How to create a simple server certificate in MS IIS 8.5
Microsoft IIS 8.5 runs on Windows Server 2012 R2. You find the management of server certificates in IIS Manager when you select the server node in the left pane:
Double-click the Server Certificates icon to open the window you will work with. The central pane lists the certificates installed so far and available to the web server:
In the right (Actions) pane there are three functions, i.e. three ways to create a certificate. In every case the result is a simple certificate without subject alternative names (SANs):
- Create Certificate Request (CSR) - the most suitable function if you need to save the CSR into a file and submit it later to a CA for signing, e.g. to CAcert.
- Create Domain Certificate - this function does not create a CSR file; it submits the request immediately to the local (domain) CA.
- Create Self-Signed Certificate - suitable for testing only, because the resulting certificate is not signed by any well-known, trusted CA, so browsers will warn about it.
So let's deal with the first function only, which produces a file containing a simple CSR. If you need subject alternative names (SANs) for your web server, it is better to create the certificate by another method, described for example here, and then import the certificate together with its private key from a backup file with the suffix .PFX/.P12, using the very first function of the Actions pane, Import.
Clicking the link "Create Certificate Request..." opens a dialog where you enter the basic information about the server, its location and the company:
In the next step of the wizard you choose the cryptographic service provider and the key length (bit length). Select at least 2048 bits:
In the last wizard step you enter the path and file name of the file where the CSR is to be saved:
The CSR file may have any suffix (default: .txt). If you submit the CSR for signing to a Microsoft CA (certificate services web enrollment), you can add SANs in the Additional Attributes box in the form san:dns=name1&dns=name2 (here: the SANs of the server FQDN). Note that the CA honours this attribute only if the EDITF_ATTRIBUTESUBJECTALTNAME2 flag is set on it, and because that flag lets any requester put arbitrary names into a request it is normally left off unless enrollment is tightly restricted:
To obtain a server certificate from CAcert, paste the CSR contents into the web form on the CAcert.org site. This is available once you have at least 50 assurance points (APs). In the menu on the right side select "Server certificates" - "New".
The next picture shows part of the CAcert web form. You cannot enter SANs here, not even under "Advanced Options". The default settings are the SHA-256 hash algorithm and signing by the CAcert Class 3 root certificate, which is itself signed with SHA-1 rather than the MD5 used for the older root. Leave the defaults, tick that you agree with the CCA (CAcert Community Agreement), and press "Submit".
For a detailed description of how to obtain a server certificate, see this page.
Install the certificate you received using IIS Manager again, with the function "Complete Certificate Request..." in the Actions pane. You enter the location of the certificate file and a "friendly name" of your own choosing:
With this procedure the private key was generated directly on the web server and stays in the machine certificate store, so the certificate is ready for use as soon as the request is completed. For the same reason the request must be completed on the server that created the CSR; on any other machine IIS finds no matching private key. All that remains is to bind the certificate to the HTTPS protocol.
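The same create-and-complete flow, done from PowerShell with certreq instead of the IIS wizard, as an added example that is not part of the original page. Unlike the wizard, certreq can put SANs into the request itself, and the last step checks what the wizard's "Complete Certificate Request..." does implicitly: that the issued certificate is paired with the private key on this server. The host names, subject fields and paths are assumptions for illustration.

```powershell
# Added example, not from the original page: CSR with SANs via certreq, then
# completion and a private-key check. Names, paths and subject fields are assumed.
$cn   = "www.example.com"                       # assumed FQDN of the web server
$sans = @("www.example.com", "example.com")     # assumed SANs; repeat the CN here
$dir  = "C:\certs"
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# certreq reads its parameters from an .inf file. 2.5.29.17 is the subjectAltName
# extension; each DNS name is its own _continue_ line ending with '&'.
$sanLines = ($sans | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"

# Exportable = FALSE keeps the key on this server; set TRUE only if you must be
# able to back the pair up to a .PFX file as described above.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$cn, O=Example Ltd, L=Prague, C=CZ"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
$sanLines
"@
Set-Content -Path "$dir\request.inf" -Value $inf -Encoding Ascii

# Generate the key pair in the machine store and write the PKCS#10 request.
certreq -new "$dir\request.inf" "$dir\request.csr"

# Check the request before submitting it: the SAN extension must list every name.
certutil -dump "$dir\request.csr" | Select-String -Pattern "Subject:", "DNS Name="

# Paste request.csr into the CA's form (e.g. CAcert), save the issued certificate
# as issued.cer, then complete the request ON THE SAME SERVER. This is the
# command-line equivalent of "Complete Certificate Request..." in IIS Manager.
certreq -accept "$dir\issued.cer"

# Verify the certificate is paired with its private key; without that pairing
# the HTTPS binding cannot use it.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$cn*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert -or -not $cert.HasPrivateKey) {
    throw "No certificate for $cn with a private key in LocalMachine\My"
}
"Installed $($cert.Thumbprint), valid until $($cert.NotAfter), names: $($cert.DnsNameList.Unicode -join ', ')"
```

The certutil check is worth doing every time: a CA signs what is in the request, so a SAN missing from request.csr is missing from the certificate, and the only remedy is a new request.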
In the left pane select the web site that is to serve HTTPS, then choose the "Bindings..." action in the right pane. A dialog opens where you either select the existing https binding and edit its parameters (Actions pane - "Edit..."), or define a new one (Actions pane - "Add...") if no https binding exists yet.
In the next dialog choose or edit the "https" type. Select the IP address (default: All Unassigned), the port (default: 443) and a certificate from those listed in the "Server Certificates" window of IIS Manager. Tick "Require Server Name Indication" (SNI) and fill in the host name if you run several virtual servers on a single IP address: the name the browser sends in the TLS handshake is then compared with the host name of the binding so that the right site and certificate are chosen.
Close the dialogs. The binding takes effect as soon as it is saved (restarting the site does no harm if you are unsure), and HTTPS is functional.
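The binding step and its verification from PowerShell, as an added example that is not part of the original page. It creates an SNI binding with the WebAdministration module, attaches the certificate, and then performs a real TLS handshake against the server, sending the host name as SNI, to confirm that the certificate actually presented is the one just bound. The site name and host name are assumptions; the certificate is looked up by the name it covers.

```powershell
# Added example, not from the original page: HTTPS binding with SNI plus a
# handshake check. Site name and host name are assumptions.
Import-Module WebAdministration
$site     = "Default Web Site"      # assumed IIS site
$hostName = "www.example.com"       # assumed name browsers will send as SNI

# Newest certificate in the machine store that covers the host name (DnsNameList
# includes the SANs) and has a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and ($_.DnsNameList.Unicode -contains $hostName) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $hostName in LocalMachine\My" }

# SslFlags 1 = SNI required: the binding is keyed by host name, so several sites
# can share one IP address on port 443. Without a host header IIS falls back to
# an IP:port binding and every name on that address gets this certificate.
$binding = Get-WebBinding -Name $site -Protocol https -Port 443 -HostHeader $hostName
if (-not $binding) {
    New-WebBinding -Name $site -Protocol https -Port 443 -HostHeader $hostName -SslFlags 1
    $binding = Get-WebBinding -Name $site -Protocol https -Port 443 -HostHeader $hostName
}
# Attach the certificate (from the Personal store, "My") to that binding.
$binding.AddSslCertificate($cert.Thumbprint, "My")

# 1) What HTTP.sys now holds for this host name.
netsh http show sslcert hostnameport="$($hostName):443"

# 2) A real handshake against the local server with SNI = $hostName. The
# validation callback returns $true so this check does not depend on the CA being
# trusted: CAcert's root is not in the Windows trust store unless you import it,
# which is a separate, client-side step.
$tcp = New-Object System.Net.Sockets.TcpClient("127.0.0.1", 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
try {
    $ssl.AuthenticateAsClient($hostName)
    $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}
if ($presented.Thumbprint -ne $cert.Thumbprint) {
    throw "Server presented $($presented.Thumbprint) for $hostName, expected $($cert.Thumbprint)"
}
"OK: $hostName presents $($presented.Thumbprint), subject $($presented.Subject)"
```

Run the handshake check once more with a host name that has no binding: with SNI bindings only, the server then has nothing to present and the connection fails, which is the expected behaviour and a quick way to confirm that no default IP:port binding is leaking a certificate to unrelated names.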