Help - Generating a new key pair and CSR for IIS 7.0

Creating the keys and CSR

Use the IIS-7 Manager tool. First, display the server panes.

In the middle pane, double-click "Server certificates" (Certifikáty serveru). Then, in the right pane, click "Create a CSR..." (Vytvořit žádost o certifikát...). The wizard for creating a CSR opens. The request contains the server's new public key; the CSR is prepared for a website certificate (not a personal one), so it carries the server name, not your name. The private key is created at the same time and stored on the server.

Fill in the CSR form. The first text box must contain the server's FQDN. This is the name used in DNS, and the server must be known under this name on the Internet. Microsoft's approach is that if your server has multiple FQDNs (i.e. IIS-7 serves multiple virtual websites), you have to create a separate certificate for each of them, or use SAN parameters (alternative names), the first of which must be equal to the main name filled in here. CAcert then has to receive a CSR containing the SAN names.

Fill in the other text boxes according to reality. (A fictitious company name is used in this example.)

Wizard's next step: select the provider and the key length, as proposed in this example. Websites containing sensitive data may use longer keys.

Wizard's next step: enter the [path and] name of the file in which the CSR will be saved. Finish the wizard. A file containing the CSR, encoded in Base64, will be created.

Signing your CSR by CAcert - the certificate of your website will be created

Now visit your CAcert account and select "Server certificates" - "New" from the menu. Submit the whole contents of the CSR file. Save the generated certificate, encoded in Base64, in another file (for example, a file named certnew.cer).

Finishing the certificate in IIS-7

Still in the IIS Manager window, with your server selected in the left tree pane, double-click the "Server certificates" (Certifikáty serveru) icon, then select "Finish the CSR..." (Dokončit žádost o certifikát) in the right pane. A new wizard opens for that action. Enter the [path and] name of the certificate file (certnew.cer in this example), and choose a descriptive name for it so that it is quicker to find among the certificates. The wizard will find the matching private key and make the certificate active; its line then appears in the server certificate list.

Set up the binding of the certificate to a website

Now open the management of the website to which you want to assign the certificate. Select the root of the website concerned in the left pane (tree); in our example there is a single root, the default one. Select the action "Bindings..." (Vazby) in the right pane. Select the port for the HTTPS protocol (default 443). Select the appropriate certificate from the list of installed certificates. Then press the OK and Close buttons. The binding is now created. The website name is stored in the certificate (as a SAN alternative name or as the main name). The certificate is then sent to client computers accessing the server. A client computer must have the root certificate of the appropriate CA installed to be able to verify the certificate received from your website.

The whole procedure is now finished. If you have more than one virtual website in IIS-7, each with its own certificate, repeat the certificate installation and binding creation for every website.
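
To check the result of the steps above from a PowerShell prompt on the server, the following added example (not part of the original help page) inspects the CSR before it is submitted, then confirms that the finished certificate has its private key, an adequate key length and an HTTPS binding. The host name, the CSR path and the minimum key length are assumed values; replace them with your own.

```powershell
# Added example. Assumed values, not from the original page: adjust to your server.
$Fqdn    = 'www.example.org'        # FQDN typed into the first box of the CSR form
$CsrPath = 'C:\certs\request.csr'   # file written by the "Create a CSR..." wizard
$MinBits = 2048                     # assumed minimum acceptable RSA key length

# 1. Before submitting to CAcert: show subject, key length and SAN entries of the CSR.
certutil -dump $CsrPath |
    Select-String -Pattern 'CN=', 'Public Key Length', 'DNS Name'

# 2. After "Finish the CSR...": find certificates for this name in the machine store.
$cnPattern = 'CN=' + [regex]::Escape($Fqdn) + '(,|$)'
$certs = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match $cnPattern })
if ($certs.Count -eq 0) {
    Write-Warning "No certificate with CN=$Fqdn found in LocalMachine\My"
}

foreach ($c in $certs) {
    # Subject Alternative Name extension (OID 2.5.29.17), if the CSR carried one.
    $san  = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $bits = $c.PublicKey.Key.KeySize    # assumes an RSA key, as the wizard creates

    # 3. HTTP.sys lists each HTTPS binding with the hash of its certificate.
    $bound = [bool](netsh http show sslcert |
        Select-String -SimpleMatch $c.Thumbprint)

    New-Object PSObject -Property @{
        Thumbprint    = $c.Thumbprint
        Subject       = $c.Subject
        SAN           = $(if ($san) { $san.Format($false) } else { '(none)' })
        NotAfter      = $c.NotAfter
        HasPrivateKey = $c.HasPrivateKey      # must be True for IIS to use it
        KeyBits       = $bits
        KeyLongEnough = ($bits -ge $MinBits)
        HttpsBinding  = $bound                # True once step "Bindings..." is done
    }
}
```

A certificate that shows `HasPrivateKey = False` was not matched to the key pair created by the CSR wizard on this server and cannot be used for the binding.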