Microsoft IIS
Tip
Before proceeding, verify that the machine is already created in TLS Protect Cloud. Also, ensure that you’ve completed the prerequisite configuration steps for the Microsoft IIS machine.
- In the TLS Protect Cloud toolbar, click Machines.
- Click the checkbox next to the Microsoft IIS machine that you want to provision a certificate to.
- Click Provision a certificate. The Provision a certificate modal opens.
- From the Choose a certificate from the inventory field, begin typing the certificate name you want to provision. Click the certificate when you see it listed.
  Verify that you've selected the correct certificate by reviewing the Subject DN, Validity, and Fingerprint.
- From the CAPI Store drop-down, select the certificate store you want the certificate installed in. The Web Hosting store is recommended for certificates used by IIS.
- Enter a Friendly Name for this certificate. The certificate will appear with this name when used in IIS.
- (Optional) If you want to bind the certificate to the IIS website, toggle the Bind Certificate to IIS Web Site slider to the on position. In the IIS Web Site Name field, enter the site from your IIS server that you want to provision the certificate to.
- If you want TLS Protect Cloud to create a new binding if a matching binding isn't found, click the Create Binding if not found slider.
  What happens if I don't choose this and the binding doesn't exist?
  If the specified binding doesn't exist and you've told TLS Protect Cloud not to create it, the certificate will be added to the CAPI store, and provisioning will result in an error.
- In the Binding IP Address field, enter an IP address that is bound to Windows. The certificate will be available only for the IP address you enter here. Leave the field empty if you want the certificate to be available on all of the Windows server's IP addresses.
- In the Binding Port, enter a port number to add to the binding.
- In the Binding Hostname, enter a hostname to add to the binding if you want the binding to use Server Name Indication (SNI).
- If you don't want the certificate to be pushed when you save, toggle the Push upon saving slider to No.
- Click Save.
Want to schedule your provisions?
Schedule your provisions daily, weekly, or monthly.
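To confirm on the server that the provisioning steps above produced the intended result, the following added example (not part of TLS Protect Cloud or the original page) checks that the certificate with the expected fingerprint is in the chosen store and bound to the site. The site name, binding string and fingerprint are placeholders, and because the page does not say which hash the Fingerprint field shows, the check accepts either SHA-1 or SHA-256.

```powershell
# Added example: read-only check, run elevated on the IIS server after provisioning.
Import-Module WebAdministration

# Placeholders: replace with the values entered in the Provision a certificate modal.
$SiteName    = 'Default Web Site'
$StoreName   = 'WebHosting'                      # the Web Hosting CAPI store
$BindingInfo = '*:443:'                          # IP:port:hostname, '*' = all IP addresses
$Expected    = '<fingerprint shown in the modal>'

# Normalise the fingerprint (drop colons/spaces) so it compares cleanly.
$want = ($Expected -replace '[^0-9A-Fa-f]', '').ToUpper()

function Get-CertFingerprint {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Windows shows the SHA-1 thumbprint; other tools often show SHA-256. Return both.
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try     { $hash = [BitConverter]::ToString($sha256.ComputeHash($Cert.RawData)) -replace '-', '' }
    finally { $sha256.Dispose() }
    $Cert.Thumbprint.ToUpper(), $hash
}

# 1. The certificate must be present in the store selected in the CAPI Store field.
$cert = Get-ChildItem "Cert:\LocalMachine\$StoreName" |
    Where-Object { (Get-CertFingerprint $_) -contains $want } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with fingerprint $want in LocalMachine\$StoreName" }

# 2. The site must have the https binding that was requested.
$binding = Get-WebBinding -Name $SiteName -Protocol https |
    Where-Object { $_.bindingInformation -eq $BindingInfo }
if (-not $binding) { throw "Site '$SiteName' has no https binding $BindingInfo" }

# 3. Report whether that binding actually points at the provisioned certificate.
[pscustomobject]@{
    FriendlyName  = $cert.FriendlyName
    NotAfter      = $cert.NotAfter
    HasPrivateKey = $cert.HasPrivateKey
    Binding       = $binding.bindingInformation
    SniRequired   = [bool]($binding.sslFlags -band 1)   # bit 1 = Server Name Indication
    StoreMatches  = $binding.certificateStoreName -eq $StoreName
    CertIsBound   = $binding.certificateHash -eq $cert.Thumbprint
}
```

A result with `CertIsBound` or `StoreMatches` set to `False` means the site is still serving a different certificate, which is the state to expect when the binding was missing and Create Binding if not found was off.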
Are you requiring strict enforcement of PowerShell script signing?
The Microsoft IIS provisioning process uses PowerShell over WinRM to install certificates on the Windows machine. TLS Protect Cloud PowerShell scripts are signed using Venafi's DigiCert CodeSigning certificate. If your organization enforces strict signing requirements to execute PowerShell scripts, ensure Venafi's CodeSigning certificate is included in the Trusted Publishers location on the machine's CAPI store.
Typically, trusted publisher certificates are managed and distributed via Group Policy by your Active Directory administrators.
You can find the certificate in PEM format for your convenience here:
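One way to check a target machine against the signing requirement described above, as an added example that is not part of the original page or of Venafi's tooling. It assumes the published PEM certificate has been saved to the hypothetical path in `$PemPath`, and it only reads state; it does not change the Trusted Publishers store.

```powershell
# Added example: read-only check, run on the Windows machine that will be provisioned.
# Assumption: the code-signing certificate from the documentation was saved here.
$PemPath = 'C:\Temp\codesigning-publisher.pem'   # hypothetical path

# Load the publisher certificate from the PEM file.
$signer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PemPath

# Look for the same certificate in the machine-wide Trusted Publishers store.
$trusted = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    Where-Object { $_.Thumbprint -eq $signer.Thumbprint }

# Execution policy per scope; a Group Policy scope (MachinePolicy/UserPolicy)
# overrides anything set locally, so list all of them as well as the effective one.
$policies  = Get-ExecutionPolicy -List
$effective = Get-ExecutionPolicy

[pscustomobject]@{
    EffectivePolicy      = $effective
    SetByGroupPolicy     = [bool]($policies |
                               Where-Object { $_.Scope -in 'MachinePolicy', 'UserPolicy' -and
                                              $_.ExecutionPolicy -ne 'Undefined' })
    SignerSubject        = $signer.Subject
    SignerThumbprint     = $signer.Thumbprint
    SignerNotAfter       = $signer.NotAfter
    SignerExpired        = (Get-Date) -gt $signer.NotAfter
    InTrustedPublishers  = [bool]$trusted
}

# Flag the combination that blocks provisioning: signatures are enforced
# but the publisher certificate has not been distributed to this machine.
if ($effective -eq 'AllSigned' -and -not $trusted) {
    Write-Warning 'AllSigned is in effect and the publisher certificate is not in LocalMachine\TrustedPublisher.'
}
```

Compare `SignerThumbprint` with the value your Active Directory administrators distribute through Group Policy, and watch `SignerNotAfter`: a code-signing certificate is replaced periodically, so the trusted publisher entry has to be refreshed when the vendor rotates it.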