The Internet Information Server (IIS) and Microsoft Internet Security and Acceleration (ISA) provide wizards in the administration user interface to request and install SSL certificates. With this blog post I want to explain how to request a SSL server certificate manually. The manual steps are required if the Certification Authority (CA) is not available in the same forest as the IIS or ISA is a member of.
1. Creating an INF file to set the certificate properties
Use Notepad to modify the following sample INF file according to your needs. Safe the file as ssl.inf for example
[Version] Signature="$Windows NT$"
[NewRequest] Subject = "CN=SERVER.CONTOSO.COM" ; For a wildcard use "CN=*.CONTOSO.COM" for example ; For an empty subject use the following line instead or remove the Subject line entierely ; Subject = Exportable = FALSE ; Private key is not exportable KeyLength = 2048 ; Common key sizes: 512, 1024, 2048, 4096, 8192, 16384 KeySpec = 1 ; AT_KEYEXCHANGE KeyUsage = 0xA0 ; Digital Signature, Key Encipherment MachineKeySet = True ; The key belongs to the local computer account ProviderName = "Microsoft RSA SChannel Cryptographic Provider" ProviderType = 12 SMIME = FALSE RequestType = CMC
; At least certreq.exe shipping with Windows Vista/Server 2008 is required to interpret the [Strings] and [Extensions] sections below
4. Installing the certificate at the IIS or ISA computer
Once the certificate was issued and is available as a file on the target computer, use the following command to install it.
certreq –accept ssl.cer
The installation actually puts the certificate into the computer’s personal store, links it with the key material created in step #1 and builds the certificate property. The certificate property stores information such as the friendly name which is not part of a certificate.
After performing steps 1 to 4 the certificate will show up in the IIS or ISA management interface and can be bound to a web site or a SSL listener.