Step 3: Configure the web server - AWS CloudHSM

Step 3: Configure the web server

Update your IIS website's configuration to use the HTTPS certificate that you created at the end of the previous step. This will finish setting up your Windows web server software (IIS) for SSL/TLS offload with AWS CloudHSM.

If you used a self-signed certificate to sign your CSR, you must first import the self-signed certificate into the Windows Trusted Root Certification Authorities.

To import your self-signed certificate into the Windows Trusted Root Certification Authorities
  1. If you haven't already done so, connect to your Windows server. For more information, see Connect to Your Instance in the Amazon EC2 User Guide for Windows Instances.

  2. Copy your self-signed certificate to your Windows server.

  3. On your Windows Server, open the Control Panel.

  4. For Search Control Panel, type certificates. Then choose Manage computer certificates.

  5. In the Certificates - Local Computer window, double-click Trusted Root Certification Authorities.

  6. Right-click on Certificates and then choose All Tasks, Import.

  7. In the Certificate Import Wizard, choose Next.

  8. Choose Browse, then find and select your self-signed certificate. If you created your self-signed certificate by following the instructions in the previous step of this tutorial, your self-signed certificate is named SelfSignedCA.crt. Choose Open.

  9. Choose Next.

  10. For Certificate Store, choose Place all certificates in the following store. Then ensure that Trusted Root Certification Authorities is selected for Certificate store.

  11. Choose Next and then choose Finish.

To update the IIS website's configuration
  1. If you haven't already done so, connect to your Windows server. For more information, see Connect to Your Instance in the Amazon EC2 User Guide for Windows Instances.

  2. Start the AWS CloudHSM client daemon.

  3. Copy your web server's signed certificate—the one that you created at the end of this tutorial's previous step—to your Windows server.

  4. On your Windows Server, use the Windows certreq command to accept the signed certificate, as in the following example. Replace IISCert.crt with the name of the file that contains your web server's signed certificate.

    C:\>certreq -accept IISCert.crt
    SDK Version: 2.03

  5. On your Windows server, start Server Manager.

  6. In the Server Manager dashboard, in the top right corner, choose Tools, Internet Information Services (IIS) Manager.

  7. In the Internet Information Services (IIS) Manager window, double-click your server name. Then double-click Sites. Select your website.

  8. Select SSL Settings. Then, on the right side of the window, choose Bindings.

  9. In the Site Bindings window, choose Add.

  10. For Type, choose https. For SSL certificate, choose the HTTPS certificate that you created at the end of this tutorial's previous step.

    Note

    If you encounter an error during this certificate binding, restart your server and retry this step.

  11. Choose OK.
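
The two procedures above can also be scripted. The following PowerShell is an added example, not part of the original AWS tutorial. The file paths, the site name `Default Web Site`, and port 443 are assumptions. Before binding, it checks that the accepted certificate is linked to a private key and chains to a trusted root.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumed (not from the tutorial): file paths, site name, port.
param(
    [string]$RootCaFile     = 'C:\certs\SelfSignedCA.crt',
    [string]$ServerCertFile = 'C:\certs\IISCert.crt',
    [string]$SiteName       = 'Default Web Site',
    [int]$Port              = 443
)
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

# Procedure 1: trust the self-signed CA machine-wide. Skipped if no file is present.
if (Test-Path $RootCaFile) {
    Import-Certificate -FilePath $RootCaFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
}

# Procedure 2, step 4. The AWS CloudHSM client daemon must already be running (step 2).
certreq -accept $ServerCertFile
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed (exit code $LASTEXITCODE)" }

# Find the accepted certificate in the machine store by the thumbprint of the file.
$fromFile = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ServerCertFile
$cert = Get-Item "Cert:\LocalMachine\My\$($fromFile.Thumbprint)"

# Check 1: the store entry must reference a private key, otherwise IIS cannot use it.
# This confirms the key association only, not that the key is reachable.
if (-not $cert.HasPrivateKey) { throw 'Certificate has no associated private key.' }

# Check 2: the chain must end in a trusted root (revocation is not checked here).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain $true
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($cert)) {
    throw "Chain validation failed: $(($chain.ChainStatus | ForEach-Object Status) -join ', ')"
}

# Steps 9-11: add an https binding if the site has none, then attach the certificate.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port $Port)) {
    New-WebBinding -Name $SiteName -Protocol https -Port $Port
}
(Get-WebBinding -Name $SiteName -Protocol https -Port $Port).AddSslCertificate($cert.Thumbprint, 'My')

# Confirm which certificate is now bound to the port.
Get-ChildItem IIS:\SslBindings | Where-Object Port -eq $Port |
    Select-Object IPAddress, Port, Thumbprint, Store
```

If the binding call reports an error, the note in step 10 applies: restart your server and retry.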

After you update your website's configuration, go to Step 4: Enable HTTPS traffic and verify the certificate.