Exporting the IIS SSL Certificate

Overview

This document describes how to export the SSL Certificate from a Microsoft IIS server. If the Palo Alto Networks device will be inspecting incoming traffic to a Microsoft IIS server (including the front end servers for Exchange 2003 OWA or Exchange 2007 CAS) using SSL, the server's certificate and key can be loaded for inbound SSL inspection. The following steps outline what needs to be done to export the existing IIS SSL server certificate and key.

Steps

Exporting the SSL Server Certificates and Key

1. Using the Internet Information Server (IIS) Manager MMC (Microsoft Management Console) plug in, connect to the desired server.  The default location for the plug in is Start > Programs > Administrative tools > Internet Information (IIS) Manager.
   
2. Select the Properties of the Default Web Site instance.
   Note: If a different website other than the default for the SSL service is used, select that instance instead.
   
3. Launch the Web Server Certificate Wizard by selecting the Directory Security tab from the Properties window and pressing the Server Certificate button under the Secure communications section.
   
4. Select Next from the Welcome page. Then, select "Export the current certificate to a .pfx file" and click Next.
   

After the export occurs, the .pfx file can be directly imported into the Device > Certificate page on the web GUI.

For more information on configuring SSL Decryption review the following document: SSL Decryption Quick Reference - Resources

owner: jdelio