Windows Server 2016 – Using a Certificate Signing Request to acquire your SSL certificate


When publishing a website to the Internet, it is generally a best practice to use an SSL certificate on the website that you acquired from a public Certification Authority (CA). These are the big certificate issuing entities such as Entrust, Verisign, Digicert, GoDaddy, and so on. It is possible to use your own internal PKI infrastructure to issue SSL certificates that can be exposed to the outside world, but it can be difficult to set up the certificate infrastructure appropriately and securely. As cheap as SSL certificates are, it is worth the investment to have the security of knowing that the certificate you are running on your website is the one and only certificate of its kind, and that nobody else has a chance to get their hands on a copy of your certificate and spoof your website. Modern browsers also have a pre-built list of the public CAs that they trust; this makes using a certificate from one of those public entities even more beneficial, because your users' browsers will automatically trust those certificates without any additional work on the client side.

It is easy enough to log in to one of these CAs' websites and purchase a new certificate, but then comes the tricky part. Once purchased, you need to walk through some steps and enter information about your certificate. Easy enough; it asks you for some company information and the name that you plan to use for your site, of course. Then it asks for your Certificate Signing Request (CSR) and gives you either a very large empty text box to paste it into or an upload function where you can upload your CSR directly to them. This is the place where I have watched many new admins struggle to find traction on their next step.

A CSR is a file that must be created on your web server. It contains information that the CA uses when it creates your certificate. When they do this, it binds the certificate to the information in the CSR, ensuring that your certificate is built specifically for your web server. Here, we are going to generate a CSR together, so that you are prepared to handle that screen when you come across it.

Getting ready

We are going to use IIS that is running on our Server 2016 web server to generate a CSR. This server is the only piece of infrastructure that we need running for this task.

How to do it…

In order to request a new certificate from a public CA, you will need to spin out a CSR on your web server. Here are the steps to do so:

  1. Open Internet Information Services (IIS) Manager.
  2. Click on the name of your server in the left-hand window pane.
  3. Double-click on the Server Certificates applet. This will display currently installed certificates on your server.
  4. Click on the action near the right of your screen that says Create Certificate Request….
  5. Populate Common name with the DNS name that your website will be running on. This is the name that users will type into their browsers in order to access this site.
  6. Organization is the name of your company or organization. Typically, this information needs to match whatever is on file with the CA, so take a minute to check another certificate that you might have already and make sure to type in the same info.
  7. The Organizational unit can be anything you desire. I often just type the word Web.
  8. Type in your City/locality and State/province to finish out this screen. Make sure to spell out the whole word of your state, for example, California. They tend to dislike abbreviations.
  9. Click Next.
  10. Increase your Bit length to at least 2048. This is typically considered to be the new minimum standard in the industry.
  11. Click Next.
  12. Type a location and name where you want to store your new CSR. Usually, you set this into a text (.txt) file. Make sure to specify the full filename, including the extension. I have found that if you do not, the file disappears into neverland.
  13. Click Finish and go take a look at that new file. It will look like a big mess of letters and numbers, which is normal!
  14. Now you can proceed to your public CA's web interface and use this new CSR during the official request for a new SSL certificate. When prompted, paste the contents of the CSR file into their system. This is the last time you will need that CSR.
      Each authority handles this process differently, but they are all generally done through a website, with a series of steps that you walk through. Many CAs will allow you to generate a 15 or 30-day trial certificate so that you can test this without cost.
  15. After the CA validates your request and your CSR, they will issue you a link where you can download your new certificate. Go ahead and download that file, and copy it onto your web server.
  16. Once the certificate file is on your server, you need to import it into IIS. Head back into the Server Certificates section and this time click on Complete Certificate Request….
  17. Specify the newly downloaded certificate file and input the Friendly name field if you choose. This is a descriptive name that you can give to this new certificate inside IIS so that you can easily identify it later when assigning it to a website binding. You typically want to store these certificates in the Personal store, as is set by default.
  18. Click OK, and that's it! Your new certificate is installed and ready to use.
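
The same request can be generated from an elevated PowerShell prompt with the built-in certreq.exe tool. This is an added example, not part of the original recipe; the host name, organization values, country code and C:\CertRequests paths are placeholder assumptions, and the key is marked non-exportable as a hardening choice.

```powershell
# Added example: scripted counterpart of the IIS "Create Certificate Request" wizard.
# Every subject value and path below is a placeholder (assumption).
$commonName = 'www.example.com'
$workDir    = 'C:\CertRequests'
$infPath    = Join-Path $workDir 'request.inf'
$csrPath    = Join-Path $workDir 'request.txt'

New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Single-quoted here-string so "$Windows NT$" is written literally.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=__CN__, OU=Web, O=Example Corp, L=San Francisco, S=California, C=US"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = SHA256
'@
$inf = $inf.Replace('__CN__', $commonName)
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Creates the key pair in the machine store and writes the CSR.
# The private key never leaves the server; only the CSR goes to the CA.
certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Review the subject and key length before pasting the CSR into the CA's form.
certutil.exe -dump $csrPath

# After the CA issues the certificate, pair it with the pending private key
# (scripted counterpart of "Complete Certificate Request"):
#   certreq.exe -accept -machine <path-to-issued-certificate>
```

Run the accept step on the same server that created the request, because that is where the pending private key is stored.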

How it works…

In this recipe, we requested a new SSL certificate from our favorite public Certification Authority. In order to receive a certificate from them, we had to issue a CSR from our web server. Once we have our CSR generated, we simply copy and paste it into the web interface for our CA entity and they give us a new certificate based on that CSR. Once downloaded, the new certificate file can be imported back into the web server, where it is ready for use by our own website.

One important note: after you install the new certificate on your server, double-click on the certificate to open it up. You want to make sure that you have a message displaying on the main page of your certificate properties that says You have a private key that corresponds to this certificate. This will display near the bottom of the General tab of the certificate. If you do not see this message, something did not work correctly with the CSR and you will probably have to start the process over to request another new copy of the certificate. Having a private key that corresponds to your SSL certificate is critical to getting your website working properly.
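
The private key check can also be scripted, which helps when several servers or certificates need to be verified. This is an added example, not from the original recipe; `$expectedName` and the helper function `Test-WebCertificate` are hypothetical names, and the script assumes the certificate was imported into the computer's Personal store.

```powershell
# Added example: scripted version of the "You have a private key..." check.
# $expectedName is a placeholder (assumption); use the Common name from your CSR.
$expectedName   = 'www.example.com'
$minimumKeyBits = 2048

function Test-WebCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [int] $MinimumKeyBits = 2048
    )
    $problems = @()

    # Same condition the General tab reports as "You have a private key..."
    if (-not $Certificate.HasPrivateKey) {
        $problems += 'no matching private key in this store'
    }

    # Key size check applies to RSA keys, which is what the IIS wizard generates.
    if ($Certificate.PublicKey.Oid.FriendlyName -eq 'RSA') {
        $bits = $Certificate.PublicKey.Key.KeySize
        if ($bits -lt $MinimumKeyBits) { $problems += "RSA key is only $bits bits" }
    }

    $now = Get-Date
    if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
        $problems += "outside validity period ($($Certificate.NotBefore) to $($Certificate.NotAfter))"
    }

    [pscustomobject]@{
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        Ok         = ($problems.Count -eq 0)
        Problems   = $problems -join '; '
    }
}

# Cert:\LocalMachine\My is the computer's Personal store used by IIS.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.GetNameInfo('DnsName', $false) -eq $expectedName } |
    ForEach-Object { Test-WebCertificate -Certificate $_ -MinimumKeyBits $minimumKeyBits } |
    Format-List
```

No output at all means no certificate with that name is in the store; an entry with `Ok : False` and "no matching private key" corresponds to the missing message described above.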
