Skip to content

Microsoft IIS

Tip

Before proceeding, verify that the machine is already created in Certificate Manager - SaaS. Also, ensure that you’ve completed the prerequisite configuration steps for the Microsoft IIS machine.

  1. In the Certificate Manager - SaaS toolbar, click Machines.
  2. Click the checkbox next to the Microsoft IIS machine that you want to provision a certificate to.
  3. Click Provision a certificate. The Provision a certificate modal opens.

  4. From the Choose a certificate from the inventory field, begin typing the certificate name you want to provision. Click the certificate when you see it listed.

    Verify that you've selected the correct certificate by reviewing the Subject DN, Validity, and Fingerprint.

  5. From the CAPI Store drop down, select the certificate store you want the certificate installed in. The Web Hosting store is recommended for certificates used by IIS.

  6. Enter a Friendly Name for this certificate. The certificate will appear with this name when used in IIS.

  7. (Optional) If you want to bind the certificate to the IIS website, toggle the Bind Certificate to IIS Web Site slider to the on position. In the IIS Web Site Name field, enter the site from your IIS server that you want to provision the certificate to.

    1. If you want Certificate Manager - SaaS to create a new binding if a matching binding isn't found, click the Create Binding if not found slider.

      What happens if I don't choose this and the binding doesn't exist?

      If the specified binding doesn't exist and you've told Certificate Manager - SaaS not to create it, the certificate will be added to the CAPI store, and provisioning will result in an error.

    2. In the Binding IP Address field, enter an IP address that is bound to Windows. The certificate will be available only for the IP address you enter here. Leave the field empty if you want the certificate to be available an all of the Windows server's IP addresses.

    3. In the Binding Port, enter a port number to add to the binding.
    4. In the Binding Hostname, enter a hostname to add to the binding if you want the binding to use Server Name Indication (SNI).
    5. Enable the Restart the IIS Web Site instance toggle to restart the IIS web site automatically. Otherwise, restart it manually before using the certificate.

  8. If you don't want the certificate to be pushed when you save, toggle the Push upon saving slider to No.

  9. Click Save.

    Want to schedule your provisions?

    Schedule your provisions daily, weekly, or monthly. Learn more

    Are you requiring strict enforcement of PowerShell script signing?

    The Microsoft IIS provisioning process uses PowerShell over WinRM to install certificates on the Windows machine. Certificate Manager - SaaS PowerShell scripts are signed using Venafi's DigiCert CodeSigning certificate. If your organization enforces strict signing requirements to execute PowerShell scripts, ensure Venafi's CodeSigning certificate is included of the Trusted Publishers location on the machine's CAPI store.

    Typically, trusted publisher certificates are managed and distributed via Group Policy by your Active Directory administrators.

    You can find the certificate in PEM format for your convenience here:

    -----BEGIN CERTIFICATE-----
MIIHeTCCBWGgAwIBAgIQD5K9ewtirvrfYeVIO+QHIDANBgkqhkiG9w0BAQsFADBp
MQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMT
OERpZ2lDZXJ0IFRydXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0
IDIwMjEgQ0ExMB4XDTI1MTAyMDAwMDAwMFoXDTI2MTAxOTIzNTk1OVowgYAxCzAJ
BgNVBAYTAklMMRQwEgYDVQQHEwtQZXRhaCBUaWt2YTEfMB0GA1UEChMWQ3liZXJB
cmsgU29mdHdhcmUgTHRkLjEZMBcGA1UECxMQRW5naW5lZXJpbmcgVmFhUzEfMB0G
A1UEAxMWQ3liZXJBcmsgU29mdHdhcmUgTHRkLjCCAiIwDQYJKoZIhvcNAQEBBQAD
ggIPADCCAgoCggIBAOIAHCC0hdOU4hMlqUKgg+WrOJ64nUVg1z14D2Tw2yOc0VUj
2mdJlQ2prpuPkk7eQ/n8HJdNEDtz9a0ZsoSe6pTBStajjcuQ90vHc5PkZgUFfqmA
DUp5HYjzafy7WQg5sDElIuLl6dGkhaGTTVN7ppBTK5b39/OQcDap4+y65jgfrNxe
4kwcWb4+9iBEEgL6fM3l83/XKSxDlpSv9vgPUoKOIRImD2V11hSZ3dQcdigTOS5k
qUiFYN1wJ9aJEmUldy9aV6QBs/BBxTO98RpItLcB5nelSz+3sLpEABuAZoxOz2fV
EHdRG8BfIcfa+9xR440oyx9q55m92tjAdzIKHcje2ihEQ9ne4T7Ru8Wim/gyBCrm
OoXN19B95WK9eh7Ry+UD+tlWaMVUaIKq34lXgKon4pazTvmOV6AoUToMsYNcbPj8
xcp1AnKnMnKSxsQDPE/ltQOGDkbJS3Pw27SMZn424FhLq/aUb0W+rIvzE+nBal8+
PTND2x2ioQ0IDpnXqPofZFb2Ug3vsFeoTgfeU5694/BzQijsI6vLbdgw+j/0T9YK
iOleajjnyTOSxnKbMPksCShCM049+S5nrf58MRp04RIBXtOyvE5OZeDMiSQSDJs6
GDZv8ZuIXgd5xWEgbtPZa8LmcH5BggEETDGFQvAGXNFWS6qfKOWUA66RAM/BAgMB
AAGjggIDMIIB/zAfBgNVHSMEGDAWgBRoN+Drtjv4XxGG+/5hewiIZfROQjAdBgNV
HQ4EFgQU9mdEHZSW9O1DrKY6HJ+xhh1sRAMwPgYDVR0gBDcwNTAzBgZngQwBBAEw
KTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5kaWdpY2VydC5jb20vQ1BTMA4GA1Ud
DwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzCBtQYDVR0fBIGtMIGqMFOg
UaBPhk1odHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRD
b2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0ExLmNybDBToFGgT4ZNaHR0cDov
L2NybDQuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdS
U0E0MDk2U0hBMzg0MjAyMUNBMS5jcmwwgZQGCCsGAQUFBwEBBIGHMIGEMCQGCCsG
AQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wXAYIKwYBBQUHMAKGUGh0
dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVT
aWduaW5nUlNBNDA5NlNIQTM4NDIwMjFDQTEuY3J0MAkGA1UdEwQCMAAwDQYJKoZI
hvcNAQELBQADggIBAJsLHgoTvlHafPU8cbyLtV6+yp6a+2Ddk6ZohJVIq1syn+d6
zr+4Bsd59Dmtdu4SVx7HGkminNhBslheXBUHy8tt/2VWKV1LJ314hziO/24Fpzmu
msd7DzVRXSsh5Y9/xp3CWNH1327vhIEo7hawm1cE62vUW0ZHDEuF3kGzlVubGCTK
OYZB+sBD2qMkADcHJ23/M6AYEp5Sxhyn+YcHejw9MArBde+hqI6L4e9AsNFuul+5
Il79suYtn9BHdpM5Y4Ftm3pVzE5BBbvptFwHz0rLzOPpCQVawohVnBRilNBfxUdY
+30Kxvcygrom0HqsH1LEbwFHwG3IU7VqOjwWCoLxOPFPj99XQ/DVPG6bvpymFtiB
twY40mAV4mZHbYGyKMtGLSoKnjmwm+QsORD+rEs+M6qNZdz2ywqdNOrKc8/WjUaq
TTFsjd/40KAUTDveqp9KS3OAaiqyxvRKlaFUgW6IxWRf2BzUtFi1EeJ9I3jSRi93
XuFYnutB9ngiC6mXUh9cg1ogMH7ZzWFzWDIp+YAwIbnnj/8tof3EH0Cry3869Syi
K6TOacAdQhB/oU+5z1KjnOjz/pkjOr7E05eO7+dioy5he54wH7bqHmYbJSrxrXcG
2p04bRPUimKrNqaJywzTXHABzs1AOKWiNcWK6prv0pU+Myi9Z90VWLLflPlz
-----END CERTIFICATE-----