How to install (update) SSL certificate for a website in Windows NLB cluster

Tags: iis-6, ssl-certificate, windows-server-2003

I wanted to ask what the proper procedure is for installing an SSL certificate onto two servers running IIS6 that are in an NLB load balancing configuration.

Yesterday I installed the certificates according to what I believed to be the correct procedure. Shortly after this I was getting cert errors on my iPhone (but nowhere else: Chrome, IE and Firefox were all fine).

Since then the site's SSL is not generating errors on my iPhone either (Safari, Chrome), but I don't feel confident that I've done this properly…

  • In IIS 6 request the certificate using the update option.

  • Use the resulting CSR to get the certificates (from GoDaddy).

Root cert…

  • Using the acquired certificates, complete the pending request in IIS6.

  • Still in IIS6 export the cert.

  • On the other server, import the cert into the 'Personal Certificates' store in the Certificates snap-in in MMC.

  • In IIS6 (still other server) choose the 'change certificate' option, and choose the newly imported certificate.

Intermediate cert…

  • Import the intermediate cert into the "Intermediate Certification Authorities" store.

  • Here's where I'm unsure if I've done the right thing: I didn't export the imported intermediate certificate and then import it on the other server. Rather, I simply imported the same file again. I did this because I seem to remember learning in the past that the export/import did not need to be done for the intermediate certificate. (Also, to this day I still don't fully understand what the purpose/point of the intermediate certificate is. I believe it is provided to support very old browsers?)

So my question is: have I done this right? Is this the valid procedure for updating SSL on load balanced servers running IIS6?

Edit: Upon further investigation (with the help of https://www.ssllabs.com/ssltest/) I have discovered that the intermediate certs weren't present on the first server (I could have sworn I installed them, but obviously I didn't). I have now installed them, and my site passes the "Additional certificates" test for each server.

Best Answer

The intermediate cert does not need export/import, only import (it does not contain a private key).

You did everything right, as long as you have exported the cert on ServerA WITH the private key and imported it to ServerB WITH the private key. But this seems to be the case, as IIS accepted the certificate. All good.
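The two points the answer makes (the site cert must travel between NLB nodes with its private key, the intermediate is a plain import with no key) can be scripted and checked rather than clicked through. The following is an added example, not code from the question or the answer, written in PowerShell against the .NET X509 classes so it does not depend on IIS-version-specific tooling. The subject `CN=www.example.com`, the paths under `C:\certs\` and the PFX password are hypothetical placeholders; the store names `My` and `CA` are the real LocalMachine stores that the MMC snap-in labels "Personal" and "Intermediate Certification Authorities".

```powershell
# Added example (not from the original post). Assumptions, all hypothetical:
#   - the completed site cert lives in LocalMachine\My on ServerA as CN=www.example.com
#   - the GoDaddy intermediate was downloaded to C:\certs\gd_intermediate.crt
#   - the PFX is copied to ServerB over a trusted channel and deleted afterwards
param(
    [ValidateSet('Export','Import','Intermediate','Test')] [string]$Action = 'Test',
    [string]$Subject      = 'CN=www.example.com',            # hypothetical site name
    [string]$PfxPath      = 'C:\certs\www.example.com.pfx',   # hypothetical export path
    [string]$Intermediate = 'C:\certs\gd_intermediate.crt',   # hypothetical intermediate file
    [string]$PfxPassword  = 'ChangeMe!'                       # placeholder; protects the key inside the PFX
)

$X509     = 'System.Security.Cryptography.X509Certificates'
$Machine  = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
$ReadWrite = [System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite

function Open-Store([string]$Name) {
    $store = New-Object "$X509.X509Store"($Name, $Machine)
    $store.Open($ReadWrite)
    return $store
}

function Get-SiteCertificate([switch]$RequirePrivateKey) {
    $my = Open-Store 'My'
    $cert = $my.Certificates |
        Where-Object { $_.Subject -eq $Subject -and (-not $RequirePrivateKey -or $_.HasPrivateKey) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1   # newest cert wins after a renewal
    $my.Close()
    if (-not $cert) { throw "No certificate for $Subject (private key required: $RequirePrivateKey)" }
    return $cert
}

# ServerA: export the site cert WITH its private key as a PFX (PKCS#12).
# Export throws if the key was generated as non-exportable; then the key cannot leave ServerA.
function Export-SiteCertificate {
    $cert  = Get-SiteCertificate -RequirePrivateKey
    $pfx   = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
    $bytes = $cert.Export($pfx, $PfxPassword)
    [System.IO.File]::WriteAllBytes($PfxPath, $bytes)
    Write-Host "Exported $($cert.Thumbprint) with private key to $PfxPath"
}

# ServerB: import the PFX into LocalMachine\My. MachineKeySet + PersistKeySet keep the key
# in the machine key container so the IIS worker process (not just this user) can use it.
function Import-SiteCertificate {
    $ksf   = "$X509.X509KeyStorageFlags" -as [type]
    $flags = $ksf::MachineKeySet -bor $ksf::PersistKeySet -bor $ksf::Exportable
    $cert  = New-Object "$X509.X509Certificate2"($PfxPath, $PfxPassword, $flags)
    if (-not $cert.HasPrivateKey) { throw "$PfxPath carries no private key; IIS cannot serve with it" }
    $my = Open-Store 'My'
    $my.Add($cert)
    $my.Close()
    Write-Host "Imported $($cert.Thumbprint) into LocalMachine\My with private key"
}

# Both servers: the intermediate has no private key, so the same .crt file is imported
# on every node; there is nothing to export.
function Import-Intermediate {
    $ca = New-Object "$X509.X509Certificate2"($Intermediate)
    if ($ca.HasPrivateKey) { throw "Intermediate unexpectedly has a private key; wrong file?" }
    $store = Open-Store 'CA'      # shown as "Intermediate Certification Authorities" in MMC
    $store.Add($ca)               # no-op if it is already present
    $store.Close()
    Write-Host "Intermediate $($ca.Thumbprint) present in LocalMachine\CA"
}

# Each node: confirm the site cert has its key and chains to a trusted root using only
# the local stores (revocation is skipped so the check works without network access).
function Test-Chain {
    $cert  = Get-SiteCertificate
    $chain = New-Object "$X509.X509Chain"
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($cert)
    $chain.ChainElements | ForEach-Object { Write-Host ("  " + $_.Certificate.Subject) }
    if (-not $built) { $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation } }
    if (-not $cert.HasPrivateKey) { Write-Warning "Site cert has no private key on this node" }
    return ($built -and $cert.HasPrivateKey)
}

switch ($Action) {
    'Export'       { Export-SiteCertificate }
    'Import'       { Import-SiteCertificate }
    'Intermediate' { Import-Intermediate }
    'Test'         { Test-Chain }
}
```

Run it with `-Action Export` on ServerA, copy the PFX to ServerB, run `-Action Import` and `-Action Intermediate` there (and `-Action Intermediate` on ServerA too, which is the step the question found missing), then `-Action Test` on each node and delete the PFX, since it holds the private key. The script puts the certificate in the store; the "Replace the current certificate" step in IIS Manager on each node is still needed to bind it to the site. Note that `Test-Chain` only proves the chain builds from the local stores; whether IIS actually sends the intermediate to clients is what the SSL Labs "Additional certificates" check observes from outside, and a node that does not send it is a classic cause of errors on some clients but not others, because Windows clients will fetch a missing intermediate from the AIA URL in the certificate while other clients may not.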