How do I install an SSL certificate on a Windows Server/IIS 10 web server?

Hello,

Our organization is running an instance of REDCap (an open-source database platform) on a Windows Server 2022 VM with IIS 10. The REDCap configuration check is indicating "recommended that you use SSL (i.e. https) on your web server when hosting REDCap. If your server does not already have an SSL certificate, you will need to obtain one."

Can someone help explain the process by which I can obtain an SSL certificate and install it on our server?

Thank you very much!

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: (this is a web-based database that is only available on our local network)

I ran this command:

It produced this output:

My web server is (include version): IIS 10

The operating system my web server runs on is (include version): Windows Server 2022

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Don't know

1 Like

Is the domain in the public DNS? If not, you cannot get a certificate using Let's Encrypt (or any other publicly trusted CA for that matter).

3 Likes

Hello,

Thanks very much for your note. No, it is not in the public DNS. It is only visible/available from computers on our LAN. That said, do you know how I would go about obtaining/installing a certificate that would allow https connections to that server?

Much obliged!

1 Like

As said before: you can't obtain a certificate from a publicly trusted CA for a local-only hostname. You can, however, use e.g. a self-signed (not trusted by default) certificate or set up your own private CA. There are multiple guides to do so on the internet.

I'm a Linux-only guy, so I personally wouldn't know. Perhaps someone else might, but you'd need a certificate first, obviously.

1 Like

Thank you very much. In the meantime, I found a thread on StackExchange that seems to explain how to do it.

Many thanks!

1 Like

If your clients are all joined to your Windows AD domain [assuming you have an AD domain], then they would trust any cert issued by your domain CA.

If you have clients that are NOT joined to your domain [or you don't have an AD domain], then they would have to either:

  • be provided with a cert from a trusted CA
  • manually install/trust the CA cert that signed the cert you created

4 Likes
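
The self-signed route mentioned in the replies above, sketched in PowerShell for IIS 10 as an added example that is not part of the original thread. The hostname `redcap.corp.example`, the site name `Default Web Site` and the export path are assumptions; substitute your own values.

```powershell
# Run in an elevated PowerShell session on the IIS server.
Import-Module WebAdministration

$HostName = 'redcap.corp.example'        # assumption: internal DNS name clients use
$SiteName = 'Default Web Site'           # assumption: IIS site hosting REDCap
$CerPath  = Join-Path $env:TEMP 'redcap-internal.cer'

# 1. Create the certificate in the machine store. -DnsName fills the
#    Subject Alternative Name, which browsers check instead of the CN.
#    NonExportable keeps the private key from being copied off the server.
$cert = New-SelfSignedCertificate `
    -DnsName $HostName `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy NonExportable `
    -NotAfter (Get-Date).AddYears(1) `
    -FriendlyName "REDCap internal HTTPS ($HostName)"

# 2. Add an HTTPS binding for that hostname if the site has none yet
#    (SslFlags 1 = SNI), then attach the certificate by thumbprint.
#    A binding that already holds a certificate must be cleared first.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 `
        -HostHeader $HostName -SslFlags 1
}
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# 3. Export only the public certificate (no private key) for distribution.
Export-Certificate -Cert $cert -FilePath $CerPath | Out-Null
"Exported $CerPath with thumbprint $($cert.Thumbprint)"

# 4. On each client that does not already trust it, in an elevated session,
#    confirm the thumbprint matches the value printed above, then import:
#
#    (Get-PfxCertificate -FilePath .\redcap-internal.cer).Thumbprint
#    Import-Certificate -FilePath .\redcap-internal.cer `
#        -CertStoreLocation 'Cert:\LocalMachine\Root'
```

Until step 4 is done on a client, its browser will show a certificate warning for the site, which is the "not trusted by default" behaviour described above.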

Personally I'd suggest just using a name that's valid in your public DNS and getting a real trusted certificate. You can use DNS domain validation instead of HTTP domain validation so that you don't need to expose the server to the public internet (as required by HTTP validation). Domain validation is the process whereby the Certificate Authority (Let's Encrypt) checks that you control the domain in question before issuing a cert.

As the developer I'm biased but I'd suggest firing up https://certifytheweb.com and giving that a spin. There's a bunch of different DNS providers supported: DNS Validation (dns-01) | Certify The Web Docs

The general process is to set your IIS bindings to include the correct hostname your certificate is going to be for (e.g. redcap.whatever.yourdomain.com) then in the app:

  • choose New Certificate and select your IIS Site; the hostname(s) will be listed for inclusion in the cert
  • on the Authorization tab, set up your DNS validation credentials (or try it out temporarily with the Manual DNS option).
  • click Request Certificate to start the process. Once complete, you will have a certificate automatically applied to the IIS bindings matching the hostname(s) on the cert.

4 Likes
