How to generate 2048 bit new CSR on old IIS 5, IIS 6; and How to install PEM private key and certificate on IIS 5,6 and 7

When we generate a new certificate signing request (CSR) to renew a current SSL certificate on IIS, IIS will retain all the original information, including the key size.  If the SSL certificate is of 1024 bit key size, the CSR generated will not be accepted by most CA nowadays.

We need to generate a new CSR of 2048 bit.  How?

To generate a CSR of 2048 bit, we may use the below two approaches:

Approach 1: Generate the CSR by create a temporary or dummy site.
Create a new dummy web site, and then create a CSR for this new dummy site.  In this way, the new CSR is no longer limited by existing keysize setting.  You may follow the detail instruction here or that from Microsoft KB295281.
Approach 2: Use OpenSSL
The standard OpenSSL command to generate 2048 bit CSR is:
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
This online tool can generate OpenSSL command for you, even if you are not familiar with OpenSSL.

Approach 3: Use online tools to directly generate CSR
  1. We can use online tools for the generation of the new CSR (link). 
    Of course, it poses some level of security risk as the private key may be exposed on the Internet.
  2. We will receive a CSR and a Private key (in PEM format).  The CSR file can be used to submit to CA to apply for a SSL certificate. 
  3. Some CA offers Private Key generation during SSL certificate application.  After successful application, we will receive the Public key.  The private key is usually available for download on their website.
Convert PEM private key and PEM certificate into a single file (PKCS12) (.PFX file)
    1. After having the private and public key, for direct import of the certificate to IIS, we  need to perform format conversion to combine private key and public cert into a single PFX file.
      1. We can use openSSL to perform this task:
      2. openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

      3. Use the online too to convert PEM Public and Private certificate to PKCS12 (aka PFX) file (link)

      4. This online tool combines a Public certificate (PEM format) and a Private certificate (PEM format) into a single PFX file.  For import to web server such as IIS.
      5. You will be asked for a password to pack the PFX file.  Do not lose this.  When we import this PFX file to IIS, we will be asked for this password.
      6. After press the download button, a ZIP file will be downloaded.  Inside the ZIP file, there is one single SFX file (which contains the private key and the CER and protected by the supplied password).
    Import  PKCS12 (.PFX file) SSL certificate to IIS 5 /6

      1. Then, we need to import the PFX back to IIS.  We will backup the currect SSL cert, then remove the cert, and import the cert:

        1. Open Internet Information Services (IIS) Manager (inetmgr). Locate your website profile in the left column (usually this will be called "Default Web Site") and right click on it. Choose "Properties" then in the window that opens click the "Directory Security" tab.
        2. Click the 'Server Certificate' button and the Server Certificate wizard will start.
        3. A list of options should appear in the Server Certificate wizard.  Choose "Export the current certificate to a .pfx file (this option might be disabled if you haven't choose allow backup during import of the SSL cert).
        4. Follow the on screen instruction to give the SFX file a password.  Choose the location of the file to be saved.
        5. Click the 'Server Certificate' button and the Server Certificate wizard will start.
        6. Choose "Remove the current certificate"
        7. Follow the on screen instruction to complete this task.
        8. Click the 'Server Certificate' button and the Server Certificate wizard will start.
        9. Choose "Import a certificate from a .pfx file".  Click Next.
        10. Locate the SFX file.
        11. If you prefer, please check "Mark cert as exportable".
        12. Click Next.
        13. Enter the password that you enter during the generation of SFX.
        14. Complete the wizard by following the on screen instruction.

      Import  PKCS12 (.PFX file) SSL certificate to IIS 7

        1. Enter IIS manager (Start – run – inetmgr).  Select the server.  Then click “Server Certificates” under “IIS”
        2. You can see all the SSL certificates installed in this server.  There is no need to remove the old one.  Please click “Import” to import the new one.
        3. In the import certificate dialog, browse for the SSL certificate (in PKCS12 SFX format).  You must provide the password that you entered during the generation of SFX file.  Please also mark “Allow this certificates to be exported”.
        4. After import, you will see a new entry in the Server Certificates.  You can check with the new expiration date to verify it is a new SSL cert.
        5. Then go to the “Sites”.  Click on the site that you want to use the cert.  Then click “Bindings…”
        6. Select “https”.  Then click “Edit”
        7. Select the certificate that we have just imported.  You can click the “View” button to verify that we have picked the right certificate.
        8. Click “Close” to finish the binding.

        Other useful tools:
        • Create self-signed SSL certificate (link).  This is for testing only.  We can avoid the complex step to install OpenSSL and the complex steps to generate private and public key
        • Instruction to install SSL on various web servers (link)
        • OpenSSL reference (link)


        Popular Posts