Install an SSL certificate on IIS 10 server

 

 Manually install an SSL certificate on IIS 10 server

 Convert your .crt file to a .cer file

  1. Locate your downloaded .crt file, and double-click to open it.
  2. Select the Details tab, and then the Copy to File button.
  3. Select Next in the Certificate Wizard.
  4. Select Base-64 encoded X.509(.CER) and then select Next.
  5. Select Browse, locate where you want to save your .CER file, and type in a name for your certificate.
  6. Select Next and then Finish.

Copy your certificate files onto the server

  1. Find the directory on your server where certificate and key files are stored, then upload your intermediate certificate (gd_iis_intermediates.p7b or similar) and primary certificate (.cer file that you just converted) into that folder.

Add a Certificate Snap-in to the Microsoft Management Console (MMC)

  1. Click on your Start Menu, then click Run.
  2. In the prompt, type mmc and click OK.
  3. Click File, then click Add/Remove Snap-in.
  4. On the new window, click the Add button.
  5. On the new window, select Certificates and click Add.
  6. Select Computer account for the snap-in and click Next.
  7. Click Local computer and click Finish.
  8. Click Close on the Add Standalone Snap-in window.
  9. Click OK on the Add/Remove Snap-in window.

Import the Intermediate SSL Certificate

  1. In the MMC console, expand Certificates (Local Computer).
  2. Right click on the Intermediate Certification Authorities folder, hover over All Tasks and click Import.
  3. On the new window, click Next.
  4. Click Browse, find your gd_iis_intermediates.p7b intermediate certificate file and click Open.
  5. Click Next, verify that the certificate information is proper and click Finish.
  6. Close the "The import was successful" notification.

Install your SSL certificate

  1. Click on your Start Menu, then click Run.
  2. In the prompt, type inetmgr and click OK to launch the Internet Information Services (IIS) Manager.
  3. Under the Connections panel on the left, click on your Server Name.
  4. In the main panel under the IIS section, double click on Server Certificates.
  5. Under the Actions panel on the right, click Complete Certificate Request.
  6. On the new window, click ... to browse, find your previously uploaded primary certificate file and click Open.
  7. Add a Friendly name to easily identify this certificate in the future.
  8. In the certificate store option, select Web Hosting and click OK.

Bind the SSL certificate

  1. Under the Connections panel on the left, expand the Sites folder.
  2. Click the Site Name that you plan to install the SSL certificate onto.
  3. Under the Actions panel on the right, find the Edit Site section and click Bindings.
  4. On the new window, click Add and fill out the following information:
    • Type: select https.
    • IP Address: select All Unassigned.
    • Port: type in 443.
    • Host name: leave this empty.
    • SSL Certificate: select your recently installed SSL.
  5. Click OK to confirm, then Close for the Site Bindings window.

Restart IIS

  1. Under the Actions panel on the right, find the Manage Website section and click Restart.

 

 

SOLUTION TYPE: 2

 

Add a Certificate Snap-in to the Microsoft Management Console (MMC)

  1. Click on your Start Menu, then click Run.
  2. In the prompt, type mmc and click OK.
  3. Click File, then click Add/Remove Snap-in.
  4. On the new window, click the Add button.
  5. On the new window, select Certificates and click Add.
  6. Select Computer account for the snap-in and click Next.
  7. Click Local computer and click Finish.
  8. Click Close on the Add Standalone Snap-in window.
  9. Click OK on the Add/Remove Snap-in window.

Import the Intermediate SSL Certificate

  1. In the MMC console, expand Certificates (Local Computer).
  2. Right click on the Personal folder, hover over All Tasks and click Import.
  3. On the new window, click Next.
  4. Click Browse, find your .pfx certificate file and click Open.
  5. Click Next, verify that the certificate information is proper and click Finish.
  6. Close the "The import was successful" notification.

Install your SSL certificate

  1. Click on your Start Menu, then click Run.
  2. In the prompt, type inetmgr and click OK to launch the Internet Information Services (IIS) Manager.
  3. Under the Connections panel on the left, click on your Server Name.
  4. In the main panel under the IIS section, double click on Server Certificates.
  5. Under the Actions panel on the right, click Complete Certificate Request.
  6. On the new window, click ... to browse, find your previously uploaded primary certificate file and click Open.
  7. Add a Friendly name to easily identify this certificate in the future.
  8. In the certificate store option, select Personal and click OK.

Bind the SSL certificate

  1. Under the Connections panel on the left, expand the Sites folder.
  2. Click the Site Name that you plan to install the SSL certificate onto.
  3. Under the Actions panel on the right, find the Edit Site section and click Bindings.
  4. On the new window, click Add and fill out the following information:
    • Type: select https.
    • IP Address: select All Unassigned.
    • Port: type in 443.
    • Host name: leave this empty.
    • SSL Certificate: select your recently installed SSL.
  5. Click OK to confirm, then Close for the Site Bindings window.

Restart IIS

  1. Under the Actions panel on the right, find the Manage Website section and click Restart.
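
The import and binding steps of this second method can also be scripted, which makes it easy to confirm that the certificate has its private key and a complete chain before it is bound. The PowerShell below is an added example, not part of the original page; the PFX path and site name are placeholders, and it assumes the WebAdministration module that is installed with the IIS management tools.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the .pfx import and https binding steps.
Import-Module WebAdministration

$PfxPath  = 'C:\certs\example.pfx'   # placeholder path (assumption)
$SiteName = 'Default Web Site'       # placeholder site name (assumption)
$PfxPass  = Read-Host -AsSecureString -Prompt 'PFX password'

# Import into the Local Computer "Personal" store (Cert:\LocalMachine\My).
# A PFX may carry chain certificates too, so keep the one that has the private key.
$cert = Import-PfxCertificate -FilePath $PfxPath `
            -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPass |
        Where-Object HasPrivateKey | Select-Object -First 1

if (-not $cert) {
    throw 'No certificate with a private key was imported; IIS cannot bind it.'
}

# Refuse to bind a certificate that is not currently valid.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# Check that the chain builds from the local stores (intermediates present).
# Revocation is skipped so the check also works on servers without outbound access.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "Chain problem: $($_.StatusInformation.Trim())" }
}

# Create the https binding on All Unassigned:443 with an empty host name if it is missing.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
}

# Attach the certificate. This call fails if 0.0.0.0:443 already has a certificate;
# inspect the existing entry with the netsh command below before replacing it.
(Get-WebBinding -Name $SiteName -Protocol https -Port 443).AddSslCertificate($cert.Thumbprint, 'My')

# Show what HTTP.sys now has registered for the endpoint.
netsh http show sslcert ipport=0.0.0.0:443
```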

 

 

 

 The request is not supported (0x80070032)

IIS uses bindings to determine which site handles an incoming request. A binding can be secured (https, usually on port 443) or unsecured (http, usually on port 80).

 

In a case I worked on, I came across this error while trying to add an https binding: The request is not supported (Exception from HRESULT: 0x80070032).




 

The PowerShell command below gave an error too

 

 

netsh http add sslcert ipport=[IP:port] appid="[APP ID]" certhash=[HASH] certstorename=MY

 

 

SSL Certificate add failed, Error: 50
The request is not supported



 

 

 

Solution

 

Since both secure binding and Windows Update were failing, the issue seemed to be related to TLS protocol settings.

 

If you are troubleshooting a similar issue, make sure TLS protocols and encryption algorithms are enabled. Additionally, check if secure cipher suites are enabled. In our case, there was only one cipher suite defined. This was the reason for both the binding and Windows Update issues.

 

We followed the steps below to use the default cipher suite list:

  1. Go to “Start > Run”. Enter: gpedit.msc
  2. In the left pane, expand “Computer Configuration > Administrative Templates > Network > SSL Configuration Settings”
  3. In the right pane, right click “SSL Cipher Suite Order” and choose “Edit”
  4. Save the text inside the “SSL Cipher Suite” field to Notepad as a backup
  5. Select “Not Configured”
  6. Click “OK”
  7. Restart the server (gpupdate doesn’t enforce this setting; you must restart the server)


Note: If the setting is already "Not Configured", change it to "Enabled" and restart the server. It should work. Later, you can change it back to "Not Configured" and restart again.

 

Solutions: 2

Download and run IIS Crypto. Make sure TLS protocols and encryption algorithms are enabled.

Additionally, check if secure cipher suites are enabled. In the server I troubleshot, there was only one cipher suite active. This caused both the binding and Windows Update issues. We followed the steps below to use the default cipher suite list on the server, which solved the issue:

  1. Go to “Start > Run”. Enter: gpedit.msc
  2. In the left pane, expand “Computer Configuration > Administrative Templates > Network > SSL Configuration Settings”
  3. In the right pane, right click “SSL Cipher Suite Order” and choose “Edit”
  4. Save the text inside the “SSL Cipher Suite” field to Notepad as a backup
  5. Select “Not Configured”
  6. Click “OK”
  7. Restart the server (gpupdate doesn’t enforce this setting; you must restart the server)
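
Before changing the policy, the same settings can be inspected read-only from PowerShell. The script below is an added example, not part of the original post; it assumes Windows Server 2016 or later (for Get-TlsCipherSuite) and reads the standard registry locations where the "SSL Cipher Suite Order" policy and the Schannel protocol overrides are stored.

```powershell
# Added example: read-only check of the cipher suite policy and TLS protocol overrides.

# 1. Group Policy "SSL Cipher Suite Order": present only when the policy is Enabled.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$policy = (Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue).Functions

if ($null -eq $policy) {
    'SSL Cipher Suite Order policy: Not Configured (Windows default list applies)'
} else {
    # The value is normally one comma-separated string; join first in case it is multi-string.
    $suites = @((@($policy) -join ',') -split ',' |
                ForEach-Object { $_.Trim() } | Where-Object { $_ })
    "SSL Cipher Suite Order policy: Enabled with $($suites.Count) suite(s)"
    $suites | ForEach-Object { "  $_" }
    if ($suites.Count -le 1) {
        Write-Warning 'Policy restricts the server to a single cipher suite (the condition described above).'
    }
}

# 2. Cipher suites the TLS stack currently offers, in priority order.
'Effective cipher suites:'
Get-TlsCipherSuite | ForEach-Object { "  $($_.Name)" }

# 3. Schannel server-side protocol overrides. A missing key means the OS default is used.
$protoRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    $key = Join-Path $protoRoot "$proto\Server"
    $val = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $state = if ($null -eq $val) {
        'OS default (no registry override)'
    } elseif ($val.Enabled -eq 0 -or $val.DisabledByDefault -eq 1) {
        'disabled by registry override'
    } else {
        'enabled by registry override'
    }
    "{0,-8} server: {1}" -f $proto, $state
}
```

The registry reflects the configured state; as the steps above note, a change to the cipher suite policy only takes effect after the server is restarted.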
