If you want to secure your web application running on an IIS server, you need to install an SSL certificate. SSL certificate allows you to verify the identity of your web server and is used to encrypt the channel between server and client. You can get a trust certificate from your internal or external CA (Certificate Authority). But first, you need to create a Certificate Signing Request (CSR). In this article, we’ll show you how to create CSR in Internet Information Services (IIS) on Windows Server 2022.
- Open the Internet Information Services (IIS) Manager console (InetMgr.exe) on your Windows Server host;
- Select your server name in the left pane;
- Open the Server Certificates item in the center pane;
- In the Actions menu (right pane), click the Create Certificate Request link;
- This will launch the Certificate Request Wizard;
- In the first window, you need to fill in the certificate’s distinguished name properties.
Fill in the following fields:
- Common Name — here specify the web server hostname where this SSL certificate will be used. Use a fully-qualified domain name (FQDN) of your server. For example, report.theitbros.com. Also, you can use a wildcard in the certificate, for example: *.theitbros.com.
- Organization — the legal name of your organization;
- Organizational unit — department name within the organization;
- City/locality — your location city;
- State/province — state or province where your company is located;
- Country/region — use the two-character abbreviation of your country.
In the next step, you need to select the Cryptographic Service Provider of the certificate and the key length depending on your requirement. By default, you can use:
- Cryptographic service provider: Microsoft RSA SChannel Cryptographic Provider
- Bit length: 2048
Then specify the file where you want to save your CSR (by default, the file will be saved to C:\Windows\System32) and click Finish.
You will get a plain text file that starts with the BEGIN NEW CERTIFICATE REQUEST—– tag and ends with —–END NEW CERTIFICATE REQUEST—–. You can open the CSR file using any text editor tool (for example, notepad.exe).
You can copy the text of the certificate and paste it into the certificate order form (if you are using an online CA), or send the file to your CA provider or administrator.
To view the contents of your Certificate Signing Request, you need to decode it. You can use the online tools, but it’s easier to use the OpenSSL utility, which is available on any Linux distribution. In order to perform offline decode of the CSR file, use the command:
openssl req -text -noout -in reportapp_request.txt
As you can see, the OpenSSL displayed the main parameters of the certificate request. It also shows that a certificate is requested for the web server (X509v3 Extended Key Usage: TLS Web Server Authentication).
Now you need to obtain an SSL\TLS certificate (*.CER) from your CA based on your request and install it in IIS on the same Windows Server host where the CSR was generated. To do this, click the following button in the IIS console — Complete Certificate Request.
You will need to find the received *.CER file. Specify its name and certificate store (Web Hosting).
After that, it remains to assign a new certificate to the desired web application or web service IIS (in the Site Bindings section).