What is a CSR? A Certificate Signing Request or CSR is a specially formatted encrypted message sent from a Secure Sockets Layer (SSL) digital certificate applicant to a certificate authority (CA). The CSR validates the information the CA requires to issue a certificate. A CSR must be created before ordering and purchasing an SSL certificate (or activating an SSL certificate already purchased through your domain registrar). How a CSR is generated depends on the web server software used. Once the CSR is generated, it can be submitted to the CA. If the request is successfully validated, the CA will issue the SSL certificate.
Here are the steps to generate a CSR in IIS7 on Windows Server 2008 R2. Why might this be necessary? Well, you may want to install Microsoft Exchange and connect to it via Outlook or Outlook Web Access (OWA) which would require Secure Socket Layer (SSL).
- Click Start
- Select Administrative Tools
- Start Internet Information Services (IIS) Manager
- Click the Server Name
- Double click on the “Server Certificates” button in the “IIS” section, located int he center menu
- Choose the “Actions” menu (on the right)
- Click on “Create Certificate Request (Note: Even if you are renewing an SSL certificate that may be about to expire, use the CREATE Certificate Request and do NOT select renew).
- The Request Certificate wizard will be opened. From here, you will need to enter the information required for the CSR code (details and example listed below):
Common Name: e.g. yourdomain.com or, if you are creating a CSR for your mail server’s subdomain, then enter something like this containing your server’s host header: mx.yourdomain.com or mail.yourdomain.com
Organization: MyCompany Ltd
Organization Unit (eg, section): Communications, IT, Support, Sales etc.
City/ Locality Name: Los Angeles
State or Province Name (full name): California
Country Name (2 letter code): US
- Specify a filename and location to save your CSR code (e.g. c:\certificate\certreq.txt)
- Click Finish
You may view the CSR file using a text editor such as Notepad++ and the certificate request should appear like this:
Image Omitted for security reasons.
Note: When Installing the newly issued (renewal) certificate issued to you by your CA, you must first REMOVE the existing certificate from IIS7 because there will be an installation conflict (between the new certificate and the existing certificate that is still installed on the server. In other words, an error will occur during installation of the new certificate if the existing certificate is not first removed.
This article is based substantially upon Namecheap.com support knowledge base article:
After your new or renewal SSL certificate is issued to you and arrives via email, you may follow these instructions to install it on IIS7, but watch out for the known bug in IIS7.
When you click “Complete Certificate Request” in IIS7 management console, and then browse to find your newly issued *.cer file, when you click Open, you may receive an error message about a “Conflict” explaining that the CSR may not have been issued by the server where you are installing the *.cer file, which is nonsense.
Just continue hitting Retry or OK button a couple times, then hit the cancel button. Refresh the screen in IIS7 Management Console and see if your new certificate is listed there without a Friendly Name associated with it. That is GOOD. Do not remove the installed certificate. Now go to do the Bindings on the IIS7 Default Web Site. See the Second Link (last article) listed two paragraphs above.
Once the bindings are established to https on port 443, then you must restart the default website from within the management console.
Go test that your website can be viewed via https://
The last few lines of the tutorial say:
Click ‘OK’ on the ‘Web Site Bindings’ Window to complete the install.
Important: You must now restart IIS / the website to complete the install of the certificate.
If none of this works, you may have to generate a new CSR and get the certificate re-issued from your CA.