

Setting up SSL on IIS

Posted on 2015-02-05
Medium Priority
Last Modified: 2015-02-12
One of my clients has been working with an ecommerce integration group to get their website up and running, which is already working as of now, but now they wanted to use SSL for the website, so they want me to handle the install of the certificate on the webserver.  I'm trying to get an overall understanding of all the components that go into doing this.
I am already in the process of downloading the intermediate certificate from GoDaddy and it looks pretty straightforward per their instructions.  They also wanted me to open up port 443 on the firewall, which I did already, but when I tested the port using it reported that the connection was refused.  Does there have to be another step for 443 traffic to be accepted on the webserver?  Port 80 I was able to successfully test as not being blocked.  What I was really confused about was that they said I had to create another name for the website  to handle the SSL.  In other words, if the current website is accessible as they wanted me to use when I applied for the certificate.  Then they said I would have to add a DNS record for that pointing to the same public IP as  They said they could add  the record to their local overrides but preferred not to unless I really had problems with the DNS.  Thanks.
Question by:dankyle67

Accepted Solution

OriNetworks earned 2000 total points
ID: 40591961
Wow I think I'm just as lost as you... I will try to explain using IIS7 but if you have 6 it should be easy to follow or search for the same directions.

Traditionally enabling SSL is pretty simple.
1. Get a cert for the name or names users will be using to access your site (e.g. If you want to enable multiple names such as,,etc a UCC or wildcard cert is required to list all possible names users will access your site with
2. In IIS, install the server certificate by opening the IIS Manager, clicking on the server, then clicking Certificates. Import your certificate, or create a new certificate request to submit to your SSL provider. You probably want Import.
3. Add bindings to your website. Bindings tell your site which ports and names to listen on. Expand Sites, right-click and select Edit Bindings.
4. Click Add, select https as the type, the IP address it will listen on (or leave All Unassigned), port 443, and select the certificate you just installed. This will use whatever names you registered when creating the SSL cert.

Browse to https://internal_server_ip to make sure you can get to the site using SSL. This will show a certificate warning because you are using an internal IP rather than the name you created the certificate for, but that's OK for now. If this does not work, you have a server configuration problem; maybe Windows Firewall is enabled or a different firewall software directly on the host is blocking the connection.

5. Set up your firewall to allow inbound 443 to be directed to your internal server IP address.

If you still have issues, you can try going to https://[external ip address]. By using the external IP address you will get a warning about an invalid cert, but it will verify your server is now exposed to the internet to handle requests.

If it works using the IP address but not the domain, you have a DNS issue. If https://external_ip does not work, your firewall is not configured correctly.
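
The checks in this answer (internal IP, then external IP, then the name) written as a small Python diagnostic; this is an added example, not part of the original post. The state names and the `probe` and `diagnose` functions are made up for the illustration, and the "chain" result reflects the intermediate-certificate step the question mentions.

```python
import socket
import ssl

# Probe states that prove something answered on the port and spoke TLS.
REACHED = {"ok", "name_mismatch", "untrusted"}

def probe(host, port=443, timeout=5.0):
    """Try a verified TLS handshake with host:port and classify the outcome."""
    ctx = ssl.create_default_context()  # verifies the chain and the name
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok"
    except socket.gaierror:
        return "dns_failure"    # the name did not resolve
    except ConnectionRefusedError:
        return "refused"        # nothing listening, or a firewall rejects
    except socket.timeout:
        return "timeout"        # packets are silently dropped on the way
    except ssl.SSLCertVerificationError as exc:
        # OpenSSL codes 62 and 64: host name / IP address not in the certificate
        return "name_mismatch" if exc.verify_code in (62, 64) else "untrusted"
    except OSError:
        return "tls_error"      # listener present but the handshake failed

def diagnose(internal, external, by_name):
    """Map three probe results onto the answer's troubleshooting order."""
    if internal not in REACHED:
        return "server: check the https binding and any host firewall"
    if external not in REACHED:
        return "firewall: inbound 443 is not reaching the server"
    if by_name not in REACHED:
        return "dns: the name does not lead to the working external IP"
    if by_name == "name_mismatch":
        return "certificate: it does not list the name users type"
    if by_name == "untrusted":
        return "chain: check that the intermediate certificate is installed"
    return "ok"

if __name__ == "__main__":
    # Constructed results: a mismatch warning by IP is expected, as the answer says.
    print(diagnose("name_mismatch", "refused", "refused"))
    print(diagnose("name_mismatch", "name_mismatch", "dns_failure"))
    # Live use, with placeholder addresses and name:
    # diagnose(probe("10.0.0.5"), probe("203.0.113.10"), probe("shop.example.com"))
```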

Author Comment

ID: 40592022
Thanks for the good instructions so far.  I actually went thru most of the process with GoDaddy support and it was really confusing at first since the generating, installing and requesting of certificates all look similar at first glance, but as I went thru it I got a better handle on it.  I had to delete the original CSR on IIS and generated a new one which I then pasted into the GoDaddy site so it would generate a request again.  I had to do all this because I found out since the webserver is running on 2003 server, it would require a hotfix for SHA2.   However if we selected the 1yr subscription, we could select SHA2 as algorithm and would not have to worry about hotfix.  We plan on moving all this to a new 2012 server in about 2 months so at least I have some understanding of the process when having to do the certificate drill again.  I will test if I can access using https now and get back to you.

Author Comment

ID: 40593486
OK, I tested it by trying to get to the site externally using https://public ip and it came back as you mentioned with the site warning since I'm not using the name of the certificate, so this looks good so far.  I'm waiting now for the ecommerce integration group to add the host record of our internal server name to their end on DNS so that site can be accessed using the which matches the certificate name.  This is the part I don't understand.  Why did they ask us to make the name different for the internal server when applying for the certificate?  In other words, prior to the SSL certificate, a person could access using http and if they wanted to use https of course they would use the same name except now they would use but I'm assuming this is what the ecommerce group is working on now with the different name.  They are probably adding host to their DNS so that it has same IP as

Expert Comment

ID: 40594466
As an added note, you may want to check IIS to make sure Require SSL is selected for at minimum the ecommerce site or virtual directory. This will prevent users from accidentally putting sensitive information into an unencrypted form. It should also be required for any portion of the site where the user may enter login credentials.

I don't know the answer to that, but it should be a simple question to ask them, and you should ask them to understand why they directed you to do so anyway. One example might be if you are trying to serve a mix of encrypted content and unencrypted content under the same site, which is a bad practice anyway; using a different subdomain for the encrypted site will allow you to set up a different site in IIS specifically for that binding e.g. (, that way the server won't try to run everything through SSL. SSL does have a slight performance impact but it's only noticeable with many users.
