If you use a Microsoft IIS server to host your application, as an FTP server for file transfer, for testing, or for any other reason, and you want to secure your web application and run the service over the HTTPS protocol, you must bind an X.509 certificate to it. This digital certificate, used to prove identity, is commonly known as an SSL certificate. To do this, you create a CSR (Certificate Signing Request), submit the CSR to your CA (Certificate Authority), get a certificate issued by your CA, and bind the certificate to your web application or web service. If you are not aware of how to create a CSR in the IIS server, then this post is for you.
In this post, we have covered what is an SSL certificate, an IIS server, CSR (Certificate Signing Request), and a detailed step-by-step procedure to create a CSR in the IIS server.
SSL Certificates are small data files that digitally bind a cryptographic key to an organization’s details. When installed on a web server, a certificate activates the padlock and the HTTPS protocol and allows secure connections from a web server to a browser. Typically, SSL is used to secure credit card transactions, data transfers, and logins, and more recently, it is becoming the norm when securing browser communications.
SSL Certificates bind together:
A domain name, server name, or hostname.
The company name of the website owner for which the certificate was issued.
The Certificate Authority that issued and signed the certificate.
An SSL Certificate contains the following information:
The certificate holder’s name.
The certificate’s serial number and expiration date.
A copy of the certificate holder’s public key.
The digital signature of the CA.
IIS (Internet Information Services) is a web server software created by Microsoft. IIS Server is used for hosting websites and applications on the World Wide Web. IIS Server can be installed on all versions of the Windows operating system, from Windows NT to Windows 10 and Windows NT Server 4.0 to Windows Server 2021.
Suppose you have an application hosted on an IIS web server and the application runs only on the HTTP protocol, which is not secured. If you want to run the application on HTTPS instead of HTTP, the first thing you need is a digital certificate (an SSL/TLS certificate) for your application. Several questions may then come to mind: where do you get an SSL certificate, and what is the procedure to get it? Let us answer these questions.
You should get the SSL certificate from a Certificate Authority (CA). Please contact your Certificate Authority and share your requirements with them so that they can help you in acquiring a certificate for your application. There could be different types of Certificate Authorities in your organization. Please reach out to the correct Certificate Authority depending on your requirements.
Your CA will ask you to Create a CSR in the IIS Server for your application and share the CSR (Certificate Signing Request) with them so that they can issue the certificate for your CSR. Then you should bind that certificate to the application in the IIS webserver to enable HTTPS.
Note: You can’t use a CSR created on a different server; make sure the CSR is created on the same IIS server on which the application is hosted, because the matching private key is generated and kept on the server that creates the request.
A Certificate Signing Request is a block of encoded text that contains information about the applicant and the public key that they are requesting to be signed. This encoded text is then submitted to a Certificate Authority, which will use their private key to sign the CSR and generate a signed certificate. The certificate can then be used to verify that the public key does, in fact, belong to the person or organization who claimed it.
CSRs are typically generated by web servers or other software that will be using an SSL/TLS certificate and usually contain at least the common name (e.g., www.example.com) or email address associated with the certificate. Some CAs may require additional information to be included in the CSR in order to issue a certificate, such as the organization’s name or physical address.
A Certificate Authority uses the CSR to issue the certificate, so you should add the information below to your CSR when you create it.

| Field | Description |
| --- | --- |
| Common Name (CN) | The Fully Qualified Domain Name (FQDN), e.g. *.example.com, www.example.com, and mail.example.com. |
| Organization (O) | The legal name of your organization. Do not abbreviate it, and include any suffixes, such as Inc., Corp., or LLC. |
| Organizational Unit (OU) | The division of your organization handling the certificate. |
| City/Locality (L) | The city where your organization is located. This shouldn’t be abbreviated. |
| State/County/Region (S) | The state/region where your organization is located. This shouldn’t be abbreviated. |
| Country (C) | The two-letter code for the country where your organization is located. |
| Email Address | An email address used to contact your organization. |

The public key: the Certificate Authority includes it when it creates the certificate.
Information about the key type and length. The most common key size is RSA 2048, but some CAs, including GlobalSign, support larger key sizes (e.g., RSA 4096+) or ECC keys.
Make sure the IIS Web Site is running.
A local Certificate Authority role; in this case, we are using MS ADCS.
A CSR is the first step to getting a new certificate. As the name says, CSR is the standard request format that most Certificate Authorities accept to issue the certificate. In this section, we will show you how to Create a CSR in the IIS Server.
Let’s begin the CSR generation process by launching the Internet Information Services (IIS) Manager. In Server Manager, go to Tools –> Internet Information Services (IIS) Manager.
Select Server Name and Double-Click on Server Certificates.
As you can see in the picture, no certificates were installed on the IIS server.
To create the CSR, click on ‘Create Certificate Request’ under the ‘Actions’ menu.
After you click on ‘Create Certificate Request’, the Request Certificate wizard opens. Fill in the required details and click ‘Next’.
Note: Please contact your local Certificate Authority if you don’t have the information to fill in.
Common Name: Generally, the Common Name will be the URL of the IIS Web Service
Organization: Organization / Business Name
Organizational Unit: Division of the Organization
City / Locality: The city where the Organization is located
State / Province: The state where the Organization is located
Country / Region: The country where the Organization is located
Leave the ‘Cryptographic Service Provider’ at its default, change the ‘Bit Length’ to ‘4096’ to strengthen security, and click on ‘Next’.
Note: Please contact your local Certificate Authority before you fill in the information.
Specify the file name, select the path to save it, and click on ‘Finish’.
The CSR file will be present at the location you saved it and can be used to request the SSL certificate for your application.
This is what a typical CSR file looks like. A CSR file is a long string of characters encoded in base64 format. You can read the content of the CSR file using any text editor.
Whenever you copy the content, you should include the marker lines:
-----BEGIN NEW CERTIFICATE REQUEST----- & -----END NEW CERTIFICATE REQUEST-----
You can use the CSR to generate an SSL certificate for your web application hosted on an IIS server. You may need to choose the appropriate certificate template while submitting the CSR to the Certificate Authority.
Since the CSR stores its content in base64 format, you cannot validate the contents by reading the file directly. You can validate the content of the CSR only after you decode it. There are many ways to decode a CSR.
For beginners, using online tools is the best way to decode CSRs. We want to introduce one such wonderful tool to you. However, there could be a risk of data being stolen if you use unauthorized tools. Be aware of this before you use an online tool.
Namecheap: https://decoder.link/resultt
If you don’t want to submit CSR content to online tools, you can decode the CSR offline using the OpenSSL tool. The only requirement is to have OpenSSL installed on your Windows server. There is no need to install the OpenSSL utility on Linux machines since the OpenSSL package is included in the default package list.
Use this command to see if OpenSSL is installed on your machine.
openssl version
Use this command to decode CSR using OpenSSL.
openssl req -in IIS_CSR.csr -noout -text
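Going one step beyond decoding, the script below checks a CSR offline before it goes to the CA: it verifies the self-signature, compares the key size with a minimum, and confirms that the subject fields from the table above are present. It is an added example, not part of the original post; the function names `check_csr` and `make_sample_csr`, the sample subjects and the thresholds are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: check a CSR offline before sending it to the CA.

# make_sample_csr FILE SUBJECT: throwaway 2048-bit CSR (constructed test data),
# rewritten to carry the IIS-style "NEW CERTIFICATE REQUEST" markers.
make_sample_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout /dev/null -subj "$2" 2>/dev/null |
    sed -e 's/BEGIN CERTIFICATE/BEGIN NEW CERTIFICATE/' \
        -e 's/END CERTIFICATE/END NEW CERTIFICATE/' > "$1"
}

# check_csr FILE MIN_BITS: one finding per line; returns 0 only if all pass.
check_csr() {
  csr=$1; min_bits=$2; rc=0
  # The self-signature ties the request to its key pair and catches a file
  # that was truncated or altered while being copied.
  if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK'; then
    echo "FAIL signature does not verify"; return 1
  fi
  text=$(openssl req -in "$csr" -noout -text -nameopt multiline)
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  if [ "${bits:-0}" -lt "$min_bits" ]; then
    echo "FAIL key size ${bits:-unknown} is below $min_bits bits"; rc=1
  fi
  # Subject fields listed in the table above (CN, O, OU, L, S, C).
  for field in commonName organizationName organizationalUnitName \
               localityName stateOrProvinceName countryName; do
    if ! printf '%s\n' "$text" | grep -Eq "^ *$field +="; then
      echo "FAIL missing $field"; rc=1
    fi
  done
  [ "$rc" -eq 0 ] && echo "OK ${bits}-bit key, all subject fields present"
  return "$rc"
}

# Demo on constructed data: a complete request, then one lacking OU and L.
tmp=$(mktemp -d)
make_sample_csr "$tmp/good.csr" "/C=US/ST=Texas/L=Austin/O=Example Inc./OU=IT/CN=www.example.com"
make_sample_csr "$tmp/thin.csr" "/C=US/ST=Texas/O=Example Inc./CN=www.example.com"
check_csr "$tmp/good.csr" 2048
check_csr "$tmp/thin.csr" 4096 || true
rm -rf "$tmp"
```

The bit-length threshold is meaningful for RSA keys only; an ECC request reports a much smaller number and needs its own minimum.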
This is how you can create a CSR in the IIS Server.
We hope this post will show you a step-by-step procedure to Create a CSR in the IIS Server.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.