Import and Assign StartSSL Certificates in Windows, Part 4 of 4.

Setup StartSSL Certificates: Import and Assign StartSSL Certificates in Windows, Part 4 of 4.

Last updated  March 2nd, 2014 by Steven Jordan

Takeaway: This article introduces the Windows Certificate Store. The Microsoft Management Console (MMC) Certificate Snap-In imports the StartSSL certificate for use with any SSL application. This is the fourth part in a four-part series on how to use StartSSL certificates.

Additional StartSSL articles: 
1.  Sign-up:  Register with StartSSL.
2.  Personal Certificates:  Back-up and authenticate to StartSSL with personal certificates.
3.  New Cert:  Generate the StartSSL certificate.
4.  Windows Certificate Management:  Import the StartSSL certificate into Windows.

Install the Certificate:

   There is a common misconception that IIS is responsible for the entire certificate management process.  Of course, you can continue to use the limited IIS certificate tools.
Managing Certificates via IIS.
   However, you'll miss out on some great benefits:  maintain private keys; deploy single certificates to multiple servers; use certificates for applications other than IIS (e.g., BranchCache, VPNs, smart cards, etc.); and learn the foundation of Windows PKI.  Drop the IIS certificate tool and welcome the world of the Windows Certificate Manager.

1.  Open the Certificate Snap-In:

   Import the PFX with the Windows Certificate Snap-In:  Click Start → Run → type certsrv.msc.

   The MMC is an alternative method to access the Certificate Snap-In:  Start → Run → type mmc

   From the MMC:  File → Add/Remove Snap-In → find and click Certificates → click Add → choose to manage certificates for the Local Computer → click OK.
   The Local Computer Certificates Snap-In presents a logical view for all certificates associated with the computer.  Certificates in the Computer store are also accessible from the user certificate store (similar to Group Policy management).

2.  Start the Import Wizard.

   Managed certificates (i.e., those with private keys) are located in the Personal certificate store.  To import a PFX, expand the Personal folder → right click on Certificates → click All Tasks → click Import.
   The Certificate Import Wizard begins.  From the Wizard, browse to the directory that contains the PFX file.  It's important to change the file type from X.509 Certificate to Personal Information Exchange.

   Click on the PFX file and click Open and click Next.

3.  Private Key Protection.

   Type or paste the private key password in the appropriate field.  You may mark the key as exportable.  Check Include all extended properties.  Click Next.

4.  Choose the Certificate Store Location.

Use the default location (i.e., Personal), and click Next and Finish.   

The StartSSL certificate installation is complete.  The certificate works with any SSL-enabled application.  The following example demonstrates how to use the certificate with IIS.

Assign the StartSSL Certificate to an IIS Site:

1.  Open IIS.

Start → Administrative Tools → Internet Information Services (IIS) Manager.

2.  Edit site bindings.

From the IIS Manager, click the server name → expand the Sites folder → select your web site → click on Bindings.

3.  Assign the StartSSL certificate.

Check for an https binding.  Click on the Add button if there is no https binding.

If the https binding is listed, highlight the https binding, and click Edit.

4.  Edit Site Bindings:

IP address:  Add the site IP or choose All Unassigned.
SSL Certificate:  Choose your new StartSSL certificate.

Click OK. Your StartSSL certificate is now assigned to your website and accepts secure connections.
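
The import and binding steps above can also be scripted. The following PowerShell is an added example, not part of the original article; it assumes Windows 8 / Server 2012 or later, an elevated session, and placeholder values for the PFX path and site name.

```powershell
# Added example. Requires the PKI and WebAdministration modules.
# Hypothetical values: adjust the PFX path and site name for your server.
$PfxPath  = 'C:\certs\example.pfx'      # placeholder path
$SiteName = 'Default Web Site'          # placeholder IIS site name

Import-Module WebAdministration

# Prompt for the PFX password so it never lands in the script or shell history.
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Import into the Local Computer "Personal" store (Cert:\LocalMachine\My).
# -Exportable is omitted on purpose, so the private key cannot be exported
# from this server again. Add the switch only if you need to move the key later.
$imported = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPassword

# Keep only an entry that carries its private key, and refuse an expired one.
$cert = $imported | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $cert) { throw 'No certificate with a private key was imported.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired $($cert.NotAfter)." }

# Create the https binding if the site has none (IP address: All Unassigned).
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443
if (-not $binding) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443
}

# If the binding already has a certificate, detach it before attaching the new one.
if ($binding.certificateHash) {
    Write-Warning "Replacing certificate $($binding.certificateHash)"
    $binding.RemoveSslCertificate()
}
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Report what was bound so the thumbprint can be checked against the issued cert.
'{0} bound to {1}, expires {2:u}' -f $cert.Thumbprint, $SiteName, $cert.NotAfter
```

Delete the PFX file from the server once the import succeeds if a protected backup copy exists elsewhere.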


  StartSSL may not be the perfect fit for every situation.  For example, VeriSign is well known and may provide peace of mind to potential customers.  The VeriSign brand is worth the extra few hundred dollars when inferred trust translates to additional sales.

  Windows CA is a better choice for domain-joined computers and users.  Windows CA falls short for hosting public-facing sites for non-domain computers.  The Windows CA certificates can be imported into private trust stores, but the warnings and additional steps will scare end-users.

  StartSSL is best suited for web development and staging environments.  It's also a good choice for hosting public facing, and non-sales related, resources (e.g., email servers).  I encourage network administrators, developers, and technology enthusiasts to take advantage of this great service. 

