Creating a Certificate Request with IIS

To create a certificate request, you will use the Web Server Certificate Wizard from the IIS MMC snap-in, shown in Figure 10-3.

Figure 10-3: The Web Server Certificate Wizard

  1. Open the IIS MMC by choosing Start | Administrative Tools | Internet Information Services (IIS) Manager.

  2. Click the plus (+) in front of Web Sites.

  3. Right-click the web site for which you will be requesting the certificate, and choose Properties.

  4. Click the Directory Security tab.

  5. In the Secure Communications section, click Server Certificate.

  6. The Web Server Certificate Wizard window will open. Click Next on the Welcome screen.

  7. Select the Create A New Certificate radio button.

  8. Click Next.

  9. Select the Prepare The Request Now, But Send It Later radio button.

  10. Enter a name for your certificate; it should be something descriptive, such as the URL of your web site.

  11. Unless you have a specific need to change them, leave the bit length and the cryptographic service provider at their defaults.

  12. Click Next.

  13. Enter your company name and the department (organizational unit) within your company that this site belongs to.

  14. Click Next.

  15. Enter the Common Name for your site; this must be the fully qualified host name that clients type into the browser to reach the site.

  16. Click Next.

  17. Enter the appropriate region information, and click Next.

  18. If necessary, change the location or name of the file that will contain your request. Click Next.

  19. The information you entered is displayed for confirmation. Click Next.

  20. Click Finish.

Sending a Request to Your Own CA

You can request a certificate from your own CA in two ways. The Certification Authority web enrollment (Figure 10-4) works for both an enterprise CA and a standalone CA. Sending a request through the Certificates snap-in is, by default, supported only by an enterprise CA. If you have an enterprise CA and are requesting an SSL certificate, you will use the same wizard you use when creating a request for a commercial CA, except that you will select the wizard's Send The Request Immediately To An Online Certification Authority radio button. The Certification Authority MMC snap-in can be used for any other certificate request.

Figure 10-4: Microsoft Certificate Services web enrollment Welcome screen

Here's how to use the CA web enrollment:

  1. In your web browser, type http://<yourserver>/certsrv in the address bar, replacing <yourserver> with the IP address or URL of your CA.

  2. Click Request A Certificate.

  3. Click Advanced Certificate Request.

  4. If you need a new certificate, select Submit A Certificate Request By Using A Base-64-Encoded CMC Or PKCS #10 File. If you are renewing an existing certificate, select Submit A Renewal Request By Using A Base-64-Encoded PKCS #7 File.

  5. Paste the contents of the certificate request file into the Saved Request field.

  6. Click Submit.

  7. If this is an enterprise CA, you will be presented with your certificate. If this is a standalone CA, you will need to return here when the request is approved.

Sending an SSL Certificate Request to a Commercial CA

The steps for sending a certificate request to a commercial CA depend on the commercial CA. Typically, the verification process for a commercial certificate is extensive. For example, to obtain a Verisign certificate, you need to complete seven steps:

  1. Proof of organization.

  2. Proof of domain name.

  3. Generate a Certificate Signing Request (CSR).

  4. Submit the CSR and select your server software.

  5. Complete and submit the application.

  6. Wait for processing and final verification.

  7. Install your ID.

Proof of Organization

When verifying your organization, Verisign will first use your Dun and Bradstreet D-U-N-S Number (a nine-character number that identifies your company). If you don't have a D-U-N-S Number, or you cannot be identified by it (if you are still in the registration process, for example), you will be asked for proof of organization using one of the following documents:

  • Articles of incorporation

  • Business license

  • Certificate of formation

  • Doing business as name

  • Registration of trade name

  • Charter Documents

  • Partnership papers

  • Fictitious name statement

    Note: Some additional steps may be required for organizations in certain countries.

Proof of Domain Name

Verisign will then need to verify that you are the actual owner of the domain for which you want to purchase a certificate. Verisign may simply compare the company information you submitted in the 'Proof of organization' step with the registrant information for the domain. For .com, .net, and .org domains, your domain information can be viewed at http://www.netsol.com/cgi-bin/whois/whois (among other places). If your information doesn't match for some reason (because you don't own the domain name, or because someone else registered it for you under another name), you can resolve this in one of the following ways:

  • Submit a domain authorization letter from the owner of the domain, authorizing you to use it.

  • Change the registrant information and notify Verisign via e-mail.

  • Submit proof of a legal family relationship between you and the owner of the domain.

  • Submit proof of a legal name change from the name shown as the registrant.

    Note: More detail can be found on the Verisign web site (http://www.verisign.com).

Generate a Certificate Signing Request (CSR)

This step is simply the process of creating a certificate request in IIS, as detailed earlier in the chapter. Keep in mind that the common name must exactly match the host name clients use to reach the web site on which you will be installing the certificate; otherwise, browsers will not accept the certificate for that site. For example, if your web site is reached by typing www.beer-brewers.com into a browser, you would define a common name of www.beer-brewers.com, not just beer-brewers.com.
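The Web Server Certificate Wizard steps above and this common-name rule, carried out from the command line as an added example (not from the book): certreq.exe, which ships with Windows Server 2003, builds the same Base-64 PKCS #10 request from an INF file, and certutil is used to confirm the CN before the request is submitted. The host name, organization details and CA name are placeholders to replace with your own.

```powershell
# Added example: command-line equivalent of the wizard's "prepare the request now,
# but send it later" path. Values below are placeholders, not from the book.
$HostName = "www.beer-brewers.com"     # exactly what clients type in the browser
$CaConfig = "CASERVER\Mine"            # <server>\<CA name>, only for an online CA (assumed)

# The INF carries the same fields the wizard asks for: subject, key length, CSP.
# KeySpec=1 and the SChannel provider (ProviderType 12) are what IIS needs for SSL.
$Inf = @"
[NewRequest]
Subject = "CN=$HostName, OU=Web, O=Example Brewers, L=Seattle, S=Washington, C=US"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@
Set-Content -Path request.inf -Value $Inf

# Generate the private key (kept in the machine store) and the Base-64 request file.
# request.req is what you paste into the CA's Saved Request field or the
# commercial CA's enrollment form.
certreq -new request.inf request.req

# Check before submitting: the request's Common Name must equal the host name.
# A mismatch is otherwise only discovered after the certificate has been issued.
$Dump = certutil -dump request.req | Out-String
if ($Dump -notmatch "CN=$([regex]::Escape($HostName))") {
    throw "request.req does not carry CN=$HostName; regenerate it before submitting"
}

# With your own online enterprise CA, the wizard's "send immediately" path is:
#   certreq -submit -config $CaConfig request.req request.cer
#   certreq -accept request.cer
# A standalone CA answers "Taken Under Submission" with a request ID instead;
# after an administrator issues it, fetch it with: certreq -retrieve <ID> request.cer
```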

Submit the CSR and Select Your Server Software

When you submit a request to Verisign, you will need to open the file you created while running the Web Server Certificate Wizard with a text editor, such as Notepad, and copy the contents into Verisign's web enrollment form. You will then choose your server software, which is IIS in our case.

Complete and Submit the Application

This step verifies your common name again (common names are important) and collects contact and payment information.

Wait for Processing and Final Verification

Verisign will now process the information you submitted and verify your payment information. This should take three to five days. The organization contact defined in the previous step will then be contacted for final verification.

Install Your ID

After all the information has been verified and processed, Verisign will e-mail your technical contact the certificate. Now it's time to install (see 'Installing an SSL Certificate' a little later).

Sending a Request for a Client Certificate from the Certification Authority MMC Snap-in

You can also send a request using the Certification Authority MMC snap-in shown in Figure 10-5.

Figure 10-5: The Certification Authority MMC snap-in

  1. Open the Certification Authority MMC snap-in by choosing Start | Administrative Tools | Certificates.

  2. Right-click the name of the CA (In Figure 10-5, my CA is called Mine), and choose All Tasks | Request New Certificate.

  3. Click Next on the welcome screen.

  4. Select the type of certificate you will request, and then click Next.

  5. Name your certificate something descriptive, and click Next.

  6. Click Finish. Your certificate should now be installed.

Sending a Request for a Client Certificate from the Web

Here's how to send a request for a client certificate from the web:

  1. In a web browser, type http://<yourserver>/certsrv in the address bar, replacing <yourserver> with the IP address or URL of your CA.

  2. Click Request A Certificate.

  3. Click Web Browser Certificate.

  4. Fill out the appropriate information, and then click Next.

  5. If your CA is a standalone CA, you are informed that you must wait until an administrator approves your request. If your CA is an enterprise CA, you are presented with your certificate immediately.

Issuing or Denying Certificates from a Standalone CA

Once a certificate has been requested from a standalone CA, the request sits in the Pending Requests folder, and all you need to do is issue or deny it. Once issued, the certificate will be usable. Here are the steps to issue the certificate:

  1. Open the Certification Authority MMC snap-in.

  2. Click Pending Requests (Figure 10-6).

    Figure 10-6: Certification Authority MMC snap-in

  3. Right-click the pending certificate and choose All Tasks | Issue.

Downloading a Web Browser Certificate from the Web

Once the certificate has been issued, the requestor may install the certificate and use it. Here are the steps the requestor can use to install the certificate once it has been issued:

  1. Return to http://<yourserver>/certsrv, replacing <yourserver> with the IP address or URL of your CA.

  2. Click View The Status Of A Pending Certificate Request.

  3. Click Web Browser Certificate.

  4. Click Install This Certificate. The certificate is now installed.

Installing an SSL Certificate

After you receive your certificate from the CA, it is time to install it.

  1. Open the IIS MMC snap-in by choosing Start | Administrative Tools | Internet Information Services (IIS) Manager.

  2. Right-click the appropriate virtual server and choose Properties.

  3. Click the Directory Security tab.

  4. In the Secure Communications section, click Server Certificate.

  5. Click Next at the welcome screen.

  6. Select the Process The Pending Request And Install The Certificate radio button.

  7. Click Browse and select the certificate that was sent to you.

  8. Click Next.

  9. The wizard prompts you for the SSL port number. The default is 443, and it should not be changed unless you have a good reason to, because clients look for SSL on port 443 by default.

  10. You are then presented with the details of your certificate. Click Next.

  11. If the issuing CA is not trusted, a message box appears, warning that the issuing party should not be trusted. Remember, if the certificate came from your own CA, it will not be from a trusted party until your CA's root certificate has been added to the browser's trusted root CA list.

  12. Click Finish.

Congratulations! Your certificate is now installed!




IIS 6: The Complete Reference
ISBN: 0072224959
Year: 2005
Pages: 193
