If you host websites on Windows Server using Internet Information Services (IIS), securing them with SSL/TLS certificates is essential. The very first step in obtaining an SSL certificate from a Certificate Authority (CA) is to create a CSR. Fortunately, IIS provides a built-in tool to generate the CSR directly on the server where you intend to install the certificate.
This guide provides clear, step-by-step instructions on using IIS Manager to generate your Certificate Signing Request, ensuring you gather the correct information and follow the process accurately.
Key Takeaways
- CSR Purpose: A CSR is an encoded block of text containing information about your organization and domain, along with your public key. It’s required by CAs to issue your SSL certificate.
- IIS Manager Tool: Windows Server’s IIS Manager has an integrated wizard (“Create Certificate Request…”) specifically for this task.
- Information Accuracy: Providing precise and correct information (especially the Common Name) in the CSR is critical for the certificate to be valid.
- Key Pair Generation: When you generate the CSR in IIS, it simultaneously creates a corresponding private key, which remains hidden on the server, pending the certificate installation. Do not delete the pending request in IIS.
- Key Size: Use a key bit length of 2048 bits or higher for adequate security (the industry-standard recommendation, e.g., NIST guidelines).
- Output: The process generates a text file (`.req` or `.txt`) containing the CSR, which you’ll submit to your chosen CA.
What is a CSR and Why Do You Need It?
A Certificate Signing Request (CSR) is a formal request sent from you (the applicant) to a Certificate Authority (CA) to obtain a digital certificate. It contains essential details identifying your server and organization, plus the public key that will be embedded in the certificate.
The CA uses the information in the CSR to verify your identity (level of verification depends on the certificate type – DV, OV, EV) and then creates the SSL certificate, digitally signing it with their own private key to vouch for its authenticity. You cannot get a trusted SSL certificate without first generating a CSR.
Before You Begin: Information Needed
Before starting the CSR generation wizard in IIS, gather the following information accurately. This information forms the certificate’s Distinguished Name (DN):
- Common Name (CN): The most crucial field. This is the fully qualified domain name (FQDN) you want to secure.
  - For a single domain: `www.yourdomain.com` or `yourdomain.com` (choose the primary way users access your site).
  - For a Wildcard certificate: `*.yourdomain.com`
  - Note: Ensure this matches exactly what you are ordering from the CA.
- Organization (O): Your legally registered organization name. (Required for OV/EV certs, often optional or not used for DV certs – check CA requirements).
- Organizational Unit (OU): The specific department within your organization (e.g., “IT Department,” “Web Security”). Often optional.
- City/Locality (L): The city where your organization is legally located. Do not abbreviate.
- State/Province (S): The state or province where your organization is located. Do not abbreviate.
- Country/Region (C): The two-letter ISO country code (e.g., US, GB, CA, AU).
Also, decide on the Key Bit Length: 2048 bits is the minimum standard; 4096 bits offers higher security but might have minor performance implications on older hardware. 2048 is generally recommended.
Step-by-Step: Generate CSR in IIS Manager
Follow these steps on the Windows Server where your website is hosted and where you plan to install the final certificate:
- Open IIS Manager:
  - Press `Win + R`, type `inetmgr`, and press Enter.
  - Or, find it via Server Manager > Tools > Internet Information Services (IIS) Manager.
- Navigate to Server Certificates:
  - In the Connections pane on the left, click the server name (the top node under “Start Page”).
  - In the center pane (the server’s home features), double-click on Server Certificates.
- Start the Request Wizard:
  - In the Actions pane on the right, click Create Certificate Request….
- Enter Distinguished Name Properties:
  - The “Distinguished Name Properties” window will appear. Carefully fill in the information you gathered earlier:
    - Common Name: Your FQDN (e.g., `www.yourdomain.com` or `*.yourdomain.com`). Double-check this!
    - Organization: Your legal company name.
    - Organizational Unit: Your department (e.g., IT).
    - City/locality: Full city name.
    - State/province: Full state name.
    - Country/region: Two-letter country code.
  - Click Next.
- Configure Cryptographic Service Provider Properties:
  - Cryptographic service provider: Leave this as the default, Microsoft RSA SChannel Cryptographic Provider (unless you have specific reasons or hardware to change it).
  - Bit length: Select 2048 or higher from the dropdown menu.
  - Click Next.
- Specify File Name:
  - Click the `...` button to browse for a location and specify a file name to save your CSR.
  - Choose a recognizable name and save it as a `.txt` or `.req` file (e.g., `C:\csr_yourdomain_com.txt`).
  - Remember this location!
  - Click Finish.
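The same request the wizard builds can be produced non-interactively with certreq.exe, which makes the CSP, bit length and DN reviewable in a file. This is an added example, not part of the original guide; run it in an elevated PowerShell on the IIS server, and treat the DN values and file paths as placeholders for your own.

```powershell
# Added example (not from the original guide): build the CSR with certreq.exe using
# the same settings the IIS "Create Certificate Request" wizard uses.
# Assumptions: elevated PowerShell on the IIS server; DN values below are placeholders.
$Cn  = 'www.yourdomain.com'                 # Common Name: must match the CA order exactly
$Inf = Join-Path $env:TEMP 'csr_request.inf'
$Req = 'C:\csr_yourdomain_com.txt'          # the CSR file you will paste into the CA order form

@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
; Distinguished Name exactly as gathered before starting (no abbreviations)
Subject = "CN=$Cn, O=Your Company Ltd, OU=IT, L=London, S=Greater London, C=GB"
KeyAlgorithm = RSA
; wizard "Bit length": 2048 is the minimum, 4096 is acceptable
KeyLength = 2048
; wizard default CSP
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
; AT_KEYEXCHANGE, required for a TLS server key
KeySpec = 1
; private key goes into the machine store, as IIS does
MachineKeySet = TRUE
; allows the later PFX backup described under "Best Practices"
Exportable = TRUE
HashAlgorithm = SHA256
RequestType = PKCS10
; digitalSignature + keyEncipherment
KeyUsage = 0xA0

[EnhancedKeyUsageExtension]
; serverAuth
OID = 1.3.6.1.5.5.7.3.1
"@ | Set-Content -Path $Inf -Encoding ASCII

# Generates the key pair and writes the PKCS#10 request. The private key stays on this
# server as a pending request (IIS > Server Certificates, or the REQUEST store).
certreq.exe -new $Inf $Req
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# First line should read -----BEGIN NEW CERTIFICATE REQUEST-----
Get-Content -Path $Req | Select-Object -First 1
```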
What Happens Next? (After Generating the CSR)
- Locate the CSR File: Navigate to the location where you saved the CSR file (`.txt` or `.req`).
- Open and Copy: Open the file using a plain text editor like Notepad. You will see a block of text starting with `-----BEGIN NEW CERTIFICATE REQUEST-----` and ending with `-----END NEW CERTIFICATE REQUEST-----`.
- Submit to CA: Copy the entire text block (including the BEGIN/END lines) and paste it into the order form on your chosen Certificate Authority’s website (e.g., SSLRepo.com).
- Pending Request in IIS: Crucially, IIS has now generated the CSR and its corresponding private key. The private key is stored securely within Windows, associated with a “pending request” visible in the Server Certificates section of IIS. Do not delete this pending request. You will need it later when you receive the issued certificate from the CA to complete the installation process.
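Before pasting the CSR into the CA order form, it is worth decoding it and confirming that the Common Name and key length are what you intend, and that the matching pending request (and therefore the private key) exists on this server. The following check is an added example, not part of the original guide; `Test-IisCsr`, `$CsrPath` and `$ExpectedCn` are names chosen here, and it relies only on certutil.exe.

```powershell
# Added example (not from the original guide): decode a saved CSR with certutil.exe,
# check CN and key length, and confirm the pending request exists in the machine store.
# Assumptions: run on the server where the CSR was generated; paths/CN are placeholders.
function Test-IisCsr {
    param(
        [Parameter(Mandatory)] [string] $CsrPath,
        [Parameter(Mandatory)] [string] $ExpectedCn,
        [int] $MinKeyBits = 2048
    )
    $pem = Get-Content -Raw -Path $CsrPath
    if ($pem -notmatch '-----BEGIN NEW CERTIFICATE REQUEST-----') {
        throw "File does not look like an IIS/certreq CSR: $CsrPath"
    }

    # certutil -dump prints the decoded Subject and "Public Key Length: NNNN bits"
    $dump = certutil.exe -dump $CsrPath | Out-String
    $cn   = [regex]::Match($dump, 'CN=([^\r\n,]+)').Groups[1].Value.Trim()
    $bits = [int][regex]::Match($dump, 'Public Key Length:\s*(\d+)\s*bits').Groups[1].Value

    $ok = $true
    if ($cn -ne $ExpectedCn) {
        Write-Warning "CSR Common Name is '$cn', expected '$ExpectedCn'"; $ok = $false
    }
    if ($bits -lt $MinKeyBits) {
        Write-Warning "CSR key is $bits bits, below the $MinKeyBits-bit minimum"; $ok = $false
    }

    # The pending request that holds the private key lives in the machine REQUEST store.
    $pending = certutil.exe -store REQUEST | Select-String -SimpleMatch "CN=$ExpectedCn"
    if (-not $pending) {
        Write-Warning "No pending request for $ExpectedCn on this server; the issued certificate could not be completed here"
        $ok = $false
    }
    return $ok
}

Test-IisCsr -CsrPath 'C:\csr_yourdomain_com.txt' -ExpectedCn 'www.yourdomain.com'
```

A `True` result means the file is safe to submit; a warning about the CN or key length means you should generate a new CSR rather than edit the file.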
Best Practices & Tips
- Verify Information: Triple-check all DN information before clicking Finish in the wizard. Mistakes often require generating a completely new CSR.
- Secure the CSR: While the CSR itself only contains public information, treat the file securely until you’ve submitted it to the CA.
- Remember the Server: Make sure you install the final certificate on the same server where you generated the CSR, as that’s where the matching private key resides.
- Backup (Later): Once the certificate is installed, ensure you have a backup procedure for your certificate and its private key (usually by exporting it as a PFX file from IIS).
Wrapping It Up
Generating a CSR is the essential first move to secure your website with SSL/TLS. Using the “Create Certificate Request…” wizard in IIS Manager simplifies this process on Windows Server. By carefully providing accurate information, particularly the Common Name, and selecting an appropriate key size, you can successfully generate a CSR in IIS for SSL issuance. Once you have your CSR text file, you’re ready to purchase your certificate from a trusted provider like SSLRepo and proceed with the installation.
Frequently Asked Questions (FAQ)
Q1: Where is the private key stored after generating the CSR in IIS?
A: IIS automatically generates the private key and stores it securely within the Windows certificate store on the server. It’s linked to the pending request you see in the “Server Certificates” section. You don’t directly interact with the key file at this stage.
Q2: Can I generate a CSR for a Wildcard certificate (`*.domain.com`) using IIS?
A: Yes. Simply enter the wildcard name (e.g., `*.yourdomain.com`) in the Common Name (CN) field during the CSR generation process.
Q3: What happens if I make a mistake in the information entered for the CSR?
A: You generally cannot modify a CSR after it’s generated. If you find a mistake (especially in the Common Name) after generating it, you must generate a completely new CSR with the correct information and submit the new one to the CA. Discard the incorrect CSR file and you may want to cancel the pending request in IIS associated with the bad CSR if possible, though often just generating a new one is sufficient.
Q4: What Cryptographic Service Provider and Bit Length should I choose?
A: Stick with the default “Microsoft RSA SChannel Cryptographic Provider” unless you have specific requirements. Use a Bit length of 2048 bits as the minimum standard for security.
Q5: Can I use the same CSR to renew my SSL certificate?
A: While technically possible with some CAs, it is strongly recommended to generate a new CSR (and therefore a new private key) for every renewal. This is a security best practice: new key pairs for renewals are universally recommended.