The system administrator can replace an expired certificate or a self-signed certificate with one from a certificate authority to ensure security in a distributed deployment environment.

About this task

You can use a Subject Alternative Name (SAN) certificate on multiple machines. Import the certificate to the trusted root certificate store of all machines on which you installed the Website Component and Manager Service (the IIS machines) during the IaaS installation.


  1. Obtain a certificate from a trusted certificate authority.
  2. Open the Internet Information Services (IIS) Manager.
  3. Double-click Server Certificates from Features View.
  4. Click Import in the Actions pane.
    1. Enter a file name in the Certificate file text box, or click the browse button (…), to navigate to the name of a file where the exported certificate is stored.
    2. Enter a password in the Password text box if the certificate was exported with a password.
    3. Select Mark this key as exportable.
  5. Click OK.
  6. Click on the imported certificate and select View.
  7. Verify that the certificate and its chain is trusted.

    If the certificate is untrusted, you see the message, This CA root certificate is not trusted.


    You must resolve the trust issue before proceeding with the installation. If you continue, your deployment fails.

  8. Update IIS bindings.
    1. Select the site that hosts the component Web site and model manager.
    2. Click Bindings in the Action pane.
    3. Click Edit on the https (443) in the Site Bindings dialog box.
    4. Change the SSL certificate to the newly imported one.
  9. Restart IIS or open an elevated command prompt window and type iisreset.