Using a Wildcard certificate on multiple Webservers
The following advice is from Microsoft's website:
In IIS 5.0, to use the wildcard certificate you have just installed on the original
server (the one that made the certificate request) on other servers as well, you must:
- Export the certificate and its private key from the original IIS server to
a Personal Information Exchange - PKCS #12 (PFX) file
- Import the certificate and private key from that PKCS #12 (PFX) file into
each new server
A wildcard certificate is valid for every host name under the domain it covers, so the
same key pair ends up on every server it is installed on; a compromise of one copy of the
private key affects all of them. Treat the PFX file accordingly.
In IIS 5.0, you can export the private key in PKCS #12 format (*.pfx) using
the Certificate Export Wizard. The wizard can only export the private key if the key was
marked exportable when the certificate was installed; otherwise the export option is greyed out.
- Start Internet Services Manager (under Administrative Tools).
- Display the properties of the Web site (right-click the site and click Properties).
- Click the Directory Security tab.
- Under Secure communications, click the View Certificate button.
Certificate is displayed.
- Click Details tab.
- Click Copy to File... button.
Certificate Export Wizard starts.
- Click the Next button.
Export Private Key page appears.
- Select Yes, export the private key, and click the Next button.
Export File Format page appears.
- Select Personal Information Exchange - PKCS #12 (PFX)
- Select Include all certificates in the certification path if possible, so that the
issuing CA certificates travel with the server certificate and the new server can present
the full chain to clients.
IMPORTANT: ensure all other check boxes are NOT checked, especially Delete the private
key if the export is successful: if the private key is deleted from this server, SSL
operations on this server will cease. Then click the Next button.
- Password page appears.
Enter a strong password and click the Next button. The PKCS #12 file encrypts the private
key with this password, and it is the only thing protecting the key while the file is copied
between servers.
- File to Export page appears.
Enter the file name, and click the Next button.
- Completing the Certificate Export Wizard page appears.
Click the Finish button.
The certificate is exported to the file, and "The export was successful" message
appears.
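The same export, as a script rather than wizard clicks. This is an added example and is not
part of the Trustis document or Microsoft's IIS 5.0 instructions: it uses the PKI module cmdlets
(Export-PfxCertificate, Get-PfxData) that exist on Windows 8 / Server 2012 and later, since
Windows 2000 has no PowerShell. The wildcard name and output path are assumed values. It finds
the certificate by its subject CN, refuses to continue if the key is missing, exports with the
chain included, reads the file back to confirm it contains what the wizard would have written,
and restricts the file's ACL. Unlike the wizard, Export-PfxCertificate has no option to delete
the private key, so the hazard called out above cannot occur here.

```powershell
# Added example (not from the Trustis document). Run in an elevated session on
# the server that holds the private key. Requires the PKI module (Windows 8 /
# Server 2012 or later); assumed values below are marked.

param(
    # Host name pattern in the wildcard certificate's subject CN (assumed value).
    [string]$WildcardName = '*.example.com',
    # Where to write the PFX (assumed path).
    [string]$OutFile = 'C:\secure\wildcard.pfx'
)

$ErrorActionPreference = 'Stop'

# 1. Find the wildcard certificate in the machine's Personal store
#    (Cert:\LocalMachine\My), which is the store IIS reads from. The '*' is
#    escaped so it is matched literally and not as a regex metacharacter.
$pattern = 'CN=' + [regex]::Escape($WildcardName) + '(,|$)'
$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -match $pattern })
if ($candidates.Count -ne 1) {
    throw "Expected exactly one certificate for $WildcardName, found $($candidates.Count)."
}
$cert = $candidates[0]

# 2. 'Yes, export the private key' is only possible if the key is present here.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key in this store."
}

# 3. Prompt for the PFX password instead of embedding it in the script.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# 4. Export with the chain included ('Include all certificates in the
#    certification path'). The key stays in this server's store.
$null = New-Item -ItemType Directory -Force -Path (Split-Path $OutFile)
Export-PfxCertificate -Cert $cert -FilePath $OutFile -Password $pfxPassword `
    -ChainOption BuildChain -Force | Out-Null

# 5. Read the file back before it leaves this machine: it must contain the
#    same end-entity certificate, and should contain the issuer certificates.
$pfx = Get-PfxData -FilePath $OutFile -Password $pfxPassword
$exported = @($pfx.EndEntityCertificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint })
if ($exported.Count -ne 1) {
    throw 'Exported PFX does not contain the selected certificate.'
}
if (@($pfx.OtherCertificates).Count -eq 0) {
    Write-Warning 'No issuer certificates were included; the chain may not be installed on this server.'
}

# 6. The file now holds the private key: drop inherited permissions and allow
#    only Administrators and SYSTEM.
icacls $OutFile /inheritance:r /grant:r 'BUILTIN\Administrators:(F)' 'NT AUTHORITY\SYSTEM:(F)' | Out-Null

Write-Host "Exported $($cert.Thumbprint) ($($cert.Subject)) to $OutFile"
```

Copy the resulting file to the new server over an authenticated channel, and keep the password
out of the same channel as the file.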
To import a certificate from a PFX file on the new server, you will need the Microsoft
Management Console (MMC) with the Certificates snap-in.
To add Certificates (Local Computer) to a new MMC console:
- Click Start, click Run, type mmc, and then click OK.
- On the Console menu, click Add/Remove Snap-in, and then click Add.
- Under Snap-in, select the Certificates snap-in and click Add.
- Select "This snap-in will always manage certificates for" Computer account.
- Select "This snap-in will always manage" Local computer (the computer this
console is running on), and then click Finish.
- Click Close in the list of available snap-ins.
- Click OK in the Add/Remove Snap-in window.
Now that you have access to the Certificates snap-in, you can import the
server certificate into your computer's certificate store by following these steps:
- Open the Certificates (Local Computer) snap-in and navigate to Personal,
and then Certificates.
- Right-click Certificates (or Personal if that option does not exist.)
- Choose All Tasks, and then click Import.
- When the wizard starts, click Next. Browse to the pfx file you created
containing your server certificate and private key. Click Next.
- Enter the password you gave the PFX file when you created it. Select Mark this key as
exportable only if you need to be able to export the key pair again from this computer.
Leaving it unchecked is the safer choice for a Web server: the key can still be used for
SSL/TLS, but the Certificate Export Wizard will refuse to copy it out. Note that this is a
software flag enforced by CryptoAPI, not a hardware boundary: it stops routine export and
backup, but a local administrator with sufficient privileges and tooling can still recover
the key from the machine.
- Click Next, and then choose the certificate store to save the certificate to. Select
Personal, because it is a Web server certificate. If you included the certificates in the
certification path and chose to place all certificates in that store, the issuing CA
certificates are placed in Personal as well; move them to Intermediate Certification
Authorities (and a root, if present, to Trusted Root Certification Authorities), which is
where Windows expects them when it builds the chain.
- Click Next. You should see a summary screen showing what the wizard
is about to do. If this information is correct, click Finish.
- You will now see the server certificate for your Web server in the list of Personal
Certificates. It will be denoted by the common name of the server (found in the subject
section of the certificate).
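The import, as a script on the new server. This is an added example and is not part of the
Trustis document or Microsoft's instructions; it uses Import-PfxCertificate and Get-PfxData from
the PKI module (Windows 8 / Server 2012 and later), and the file path is an assumed value. The
default is the secure choice from the step above (key not exportable); the switch exists for the
case where you do need a re-exportable copy. After importing it checks the installed certificate
by thumbprint, confirms the private key came with it, tries to build the chain to a trusted root
on this machine, and deletes the PFX file.

```powershell
# Added example (not from the Trustis document). Run in an elevated session on
# the new server after copying the PFX there. Requires the PKI module.

param(
    # Location of the copied PFX (assumed path).
    [string]$PfxFile = 'C:\secure\wildcard.pfx',
    # Off by default: equivalent to leaving 'Mark this key as exportable' unchecked.
    [switch]$KeyExportable
)

$ErrorActionPreference = 'Stop'
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# 1. Import into the machine Personal store (Cert:\LocalMachine\My), where IIS
#    looks. Without -Exportable the private key is usable for TLS but cannot
#    be exported again through CryptoAPI.
$importArgs = @{
    FilePath          = $PfxFile
    CertStoreLocation = 'Cert:\LocalMachine\My'
    Password          = $pfxPassword
}
if ($KeyExportable) { $importArgs['Exportable'] = $true }
Import-PfxCertificate @importArgs | Out-Null

# 2. Verify against the file: the end-entity certificate in the PFX must now
#    be in the store together with its private key.
$fromFile  = Get-PfxData -FilePath $PfxFile -Password $pfxPassword
$expected  = $fromFile.EndEntityCertificates[0].Thumbprint
$installed = Get-Item "Cert:\LocalMachine\My\$expected"
if (-not $installed.HasPrivateKey) {
    throw "Certificate $expected was imported without its private key."
}

# 3. Check that this machine can build the chain (intermediates present in
#    the CA store, root trusted). A failure here means clients will see an
#    incomplete or untrusted chain even though the key works.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($installed)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    Write-Warning "Chain does not validate on this server: $status"
}

# 4. The PFX is no longer needed on this server and still contains the key.
Remove-Item -Path $PfxFile -Force

Write-Host "Installed $expected ($($installed.Subject)); key exportable: $($KeyExportable.IsPresent)"
```

Import-PfxCertificate places the end-entity certificate in the store you name; if the chain
warning fires, install the issuing CA certificates from the PFX into Intermediate Certification
Authorities and re-run the chain check.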
To enable Internet Information Services 5.0 to use the imported certificate
(and the corresponding private key) perform the following steps:
- Open the Internet Services Manager (under Administrative Tools) and navigate to the Web
site you want to enable secure communications (SSL/TLS) on.
- Right-click on the site and click Properties.
- You should now see the properties screen for the Web site. Click the Directory
Security tab.
- Under the Secure Communications section, click Server
Certificate.
- This will start the Web Server Certificate Wizard. Click Next.
- Choose the Assign an existing certificate option and click Next.
- You will now see a screen showing the contents of your computer's Personal certificate
store. Highlight your Web server certificate (denoted by the common name), and then click Next.
- You will now see a summary screen showing you all the details about the certificate you
are installing. Be sure that this information is correct or you may have problems using
SSL or TLS in HTTP communications.
- Click Next, and then click OK to exit the wizard.
You should now have an SSL/TLS-enabled Web server. Protect your PFX files from any
unauthorised personnel: they contain the private key, so restrict who can read them, delete
them from every server once the import is done, and keep any long-term backup copy offline
under the same controls as the key itself.
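Assigning the certificate to the site, and then proving from the outside that the server
presents it. This is an added example and is not part of the Trustis document or Microsoft's
IIS 5.0 instructions: it uses the WebAdministration module of IIS 7 and later (IIS 5.0 has no
equivalent scripting interface, and the steps are assumed to correspond to the wizard above).
Site name, host name and thumbprint are assumed inputs. The final check opens a real TLS session
to the local server with the host name as SNI and compares the thumbprint of whatever certificate
was served against the one you installed, which catches the common mistakes (wrong site, wrong
binding, or an old certificate still bound on the port) that the wizard's summary screen does not.

```powershell
# Added example (not from the Trustis document). Run in an elevated session on
# the IIS server after the import step. Requires the WebAdministration module.

param(
    # IIS site to secure (assumed name).
    [string]$SiteName = 'Default Web Site',
    # A host name the wildcard certificate covers (assumed value).
    [string]$HostName = 'www.example.com',
    # Thumbprint of the imported certificate, from Cert:\LocalMachine\My.
    [Parameter(Mandatory)][string]$Thumbprint
)

$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

# 1. The certificate must be in the machine Personal store with its key, or
#    the handshake will fail even though the binding is created.
$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) { throw "$Thumbprint has no private key; TLS would fail." }

# 2. Create an https binding if the site has none, then assign the
#    certificate to it ('Assign an existing certificate').
$binding = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
if (-not $binding) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
    $binding = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
}
$binding.AddSslCertificate($Thumbprint, 'my')

# 3. Verify from the client side. The validation callback accepts any
#    certificate only so that the handshake completes and we can read what
#    was presented; the thumbprint comparison below is the real check.
function Test-PresentedCertificate {
    param([string]$TargetHost, [string]$ExpectedThumbprint, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient('localhost', $Port)
    try {
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $tls = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $tls.AuthenticateAsClient($TargetHost)   # TargetHost is sent as SNI
        $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
        return [pscustomobject]@{
            Subject    = $presented.Subject
            Thumbprint = $presented.Thumbprint
            Matches    = ($presented.Thumbprint -eq $ExpectedThumbprint)
        }
    } finally {
        $tcp.Close()
    }
}

$result = Test-PresentedCertificate -TargetHost $HostName -ExpectedThumbprint $Thumbprint
if (-not $result.Matches) {
    throw "Server presented $($result.Thumbprint) ($($result.Subject)), expected $Thumbprint."
}
Write-Host "$SiteName now serves $($result.Subject) for $HostName"
```

On IIS 5.0 each SSL-enabled site needs its own IP address, because that version does not
support SNI; on IIS 8 and later the same wildcard certificate can serve several sites on one
address by adding host-header bindings with the SNI flag.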
Copyright © Trustis Limited 2010. All Rights
Reserved
This document is licensed for use only in conjunction with the use of Trustis Trust
Services