Monday, April 14, 2014

Creating "Wildcard" Certificate Requests for IIS

If you don’t have an enterprise CA, don’t go looking for information about the “Web Server” certificate template: a template is only used when an enterprise CA issues the certificate, so it does not help you here even if it exists. Creating a custom request is fine; just make sure that you save it to a file at the end. That file is the PKCS#10 CSR you take to the external CA.
1)      In the Certificates MMC (computer account), go to the “Personal” folder. Right click, choose All Tasks -> Advanced Operations -> Create Custom Request.
a.       Hit “Next”.
b.      Choose “(No template) Legacy Key” as the template.
c.       Request format = PKCS #10 is the default and is correct.
d.      Hit “Next”.
e.      Click on “Details” so that the “Properties” button shows, and hit that.
f.        Go over the tabs right to left. This ensures that you first take care of the important functional items (key, extensions, subject) before coming to the cosmetic customizations.

2)      Things to check:
a.       “Private Key” tab, “Key Type”: mark the keyset for “Exchange” and do NOT leave it at “Signature” (the default). A signature-only keyset cannot be used by Schannel for a server certificate, so IIS will not be able to bind it.
b.      The above does not apply if you are using a CNG provider (key storage provider). Using a CNG provider is fine, but make sure it is an RSA provider or the certificate/keyset will not work for IIS. Choice of provider is a separate topic; choosing “Legacy Key” already gives you the right RSA CSP (the Microsoft RSA SChannel Cryptographic Provider) for our needs here.
c.       “Key Options”: mark the private key as exportable (“Make private key exportable”) so that you can later back up the completed keyset+certificate into a PFX (PKCS#12) file. Do NOT check “Strong private key protection”, as that demands an interactive prompt on every key use and so breaks the non-interactive use by the IIS service. Uncheck “key archival” if it is marked; archival is an enterprise CA function that commercial CAs do not support (at least not without a very special agreement). For the key size, do not accept the dialog’s default of 1024: choose at least 2048. Public CAs stopped issuing certificates for 1024-bit RSA keys at the start of 2014 and will reject such a CSR.
d.      “Extensions” tab, “Extended Key Usage”: add “Server Authentication” to the list on the right side.
e.      “Subject” tab: add a CN entry set to the server name. For a wildcard certificate this is the wildcard name itself, e.g. CN=*.example.com (example domain; use your own).
f.        Note: if you are using the Subject Alternative Name (SAN), then ALL names MUST be added there, including the one in the CN. Remember that *.example.com does not cover the bare example.com, so add that as its own DNS entry if the site answers on it. Set the CN to the most commonly used name for older clients that match on CN only; current browsers ignore the CN entirely and match only SAN entries, so treat the SAN as required, not optional.
g.       “General” tab (optional): add a friendly name and description; they later show up in the certificate list and make the cert easy to identify.
h.      Hit “OK” to close the Properties dialog and hit “Next”.
i.         Enter the wanted file name (e.g. C:\iis-csr.txt), keep the Base64 format, and hit “Finish”.
3)      You now have the CSR you need to take to the Certification Authority (CA), e.g. Verisign, Thawte, etc. The request stays in the “Certificate Enrollment Requests” folder with its private key until the issued certificate is imported.
4)      Once you get the certificate back from the Certification Authority, go to the same “Personal” folder as before, right click and choose All Tasks -> Import…, find the file and go through the wizard with the defaults. The certificate is matched to the pending request by its public key, which is why it must be imported on the machine that created the request.
5)      DONE, enrollment finished. Now you can assign the certificate in the IIS MMC and, if wanted, back up the certificate + private key into a PFX file.
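The same request can be produced without clicking through the MMC, which is handy when you need it repeatable or on a Server Core box. The script below is an added example, not part of the original post: it uses certreq.exe with an INF file that mirrors every setting from steps 1 and 2 (legacy RSA SChannel CSP, Exchange key, exportable, no strong protection, no archival, 2048-bit key, Server Authentication EKU, wildcard CN plus SAN entries), then accepts the issued certificate and backs it up to a PFX as in steps 4 and 5. The domain example.com, the directory C:\certs, the friendly name, the file names and the “Default Web Site” binding are assumed values; replace them with your own.

```powershell
# Added example (not from the original post): non-interactive equivalent of the
# MMC "Custom Request" walkthrough above, using certreq.exe and an INF file.
# Assumed values: domain example.com, working directory C:\certs, friendly name,
# file names and the IIS site name. Run from an elevated PowerShell prompt on the
# IIS host, because the private key is created in the computer's key store.

$WorkDir = 'C:\certs'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# INF mirrors the MMC settings: legacy RSA SChannel CSP, Exchange key (KeySpec=1),
# exportable, no strong key protection, no archival, 2048-bit key, Server
# Authentication EKU, wildcard CN and a SAN covering the wildcard and bare domain.
$Inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=*.example.com, O=Example Corp, C=US"
Exportable = TRUE            ; "Make private key exportable" (needed for the PFX backup)
KeySpec = 1                  ; 1 = AT_KEYEXCHANGE ("Exchange"); 2 = AT_SIGNATURE would not work for IIS
KeyLength = 2048             ; not the 1024 default of the dialog
KeyUsage = 0xA0              ; Digital Signature + Key Encipherment
MachineKeySet = TRUE         ; computer store, the one IIS reads
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = sha256
PrivateKeyArchive = FALSE    ; key archival is an enterprise CA feature
FriendlyName = "Wildcard example.com"

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1      ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"         ; Subject Alternative Name: all names, wildcard AND bare domain
_continue_ = "dns=*.example.com&"
_continue_ = "dns=example.com"
'@

$InfPath = Join-Path $WorkDir 'wildcard.inf'
$CsrPath = Join-Path $WorkDir 'wildcard.csr'
Set-Content -Path $InfPath -Value $Inf -Encoding ASCII

# Generate the key pair in the machine store and write the Base64 PKCS#10 request.
certreq.exe -new $InfPath $CsrPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Check the CSR before sending it to the CA: key length, EKU and SAN must all be there.
certutil.exe -dump $CsrPath

# --- After the commercial CA returns the signed certificate as wildcard.cer ---
# -accept pairs the issued certificate with the pending request's private key,
# which is what the MMC "Import" in step 4 does. It must run on the same machine.
$CerPath = Join-Path $WorkDir 'wildcard.cer'
if (Test-Path $CerPath) {
    certreq.exe -accept $CerPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

    # Find the certificate and confirm the private key got attached.
    $Cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject.StartsWith('CN=*.example.com') -and $_.HasPrivateKey } |
        Select-Object -First 1
    if (-not $Cert) { throw 'Issued certificate with private key not found in LocalMachine\My' }

    # Step 5: back up certificate + private key to a PFX (PKCS#12), chain included.
    $PfxPath = Join-Path $WorkDir 'wildcard.pfx'
    $PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
    Export-PfxCertificate -Cert $Cert -FilePath $PfxPath -Password $PfxPassword -ChainOption BuildChain | Out-Null

    # Bind it to port 443 of the site (assumed name "Default Web Site") instead of using the IIS MMC.
    Import-Module WebAdministration
    if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443)) {
        New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
    }
    New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $Cert -Force | Out-Null
}
```

If you prefer a CNG key, replace the ProviderName with “Microsoft Software Key Storage Provider”, drop KeySpec and ProviderType, and add KeyAlgorithm = RSA; an ECDSA key from that provider would fail at the IIS binding step for the reason given in 2b. Keep the INF and the CSR, but treat the PFX like the private key it contains: store it only where the key is allowed to live.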
