While I work for a Microsoft SPLA partner I don’t have very many Windows based websites hosted on my equipment. Not because of any prejudice against IIS, but because the majority of my customers come from environments that already ran some manner of Unix, and free is cheaper than our SPLA monthly costs. So it’s less an issue of economics than it is of convenience. Anyway, after operating this Windows 2008 server for a few months I was finally faced with the prospect of creating my first SSL CSR and I was surprised at how much more streamlined the process has become since Windows 2003. Windows 2000 wasn’t so bad, but 2003 was just…well, let’s just say I wasn’t impressed. In about 30 seconds I had my CSR created and I was contacting the Certificate Authority (CA) to get my CSR approved. Installing the actual Certificate is as easy as selecting a file and giving it a friendly name and adding it to the binding for the site.
It’s so easy that it’s hardly worth a guide – basically you click on your server in IIS 7.0 Manager and select the “Server Certificates” icon, click “Create Certificate Request” in the right pane and follow the prompts. Then, after it creates your CSR, you submit that to the CA and install the CRT that comes back. Then you bind it to the site itself. Done. If you factor in the waiting it’s as easy to do in Windows 2008 as it is on any of my *nix boxes.
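As an added example that is not part of the original post, here is the same request done from the command line with certreq.exe (an alternative to the IIS Manager wizard), with a check that the Common Name really is the site’s FQDN before the CSR goes to the CA. The host name, directory and organisation details are assumptions for illustration.

```powershell
# Added example, not the post's own method: generate a web-server CSR on
# Windows Server 2008 with certreq.exe and verify its Common Name before
# submitting it to the CA. FQDN, paths and organisation are assumptions.
$Fqdn    = "www.mydomain.org"
$SslDir  = "C:\web\mydomain\ssl"
$InfPath = Join-Path $SslDir "$Fqdn.inf"
$CsrPath = Join-Path $SslDir "$Fqdn.csr"
New-Item -ItemType Directory -Path $SslDir -Force | Out-Null

# certreq request template. The Subject CN must be the FQDN the CA will put in
# the certificate; a company name in CN gives a cert that never matches the site.
# Exportable = FALSE keeps the private key from being copied off the server;
# set it to TRUE only if you must move the key as a .pfx to another box.
@"
[NewRequest]
Subject = "CN=$Fqdn, O=MyDomain Inc, L=Springfield, S=IL, C=US"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@ | Set-Content -Path $InfPath -Encoding ASCII

# Create the CSR; the private key is created in the machine store as a pending request.
& certreq.exe -new $InfPath $CsrPath

# Sanity check: read the CSR back with certutil and confirm the CN is the FQDN.
# Assumes certutil's dump prints the subject as a "CN=..." line (it does on 2008).
function Test-CsrCommonName([string]$Path, [string]$ExpectedFqdn) {
    $dump = & certutil.exe -dump $Path | Out-String
    $m = [regex]::Match($dump, 'CN=([^,\r\n]+)')
    if (-not $m.Success) { return $false }
    return ($m.Groups[1].Value.Trim() -ieq $ExpectedFqdn)
}

if (Test-CsrCommonName $CsrPath $Fqdn) {
    Write-Host "CSR ready for the CA: $CsrPath"
} else {
    Write-Warning "Common Name in $CsrPath is not $Fqdn; regenerate before submitting."
}

# When the CA returns the signed certificate, pair it with the pending key
# (the command-line equivalent of IIS Manager's "Complete Certificate Request"),
# then add the https binding to the site in IIS Manager as described above:
#   certreq.exe -accept "C:\web\mydomain\ssl\www.mydomain.org.cer"
```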

11 comments
October 16, 2008 at 3:45 am
Wayne
Hi there,
I do not think I can generate the CSR as I cannot find the CSR anywhere inside my server. I am using Windows Server 2008 as well.
With Windows 2003, I do not have the problem.
Would you please advise how to get the CSR using Windows 2008? Where can I find the file?
October 16, 2008 at 8:08 am
dk
To generate the CSR you first open up IIS 7.0 manager and it will change the interface. Scroll on down until you see the “Server Certificates” icon and double click it. In the right-hand pane you will see some options, one of which is “Create Certificate Request,” then you follow the prompts. As it completes it will ask you where to install the CSR file. Because I have a policy for this, I always install them in an SSL directory in the user’s root directory. So if I had a site called http://www.mydomain.org I would have a directory in C:\web\mydomain\ssl\www.mydomain.csr.
You can actually put them anywhere you want so long as when you install your certificate you update bindings. Be aware that a CSR is not a valid SSL certificate. Once you create the CSR you must submit it to a Certificate Authority for approval at which point you will receive the CRT to install locally. Then you edit the bindings for your site and indicate which saved SSL certificate you want to use for that site.
November 26, 2008 at 5:26 pm
rfm
dk, what you say is correct and I have been able to generate a CSR very comfortably. However, we have eight web sites on the server, each with their own IP address. Six of these sites will require their own SSL certs. The create cert wizard does not give an option of which web site to generate each CSR on, so I’m in a quandary as to how to proceed to generate separate CSRs for each discrete site. Any advice would be welcome.
November 26, 2008 at 5:46 pm
dk
This is done in the Server Manager. Open the IIS Manager and don’t yet choose anything from the left-hand pane. In the center pane scroll down until you see the “Server Certificate” icon in the IIS section. This is located down a little ways and is where you generate your CSRs. After you create a CSR and have it signed by a Certificate Authority (CA) you must then go back into this same area and use the “Complete Certificate Request” to install the .crt. You’ll see a dialogue that asks you to save the file somewhere. During the CSR creation process you’ll see a dialogue asking you to fill in various fields, and the field called “Common Name” is where you enter the fully qualified domain name of your site (FQDN). If you fail to do this your SSL cert will NEVER match up with the CSR – if you called your site “MyDomain Inc” in the “Common Name” field and your SSL was for http://www.mydomain.com the SSL will always bomb out. This is where you name your CSRs.
December 1, 2008 at 1:53 pm
rfm
Thanks for the info. I ran into problems when requesting the cert from Thawte. It seems that the CSR is not generated in the same manner as it used to be in IIS5 and IIS6, so the cert could not be approved and issued. My only choice was to generate a dummy CSR off a W2k3 server in IIS6, get that cert approved and installed there, export to a pfx file, then import to the Windows 2008 server. It’s tedious but at least I can get the cert on the 2008 box.
December 16, 2008 at 2:01 pm
dxr8273
Hello,
I’m trying to get a cert from Entrust in order to install on my domain controller. I want to have LDAPS turned ON so that I can get my users to change their passwords through the ISA Server 2006 FBA. Do I need to add the IIS role to my DC in order to get it to generate a CSR that I can pass to Entrust? Is there any other way to get the DC to generate a CSR beside doing it through the IIS?
Thanks for your feedback.
December 16, 2008 at 2:09 pm
dxr8273
I see. Thanks a lot for your prompt feedback. I truly appreciate it.
Have a good day !
December 18, 2008 at 4:53 pm
dk
To the best of my knowledge the only means of generating the CSR is through the IIS manager.
January 19, 2009 at 6:32 pm
Harry
Several times now after Windows updates, SSL no longer works in IE7, yet it does in Firefox. We can fix it by deleting the binding and then recreating it. Cannot seem to find anything on this issue. Has anyone here?
January 20, 2009 at 10:50 am
dk
I have yet to run into that specific issue, actually, but I wonder why Firefox would accept the certificate where IE7 would fail. It may be useful to find out the process IE7 uses to perform the check and compare that to Firefox and previous versions of IE.
January 20, 2009 at 11:00 am
Harry
We figured it out. The certificate was initially imported by an administrative user. Not the administrator account itself. We deleted the cert and re-imported it with the administrator account and now the binding is maintained after a reboot.