Entrust Datacard

Entrust Certificate Services Support Knowledge Base

Last Modified: 2016-09-07 15:42:07.0

How do I generate a CSR on Microsoft Internet Information Services (IIS) 7?

Article Number: 46316

Question:

How do I generate a CSR on Microsoft Internet Information Services (IIS) 7?

Answer:
 

If you require an SSL certificate to secure a domain hosted in a Microsoft Windows Server 2008 server, you must first generate a Certificate Signing Request (CSR).

Before generating a certificate signing request for a domain in IIS 7, ensure that you have an IIS 7 role added to your server.
To verify that IIS 7 is installed on the server, open your Web browser and go to http://localhost/.
If ISS 7 is installed, you will see the following page:


 


Do not use commas in any of the fields when creating your Certificate Signing Request (CSR). Commas are interpreted as the end of the field and will cause an invalid CSR to be generated.
 

Do not use any of the following characters in the Web server Distinguished Name: ! @ # $ % ^ * ( ) ~ ? > < & / \

To generate a new CSR:

 

  1. Launch the Internet Information Services (IIS) Manager:
       Start > Programs > Administrative Tools > Internet Information Services (IIS) Manager

 

  1. In the Connections pane on the left, select the correct server name.


     
  2. Open the Server Certificates features by double-clicking the Server Certificates icon located in the middle menu of the IIS Manager window.

 

  1. In the Actions pane on the right, click Create Certificate Request to open the Request Certificate wizard.

    Note: if you already have a certificate that is near expiration date and you need to renew it, select Create Certificate Request. Do not use the Renew option on the certificate from the Server Certificates action menu. The renewal function can sometimes create an incompatible CSR.


     
  2. Enter the Distinguished Name information in the Distinguished Name Properties window in the wizard:

 

Attribute

Prefix

Description

Example

Common name

cn

Domain to be secured by certificate

iis7cert.entrust.com

Organization

o

Organization’s legal business name

Entrust Inc.

Organizational Unit

ou

Department in the organization

Certificate Dep.

City/Locality

l

Business location - city

Ottawa

State/Province

st

Business location – state/province

Ontario

Country/Region

c

Business location - country

CA


          

 
  1. Click Next.

 

  1. Select Microsoft RSA Channel Cryptographic Provider as the Cryptographic service provider. For Bit Length, select 2048.
    Click Next.

     
  2. In the following window, specify the location and file name for your CSR. Take note of where the CSR is being stored, as you will need to access this file when you request a certificate. The file should contain a CSR similar to this:

 

-----BEGIN NEW CERTIFICATE REQUEST-----

MIIEhDCCA2wCAQAwgYAxCzAJBgNVBAYTAkNBMRAwDgYDVQQIDAdPbnRhcmlvMQ8w

DQYDVQQHDAZPdHRhd2ExFTATBgNVBAoMDEVudHJ1c3QgSW5jLjEZMBcGA1UECwwQ

Q2VydGlmaWNhdGUgRGVwLjEcMBoGA1UEAwwTaWlzN2NlcnQuZW50cnVzdC5jYTCC

.

.

.

OOqRZhp/bkDjEWW+OO1Z7hAnB1gcN4t1Q7TO3gZwyO9Yarv7gkPXCsCIMwJkhmzB

X4n6sJ5KGAUQj+Qx6VDeyTzG6w8hTvXH0ILxVb7LYg12vcrt2O3wKdBwRdcPNtLO

8nK2lCzuiMwL+cM8XJroaYCtr8A8mDHLCTQHy1y5PReZ2wYIChPWVwzzrhWo7XZ5

Vmcczl6amkU=

-----END NEW CERTIFICATE REQUEST-----
 

 

  1. Open the generated file containing the newly created Certificate Signing Request (CSR) and copy its content into the specified field when you are requesting a certificate from Entrust.

    Note: Copy the full CSR including the

-----BEGIN NEW CERTIFICATE REQUEST-----


 

-----END NEW CERTIFICATE REQUEST-----
 

lines. Make sure that here are no trailing spaces or carriage returns in the CSR.

 

TN8156

Affected Products:

  • Entrust Certificate Services 1 Year Advantage SSL Certificate Version Not Applicable Language Not Applicable Platform Not Applicable