This article describes how to set up Web server farms that contain multiple Microsoft Internet Information Services (IIS) Web servers with the same certificate. When you do this, communications between the Web client computers and servers are secured by Secure Sockets Layer (SSL).
MORE INFORMATION
How to obtain and install a Web server certificate for the first Web server
To perform load balancing of a Web server farm with a single certificate in IIS 6.0 or in IIS 5.0, follow these steps:- Click Start, point to Programs, point to Administrative Tools, and then click Internet Services Manager or Internet Information Services (IIS) Manager.
- Expand your server name, right-click the Web site, and then click Properties.
- Click the Directory Security tab.
- Click Server Certificate.
- After the Web Server Certificate Wizard starts, click Next.
- On the Server Certificate page, click the method that you want to use to assign the site a new certificate, for example, click Create a new certificate.
- On the Delayed or Immediate Request page, click one of the following options, and then click Next.
- If you have an online certificate server in your organization, click Send the request immediately to the online certification authority.
- If you have to send the request to a third-party provider or to a certification authority (CA) that is off the network, click Prepare the request now, but send it later. The procedure that is described in this article assumes that you click this option.
- On the Name and Security Settings page, type a name for the new certificate in the Name box, click 1024 in the Bit length box, and then click Next.
- On the Organization Information page, type the name of your organization in the Organization box, type the name of your organizational unit in the Organizational Unit box, and then click Next.
- On the Your Site's Common Name page, type the fully qualified domain name (FQDN) that users use to access the site in the Common name box, and then click Next.
Note If you use the server on the intranet only, you can use the NetBIOS name of the server. - On the Geographic Information or Geographical Information page, click your country in the Country/Region box, type the full name of your state or your province in the State/province box, type the full name of your city or your locality in the City/locality box, and then click Next.
- On the Certificate Request File Name page, type the complete path of the certificate request file or use the default certificate request, and then click Next.
- On the Request File Summary page, review the settings, and then click Next.
- On the Completing the Web Server Certificate Wizard page, click Finish.
- Retrieve the certificate request, and then either e-mail the request or use a floppy disk to deliver the request to your CA provider. The provider returns the signed certificate to you.
- Install the certificate on the Web server.
How to install a signed certificate
- Obtain and install a Web server certificate for the first Web server.
- Click Start, point to Programs, point to Administrative Tools, and then click Internet Services Manager or Internet Information Services (IIS) Manager.
- Expand your server name, right-click the Web site, and then click Properties.
- On the Directory Security tab, click Server Certificate.
- After the Web Server Certificate Wizard starts, click Next.
- On the Pending Certificate Request page, click Process the pending request and install the certificate, and then clickNext.
- On the Process a Pending Request page, type the full path of the certificate in the Path and file name box, and then click Next.
- On the Certificate Summary page, review the settings in the certificate, and then click Next.
- On the Completing the Web Server Certificate Wizard page, click Finish.
- Click OK.
- Stop and restart the Web site.
How to export a private key
To export the key that you installed on the first Web server, follow these steps. This key is imported to other Web servers in the farm.- Click Start, click Run, type mmc, and then click OK.
- On the Console menu in IIS 5 or the File menu in IIS 6, click Add/Remove snap-in or Add/Remove Snap-in, and then click Add.
- Click Certificates, and then click Add.
- Click Computer account, and then click Next.
- Click Local computer (the computer this console is running on), and then click Finish.
- Click Close, and then click OK.
- In the left pane, expand Certificates, and then expand Personal.
- Click Certificates under Personal.
- Right-click the Web server certificate in the right pane, point to All Tasks, and then click Export.
- After the Certificate Export Wizard starts, click Next.
- On the Export Private Key page, click Yes, export the private key, and then click Next.
- On the Export File Format page, click to select the Include all certificates in the certification path if possible check box, and then click Next.
Note If you want to enable strong protection in IIS 5 for Microsoft Internet Explorer 5.0 or for Microsoft Windows NT 4.0 service packs, click to select the Enable strong protection check box. If you do not want to turn on strong protection in IIS 6, click to clear the Enable strong protection check box. - On the Password page, type a password in the Password box, retype the password in the Confirm password box, and then click Next.
- On the File to Export page, type the file name of the exported certificate in the File name box, and then click Next.
- On the Completing the Certificate Export Wizard page, click Finish.
How to import a certificate to the Personal store
After the certificate has been exported, copy the certificate to a location on another Web server in the load balanced server farm. You must import the certificate to the computer's Personal certificate store. To import the certificate to the computer's Personal certificate store, follow these steps:- Click Start, click Run, type mmc, and then click OK.
- On the Console menu in IIS 5 or the File menu in IIS 6, click Add/Remove snap-in or Add/Remove Snap-in, and then click Add.
- Click Certificates, and then click Add.
- Click Computer account, and then click Next.
- Click Local computer (the computer this console is running on), and then click Finish.
- Click Close, and then click OK.
- In the left pane, expand Certificates, and then expand Personal.
- Right-click Certificates under Personal, point to All Tasks, and then click Import.
- When the Certificate Import Wizard starts, click Next.
- On the File to Import page, type the complete path of the file in the File name box or click Browse to locate the file, and then click Next.
- On the Password page, type the password that is assigned to the certificate in the Password box, and then click Next.
- On the Certificate Store page, click Place all certificates in the following store, confirm that Personal is selected as the store, and then click Next.
- On the Completing the Certificate Import Wizard page, click Finish.
- Click OK.
How to assign the imported certificate to the Web site
To assign the imported certificate to the Web site, follow these steps:- Click Start, point to Programs, point to Administrative Tools, and then click Internet Services Manager or Internet Information Services (IIS) Manager.
- Expand your server name, right-click the Web site, and then click Properties.
- On the Directory Security tab, click Server Certificate.
- After the Web Server Certificate Wizard starts, click Next.
- On the Server Certificate page, click Assign an existing certificate, and then click Next.
- On the Available Certificates page, click the certificate that you imported, and then click Next.
- On the Certificate Summary page, review the settings, and then click Next.
- On the Completing the Web Server Certificate Wizard page, click Finish.
- Click OK.
