IIS 10

Cloudflare Origin Server Certificate for IIS 10 Server on Windows Server 2016 to allow Full (strict) mode SSL/TLS encryption mode 8

 in Applications  tagged certificate / cloudflare / iis / IIS 10 / Origin Server / server by

Create a Certificate Request from your Windows Server

  1. Open Internet Information Services (IIS) Manager from the Windows Server 2016 through Control Panel -> Administrative Tools
  2. Select your server from the Connections and open Server Certificates
  1. From the Server Certificates Actions select Create Certificate Request
  1. Fill in the following form with your details: 
Common name: [your domain]
Organization: [your organization name]
etc.
  1. Set the settings for the Cryptographic service provider of the certificate, the bigger the length of the certificate the better the security but it makes the server slower.
  1. Specify the filename of the txt file where you will save the certificate request

Create the certificate from Cloudflare using your own certificate request that you created from your Windows Server

  1. Open your Cloudflare account, select your domain, open SSL/TLS tab and click on Origin Server in order to create the certificate
  1. Select the option ‘I have my own private key and CSR’ where you will Copy-Paste the certificate you saved on the txt file from your Windows Server, fill in the hostnames, select the expiration years and press Next
  1. Copy-Paste in PEM key format the certificate in a text file and save the file

Add the public certificate from Cloudflare at your Windows Server

  1. Copy the file with the PEM certificate from Cloudflare at your Windows Server
  2. Select ‘Complete Certificate Request’ from the IIS Manager Server Certificates Actions
  1. Select the PEM certificate you copied at the server and add a friendly name (e.g. the domain it covers and the expiration date of it):
  1. The certificate will appear at the list of the Server Certificates with the Friendly name you added at the form before

Import Cloudflare Origin CA root certificate at your Windows server

  1. Copy the Cloudflare Origin CA — RSA Root certificate from Cloudflare website, save to a file and transfer it to your Windows Server
  2. Open the Certificates Microsoft Management Console (MMC) snap-in by typing mmc.exe at the command prompt (or at the run dialog that you can open by pressing the buttons Win+R)
  3. On the File menu, select Add/Remove Snap-in
  1. In the Add or Remove Snap-ins dialog box, select Certificates snap-in in the Available snap-ins list, click Add, and then select OK
  1. In the Certificates snap-in dialog-box, select Computer account, and then select Next
  1. In the Select computer dialog box, click on Finish
  1. In the Add or Remove Snap-ins dialog box, select OK
  1. In the Certificates MMC snap-in, expand Certificates, right-click Intermediate Certification Authorities, point to All Tasks, and then select Import
  1. In the Certificate Import Wizard, select Next
  1. In the File to Import page, select the file with the Cloudflare origin CA root certificate you saved before, and then select Next
  1. Select Next at the Certificate Import Wizard
  1. Select Finish at the Certificate Import Wizard
  1. The certificate will appear at the Certificates list

Use the newly created server origin certificate from Cloudflare for your website

  1. Select Bindings from the IIS Manager Web Site Actions
  1. Select the https binding and click Edit. If you do not have an https binding, press Add... to create one like in the second screen down
  1. At the SSL certificate dropdown list Select the new certificate and press OK

Force your website domain to pass through Cloudflare

  1. Open your Cloudflare account, select your domain, go to DNS option and change the Proxy status for your website from DNS only to Proxied by click it
  1. Enable Cloudflare full (strict) SSL TLS encryption mode in the SSL/TLS tab