SSL Hell - Multiple web servers in a cluster

I was following the instructions that GoDaddy provided to install a new SSL cert on IIS6. These instructions cover how to get up and running on one web server, but they don't detail how to export the cert to other web servers. The site I was working on had several in a cluster.

So I thought I'd detail what worked for me. The trick is to export the cert to a .pfx file. Note: the steps below are intended to be followed after you've already set up the certificate on the first web server.

To do this, first get the certificates snap-in set up. GoDaddy's instructions for this are pasted below:

  • Click the Start menu and click Run.... Type mmc in the Run window and click OK to start the Microsoft Management Console (MMC).
  • In the Management Console, select File then Add/Remove Snap In.
  • In the Add or Remove Snap-ins dialog, click the Add button and then select Certificates.
  • Choose Computer Account then click Next.
  • Choose Local Computer, then click Finish.
  • Close the Add or Remove Snap-ins dialog and click OK to return to the main MMC window.

Now you're ready to export:
  • Browse to Personal -> Certificates.
  • Right click the certificate you need to export in the right hand window and select "All Tasks" -> Export ...
  • Click Next on the first (meaningless) page of the wizard.
  • Select "Yes, export the private key" and click Next.
  • Leave the defaults selected (just "Enable strong protection" checked) and click Next.
  • Type in a password that you won't forget and click Next.
  • Browse to a location to export to and click Next.
  • Click Finish.
It is important that you do specify a password, or the import on the other servers will not go smoothly. Now for the importing:
  • Copy the .pfx file to an additional web server.
  • Get the certificates snap-in up on the new server (same instructions as above).
  • Under Personal -> Certificates, right click the folder and select "All Tasks" -> Import ...
  • Browse to the .pfx file (you will need to change the "Files of type" drop down in order to see it).
  • Click Next through the wizard, leaving the other defaults.
  • Don't forget to import the intermediate certificate! That is the same as on the first web server.
That is it. Now in IIS you can select that cert for the site. You won't be responding to a CSR (certificate signing request) like the first time; you'll just be choosing an existing certificate.
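The same export/import, scripted so it can be repeated on every node of the cluster, as an added example that is not part of the original post. It uses the .NET X509 classes (available since .NET 2.0) rather than the snap-in; the thumbprint, the file paths and the assumption that the intermediate is a single .cer file are placeholders, not values from the post.

```powershell
# Added example, not from the original post: the snap-in export/import done in PowerShell
# with the .NET X509 classes, so it can be repeated on every node. Thumbprint and file
# paths are placeholders; the intermediate is assumed to be a single .cer file.
$X509 = 'System.Security.Cryptography.X509Certificates'

function Export-SitePfx {
    param([string]$Thumbprint, [string]$PfxPath, [Security.SecureString]$Password)
    # LocalMachine\My is the "Personal -> Certificates" folder shown in the snap-in
    $store = New-Object -TypeName "$X509.X509Store" -ArgumentList 'My', 'LocalMachine'
    $store.Open('ReadOnly')
    $cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint }
    $store.Close()
    if (-not $cert)               { throw "No certificate $Thumbprint in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw 'No private key here; export from the first web server' }
    # Pfx content type = "Yes, export the private key"; the password encrypts the key in the file
    $bytes = $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
    [IO.File]::WriteAllBytes($PfxPath, $bytes)
}

function Import-SitePfx {
    param([string]$PfxPath, [Security.SecureString]$Password, [string]$IntermediatePath)
    # MachineKeySet puts the key in the machine container so IIS (not just your user) can use it;
    # PersistKeySet keeps the key on disk after this script exits
    $flags = [Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet, PersistKeySet'
    $cert  = New-Object -TypeName "$X509.X509Certificate2" -ArgumentList $PfxPath, $Password, $flags
    $store = New-Object -TypeName "$X509.X509Store" -ArgumentList 'My', 'LocalMachine'
    $store.Open('ReadWrite')
    $store.Add($cert)
    $store.Close()
    # Don't forget the intermediate: 'CA' is the Intermediate Certification Authorities store
    if ($IntermediatePath) {
        $inter = New-Object -TypeName "$X509.X509Certificate2" -ArgumentList $IntermediatePath
        $ca = New-Object -TypeName "$X509.X509Store" -ArgumentList 'CA', 'LocalMachine'
        $ca.Open('ReadWrite'); $ca.Add($inter); $ca.Close()
    }
    # Check: IIS can only bind a cert whose private key is attached on this machine
    $store.Open('ReadOnly')
    $check = $store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    $store.Close()
    if (-not $check -or -not $check.HasPrivateKey) { throw 'Imported, but the private key is missing' }
    return $check
}

# On the first web server (the one already set up):
#   Export-SitePfx -Thumbprint '<thumbprint>' -PfxPath 'C:\certs\site.pfx' -Password (Read-Host 'PFX password' -AsSecureString)
# On each additional node, after copying site.pfx and the intermediate file over:
#   Import-SitePfx -PfxPath 'C:\certs\site.pfx' -Password (Read-Host 'PFX password' -AsSecureString) -IntermediatePath 'C:\certs\intermediate.cer'
```

Run both functions from an elevated prompt; the final check fails if the key did not land on the new node, which is the usual reason the cert is not offered in the IIS binding dialog.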
