutes after arriving on-site to fix email, all staff had Dropbox installed on their PCs with a nice Dropbox shortcut on their desktop to the folder, the owner had had the Dropbox guided tour and actually understood it all (and added Dropbox on her iPhone there and then), and wow, it works (and is still working) perfectly. One very, very happy customer, with a solution that, when coupled in the near future with Office 365, will result in not needing any server for the office at all. Dropbox, I salute you: a wonderful new technology that can be applied to revolutionise business file sharing.

The wonder of Hyper-V

With Hyper-V, it's easier than ever to take advantage of the cost savings of virtualization through Windows Server 2008 R2. Optimize your server hardware investments by consolidating multiple server roles as separate virtual machines running on a single physical machine, efficiently run multiple different operating systems in parallel on a single server, and fully leverage the power of x64 computing.

We have rolled out Hyper-V in our office and now have no physical Windows Servers that provide services. The only bare-metal servers run Hyper-V.

Storage is dealt with by an HP DL380 server set up as a SAN so that the Hyper-V front-end servers connect via iSCSI to the SAN.

Front-end servers are now:

HP DL160 G5, 2 x 2.0GHz Xeon Quad-core CPUs with 32Gb RAM

HP DL160 G6, 2 x 3.04GHz Xeon Quad-core CPUs with 64Gb RAM