Well, if you use a Microsoft IIS server for hosting your application, as an FTP server for file transfer, for testing, or for any reason. If you want to secure your web application and run the service over HTTPS protocol, then you must bind an x509 certificate, a digital certificate used to prove the identity that is commonly known as an SSL certificate. To do this, you should create a CSR (Certificate Signing Request). Submit the certificate to your CA (Certificate Authority). Get a certificate issued by your CA and bind the certificate to your web application or web service. If you are not aware of how to create a CSR in the IIS server, then this post is for you.
In this post, we have covered what is an SSL certificate, an IIS server, CSR (Certificate Signing Request), and a detailed step-by-step procedure to create a CSR in the IIS server.
Table of Contents
What Is An SSL Certificate?
SSL Certificates are small data files that digitally bind a cryptographic key to an organization’s details. When installed on a web server, it activates the padlock and the HTTPS protocol and allows secure connections from a web server to a browser. Typically, SSL is used to secure credit card transactions, data transfers, and logins, and more recently, is becoming the norm when securing browser communications.
SSL Certificates bind together:
- A domain name, server name, or hostname.
- The company name of the website owner for which the certificate was issued.
- The Certificate Authority issued and signed the certificate.
An SSL Certificate contains the following information:
- The certificate holder’s name.
- The certificate’s serial number and expiration date.
- A copy of the certificate holder’s public key.
- The digital signature of the CA.
What Is IIS Server?
IIS (Internet Information Services) is a web server software created by Microsoft. IIS Server is used for hosting websites and applications on the World Wide Web. IIS Server can be installed on all versions of the Windows operating system, from Windows NT to Windows 10 and Windows NT Server 4.0 to Windows Server 2021.
How To Get A Certificate For Your Web Application?
If you have an application hosted on an IIS webserver. And the application runs only on HTTP protocol which is not secured. If you want to run the application on HTTPS instead of HTTP, the first thing you need is a digital certificate or SSL/TLS certificate for your application. Then there may be several questions coming to your mind. Where to get an SSL certificate, and What is the procedure to get the SSL certificate? Let us answer these questions.
You should get the SSL certificate from a Certificate Authority (CA). Please contact your Certificate Authority and share your requirements with them so that they can help you in acquiring a certificate for your application. There could be different types of Certificate Authorities in your organization. Please reach out to the correct Certificate Authority depending on your requirement.
Your CA will ask you to Create a CSR in the IIS Server for your application and share the CSR (Certificate Signing Request) with them so that they can issue the certificate for your CSR. Then you should bind that certificate to the application in the IIS webserver to enable HTTPS.
Note: You can’t use the CSR created on a different server; please ensure the CSR must be created on the same IIS server on which the application is hosted.
What Is CSR (Certificate Signing Request)?
A Certificate Signing Request is a block of encoded text that contains information about the applicant and the public key that they are requesting to be signed. This encoded text is then submitted to a Certificate Authority, which will use their private key to sign the CSR and generate a signed certificate. The certificate can then be used to verify that the public key does, in fact, belong to the person or organization who claimed it.
CSRs are typically generated by web servers or other software that will be using an SSL/TLS certificate and usually contain at least the common name (e.g., www.example.com) or email address associated with the certificate. Some CAs may require additional information to be included in the CSR in order to issue a certificate, such as the organization’s name or physical address.
What Information Should A CSR Have?
A Certificate Authority will use CSR to issue the certificate. So you should add the below information to your CSR while creating it.
|Common Name (CN)||The Fully Qualified Domain Name (FQDN). e.g. *.example.com, www.example.com, and mail.example.com.|
|Organization (O)||The legal name of your organization. Do not abbreviate and include any suffixes, such as Inc., Corp., or LLC.|
|Organizational Unit (OU)||The division of your organization handling the certificate.|
|City/Locality (L)||The city where your organization is located. This shouldn’t be abbreviated.|
|State/County/Region (S)||The state/region where your organization is located. This shouldn’t be abbreviated.|
|Country (C)||The two-letter code for the country where your organization is located.|
|Email Address||An email address used to contact your organization.|
The public key: Certificate Authority includes it during the creation of the certificate.
Information about the key type and length. The most common key size is RSA 2048, but some CAs, including GlobalSign, support larger key sizes (e.g., RSA 4096+) or ECC keys.
Pre-requisites To Create A CSR In The IIS Server:
- Windows server 2019
- Make sure the IIS Web Site is running.
- Local Certificate Authority Role, in this case, we are using MS ADCS.
Time needed: 30 minutes
How To Create A CSR In The IIS Server?
A CSR is the first step to getting a new certificate. As the name says, CSR is the standard request format that most Certificate Authorities accept to issue the certificate. In this section, we will show you how to Create a CSR in the IIS Server.
- Launch Information Service (IIS) Manager
Let’s begin the CSR generation process by launching Internet Information Service (IIS) Manager.
In Server Manager, go to Tools –> Information Service (IIS) Manager.
- Verify Certificates installed on the IIS Website
Select Server Name and Double-Click on Server Certificates.
- List of certificates installed in IIS Server.
As you can see in the picture, no certificates were installed on the IIS server.
- Create Certificate Request
To Create CSR, click on ‘Create Certificate Request‘ under ‘Actions‘ Menu.
- Provide the required information for creating Certificate Request
After you click on ‘Create Certificate Request. Request Certificate Wizard will get opened up. You need to update required details and click ‘Next‘.
Note: Please contact your local Certificate Authority if you don’t have the information to fill.
Common Name: Generally Common Name will be the URL of the IIS Web Service
Organization: Organization / Business Name
Organisational Unit: Division of the Organization
City / Locality: City where Organization located
State / Province: State where Organization located
Country / Region: Country where Organization located
- Select Cryptographic Service Provider details
Select the ‘Cryptographic Service Provider’ to default and change the ‘Bit Length’ to ‘4096′ to strengthen security and click on ‘Next’.
Note: Please contact your local Certificate Authority before you fill information.
- Save the CSR file to a location
- Select a location to save the CSR file. Enter a name for the file and click Save.
- Save the Certificate Request file on your disk and finis the process.
Specify the File name and select the path to save it and click on ‘Finish‘.
The CSR file will be present at the location you saved it and can be used to request the SSL certificate for your application.
How Does A Typical CSR Look Like?
This is how a typical CSR file looks like. A CSR file is a long string of characters encoded in base 64 formats. Well, you can read the content of the CSR file using any text editors.
Whenever you copy the context you should include:
—–BEGIN NEW CERTIFICATE REQUEST—– & —–END NEW CERTIFICATE REQUEST—–
You can use CSR to generate an SSL certificate for your web application hosted on an IIS server. You may need to choose the appropriate certificate template while submitting the CSR to the Certificate Authority.
How To Decode A CSR?
Since the CSR stores the content in base64 format, it is not al all possible to validate the contents. If you want to validate the content of the CSR, it is possible to do that, but only after you decode it. There are many ways to decode a CSR.
Online Tool To Decode A CSR:
For beginners, using online tools are the best way to decode CSRs. We want to introduce one such wonderful tool to you. However, there could be a risk of data being stolen if you use unauthorized tools. Be aware of this before you use an online tool.
Decode A CSR Using OpenSSL:
If you don’t want to submit CSR content to online tools, it is possible to decode the CSR offline using the OpenSSL tool. Only the requirement is to have OpenSSL installed on your Windows server. No need to install the OpenSSL utility on Linux machines since the OpenSSL package is included in the default package list. You can use this command to see if OpenSSL is installed on your machine.
Use this command to see if OpenSSL is installed on your machine.
Use this command to decode CSR using OpenSSL.
# openssl req -IIS_CSR.csr -noout -text
This is how you can Create a CSR in the IIS Server.
We hope this post will show you step by step procedure to Create a CSR in the IIS Server. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram and subscribe to receive updates like this.