Creating a CSR (Certificate Request) and Generating CSRs for IIS7 / IIS 7 / Internet Information Services 7
In IIS7 – it is not intuitive – how to generate your CSR and then get your certificate issued – and apply that certificate to your site.
In IIS 6 – it was pretty straightforward once you had walked through the process – but IIS 7 is as different as night and day.
In IIS 7 – let’s replace the one for our SharePoint site. We had one already in place, but when we upgraded to SharePoint 2010 – it reconfigures the IIS application – creating a disconnect in your certificate. I’ll cover this in another blog. For now – let’s gen the CSR – then get the new cert:
First, launch your IIS Manager (Start -> Run and type in INETMGR and press Enter):
Notice that the machine name is selected just under Start Page in the left tree view. This is where you want your cursor – we’re working at the Server level – and certificates are all handled at this level – not at the site level like in the days of IIS6.
Scroll down in the center page (SBS Home above) and locate Certificates:
Double-click – or select and press Enter on Server Certificates.
In our example, we locate our certificates – and all appears fine – except the certificate is no longer valid – so we’re going to create a new request (CSR) and walk through getting and applying the new certificate.
You’ll find this view on the right side of your Internet Information Services (IIS) Manager console. Click Create Certificate Request
NOTE: The Common Name is your actual URL – the site that you’ll be applying the certificate to. It’s important that you enter it – as shown above. Our actual URL to this site includes HTTPS:// before it, and a slash (“/”) and other page references after it – depending on what resources we’re trying to get to. But the actual site is exactly like that shown above – and it’s important that you enter this as your Common Name.
The rest is pretty straightforward. Once this is complete, click Next
Leave this default setting and click Next
This is the file name that the CSR will be written to. We use a text file format because it’s easy to copy/paste into our SSL provider when we get to that point.
In our case, we use GeoTrust and RapidSSL for our certificates; your provider may be different – but the next stages have to do with logging on to your SSL provider – using whatever account you created at that time – and selecting to re-issue the certificate. This will walk through collecting this new CSR – and invariably – generating the new SSL certificate (.CER file).
NOTE: If you do not place something like C:\ before the above file name, it’ll place it in your User Profile path – which is typically in C:\Users\<userName> … – it’s easier to specify a path to save it to before clicking finish – that way you can quickly find it.
Once you locate it – it’s saved with a .TXT suffix – so if you double-click the file – it should open in OneNote, and you should see something similar to the following:
When you log into your SSL provider account and select to re-issue your certificate – you will have to copy this information from this text file into the CSR block on the screen of your provider. You should be familiar with this account – and when you have to copy, you’ll want to copy all of this data – from the -----BEGIN line all the way through the REQUEST----- line at the end of the file, dashes included.
The re-issue process, depending on our SSL provider – generally is an email to confirm the re-issue, and then a final email with the new certificate included in the email. From GeoTrust – they do not email us an attachment of the certificate – rather, they include the certificate block – similar to that shown above – right in the email – so we just copy/paste from our email.
Once we receive our new Certificate from GeoTrust – we create a .CER file, and open it with Notepad – just like our text file. Then we copy/paste our data into that file:
With this saved, we’re ready to apply the new certificate to our server.
Close Notepad – ensuring that your file suffix name is .CER – triple check and make sure Notepad didn’t slip in .TXT at the end of .CER – if it did, manually rename the file and get ready for the final stage.
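A pre-flight check for the two copy/paste mistakes called out above (an incomplete BEGIN/END block, and a .CER file that Notepad saved as .CER.TXT), as an added example that is not part of the original post. The function names and the sample block are constructed for illustration; the sample is a well-formed DER stand-in, not a real signed CSR.

```python
import base64
import re
from pathlib import PureWindowsPath

# IIS writes "NEW CERTIFICATE REQUEST"; a CA's reply uses "CERTIFICATE".
LABELS = ("NEW CERTIFICATE REQUEST", "CERTIFICATE REQUEST", "CERTIFICATE")
ARMOR = re.compile(r"^-----BEGIN ([A-Z ]+)-----\s*\n(.*?)\n-----END \1-----\s*$", re.S)

def check_pem_block(text):
    """Return a list of problems found in a pasted CSR or certificate block."""
    match = ARMOR.match(text.strip())
    if not match:
        return ["BEGIN/END lines missing, mismatched, or not exactly five dashes"]
    label, body = match.groups()
    problems = []
    if label not in LABELS:
        problems.append("unexpected label: " + label)
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError:
        return problems + ["body is not valid Base64 (truncated or altered paste)"]
    # A PKCS#10 request and an X.509 certificate are each one DER SEQUENCE
    # (tag 0x30) whose declared length must cover every remaining byte.
    if len(der) < 2 or der[0] != 0x30:
        return problems + ["decoded data does not start with a DER SEQUENCE"]
    if der[1] < 0x80:
        header, declared = 2, der[1]
    else:
        n = der[1] & 0x7F
        header, declared = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + declared != len(der):
        problems.append("DER length mismatch: block is truncated or has extra data")
    return problems

def check_cer_name(filename):
    """Flag the case where Notepad saved 'name.cer.txt' instead of 'name.cer'."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    if suffixes[-1:] != [".cer"]:
        return ["file does not end in .cer (suffixes: %s)" % "".join(suffixes)]
    return []

def make_sample(label="NEW CERTIFICATE REQUEST", payload=b"\x02\x01\x00" * 60):
    """Constructed stand-in: a well-formed DER SEQUENCE, not a real signed CSR."""
    der = b"\x30\x81" + bytes([len(payload)]) + payload
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)
```

Run `check_pem_block` on the text you are about to paste into the provider's form and again on the saved .CER contents; an empty list means the block is structurally complete, not that the certificate is valid for your site.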
Launch your Internet Information Services (IIS) Manager (INETMGR) – if you closed it, or bring it back up on your screen:
In the Actions menu located on the right side, click Complete Certificate Request.
Browse to your .CER file by clicking on the … ellipsis button to the right of File name containing the certificate authority’s response:
For the friendly name – we simply used the domain common name again.
Click OK.
Now, reviewing our certificates, notice below we have the one that was to be re-issued – in our case – we had a new issue generated for 3 years – and then you’ll see the old one right above it – expiring in 2010:
If you have a similar situation – delete that old certificate – otherwise it can be selected inadvertently when you’re assigning it to the site – and that will just create confusion.
With our old one deleted – we’re ready to apply the new certificate.
Bring up the site on the left of your Internet Information Services (IIS) Manager dialog, expanding sites, and selecting the actual site to apply this certificate to:
Ours is SBS SharePoint – and on the right side under Actions click Bindings
Here we select the HTTPS line and click Edit
You’ll have to drop down your certificate options and select your actual certificate, then click OK to apply:
After clicking OK – click Close and that’s it. Your new certificate is now applied to this site.
Hope that helps – sorry to be so long winded.