Create the Certificate Signing Request

Generate CSR: IIS 7 Microsoft Windows Server 2008

Follow these instructions to generate a certificate request (CSR).

  1. Open the Internet Information Services (IIS) Manager. From the Start button select Programs > Administrative Tools > Internet Information Services Manager.
  2. In the IIS Manager, select the server node on the top left under Connections.
  3. In the Features pane (the middle pane), double-click the Server Certificates option located under the IIS or Security heading (depending on your current group-by view).
  4. From the Actions pane on the top right, select Create Certificate Request. The Distinguished Name Properties dialog box opens.
  5. You will be asked for several pieces of information that the CA will use to create your new SSL certificate. These fields include the Common Name (also known as the domain or FQDN), organization, country, key bit length, etc. Do not use the following characters in your CSR input: < > ~ ! @ # $ % ^ / \ ( ) ? , &
  6. THIS IS THE MOST IMPORTANT STEP! Enter your site's Common Name. The Common Name is the fully qualified domain name of your web site or mail server. Enter whatever your end users will see in their browser's address bar. Do not include http:// or https://. If this is wrong, your certificate will not work properly. The fields are explained below:

    | Name | Explanation | Examples |
    |------|-------------|----------|
    | Common Name | The fully qualified domain name (FQDN) of your server. This must match exactly what you type in your web browser or you will receive a name mismatch error. | |
    | Organization | The legal name of your organization. This should not be abbreviated and should include suffixes such as Inc, Corp, or LLC. | Google Inc. or Same as CN |
    | Organizational Unit | The division of your organization handling the certificate. (Most CAs don't validate this field.) | Domain Control Validated |
    | City/Locality | The city where your organization is located. | Mountain View |
    | State/province | The state/region where your organization is located. This shouldn't be abbreviated. | California |
    | Country/Region | The two-letter ISO code for the country where your organization is located. | US |

    • Enter your Organization (e.g., Gotham Books Inc) and Organizational Unit (e.g., Internet Sales), then click Next.

  7. The next screen of the wizard asks you to choose cryptography options. The default Microsoft RSA SChannel Cryptographic Provider and a key bit length of 2048 are fine.
  8. Click Next to continue.
  9. Finally, specify a file name for the certificate request. It doesn't matter what you call it or where you save it as long as you know where to find it. You'll need it in the next step. We recommend calling it hostname-certreq.txt.
  10. Click Finish to complete the certificate request (CSR) Wizard.
  11. Now, from a simple text editor such as Notepad (do not use Word), open the CSR file you just created at c:\certreq.txt (your path/filename may be different). You will need to copy-and-paste the contents of this file, including the top and bottom lines, into the relevant box during the online order process.


OpenSSL CSR Creation

Sometimes IIS or Certificate Services are not installed. In that case you can use OpenSSL to create both a private key and your certificate signing request. DigiCert has a useful form on their site that builds the OpenSSL command for you. Enter the Certificate Details and click Generate. Copy the text from the text box on the right side, then paste the customized OpenSSL CSR command into your terminal. You can run the command wherever you have OpenSSL available.
Install OpenSSL from SourceForge or Shining Light Productions, then generate a CSR:

openssl req -new -newkey rsa:2048 -nodes \
  -out host_yourdomain_com.csr \
  -keyout host_yourdomain_com.key \
  -subj "/C=<country>/ST=<state>/L=<city>/O=<organization>/CN=<common name>/OU=Domain Control Validated/"

The bracketed values are placeholders for the Distinguished Name fields described in the table above; substitute your own.

Keep track of your private key file after you create your CSR, because you'll need that private key to install your certificate.

Submit the CSR to a CA, which returns the signed certificate for your public key.

Generate the PKCS12 certificate

If all went well, you should have received a response from your CA containing something like a .crt file. Place that file in the same directory as the private key file (host_yourdomain_com.key) that you created when generating the CSR. Windows cannot use these two files directly; they must first be converted into a PKCS12 file. Package the key and certificate in a PKCS12 file:

openssl pkcs12 -export -in host_yourdomain_com.crt \
  -inkey host_yourdomain_com.key \
  -out host_yourdomain_com.p12
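
The OpenSSL steps above as a script, with two checks added: the Common Name rule from step 6 and a comparison of the certificate's public key against the private key before the PKCS12 export. This is an added example, not from the original page; the function names, file names and the P12_PASS environment variable are assumptions.

```shell
# Added example (not from the original page). File names, host.yourdomain.com
# and the P12_PASS variable are placeholders/assumptions.

# Reject a Common Name with a scheme (http://) or any character outside
# letters, digits, dot, hyphen and the wildcard asterisk.
valid_cn() {
  case "$1" in
    ''|*://*|*[!A-Za-z0-9.*-]*) return 1 ;;
  esac
}

# make_csr HOST BASE: write BASE.key (2048-bit RSA, unencrypted) and BASE.csr.
make_csr() (
  valid_cn "$1" || exit 1
  umask 077   # key file readable by its owner only
  openssl req -new -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
    -subj "/CN=$1/OU=Domain Control Validated" 2>/dev/null
)

# pubkey_fp key|csr|crt FILE: SHA-256 of the PEM public key found in FILE.
pubkey_fp() (
  case "$1" in
    key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    csr) pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
    crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    *)   exit 2 ;;
  esac
  [ -n "$pem" ] || exit 1   # unreadable input must never compare equal
  printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
)

# cert_matches_key CRT KEY: succeed only if both hold the same public key.
cert_matches_key() (
  c=$(pubkey_fp crt "$1") && k=$(pubkey_fp key "$2") && [ "$c" = "$k" ]
)

# make_p12 CRT KEY OUT: export to PKCS12 only when CRT and KEY belong together.
# The export password is read from the P12_PASS environment variable.
make_p12() {
  cert_matches_key "$1" "$2" || { echo "certificate does not match key" >&2; return 1; }
  ( umask 077; openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout env:P12_PASS )
}
```

Export P12_PASS in the environment before calling make_p12 so the password does not appear on the command line.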

Import the certificate into Windows

Now you're ready to import the certificate (host_yourdomain_com.p12).

  1. Open the Certificates snap-in
    • Run mmc.
    • Select the Computer Account, select Local computer, and then click Finish.
  2. Use the MMC snap-in to install the certificate on the server:
    • Click to select the Personal folder in the left-hand pane.
    • Right-click in the right-hand pane, point to All Tasks, and then click Import...
    • Follow the wizard.