Generate CSR in IIS & Download Your SSL Certificate: A Complete Guide

Securing your website hosted on Windows Server with Internet Information Services (IIS) is crucial, and the process begins with obtaining an SSL/TLS certificate. The first mandatory step is to generate a Certificate Signing Request (CSR) in IIS, which creates the formal request for your certificate. Once the Certificate Authority (CA) validates your request, the next vital step is to download the SSL certificate files so you can install them on your server.

This guide provides a complete walkthrough, covering how to create the Certificate Signing Request using IIS Manager and what to expect when it’s time to download your newly issued SSL certificate.

Key Takeaways

  • Two-Phase Process: Getting an SSL certificate involves first generating a CSR on your server, submitting it to a CA, and then downloading the issued certificate files.
  • Generate CSR in IIS: Use the “Create Certificate Request…” wizard in IIS Manager. Provide accurate Distinguished Name information (especially the Common Name). This also creates a hidden private key on your server.
  • Pending Request: Generating a CSR leaves a “pending request” in IIS. Do not delete this; it’s needed to match the certificate with its private key during installation.
  • Certificate Issuance: After the CA validates your CSR information (takes minutes for DV, hours/days for OV/EV), they will issue the certificate.
  • Download Methods: You’ll typically download the SSL certificate files via a link in an email from the CA or by logging into your account portal on the CA’s website.
  • Download Formats: CAs offer various download formats. For IIS, .p7b (PKCS#7) is often ideal as it bundles the certificate and intermediate chain. Alternatively, individual .crt or .cer files can be used.
  • Files Needed: You will receive your server certificate and usually one or more intermediate CA certificates required for the trust chain.

Part 1: How to Generate CSR in IIS

This process creates the request file (.csr or .txt) you send to the CA and generates the corresponding private key on your server.

Information You’ll Need (Distinguished Name):

  • Common Name (CN): The exact FQDN (e.g., www.yourdomain.com, secure.yourdomain.com, or *.yourdomain.com for Wildcards). Must match what users type.
  • Organization (O): Legal company name (for OV/EV).
  • Organizational Unit (OU): Department (e.g., IT).
  • City/Locality (L): Full city name.
  • State/Province (S): Full state name.
  • Country/Region (C): Two-letter ISO code (e.g., US, GB).

Steps in IIS Manager:

  1. Open IIS Manager (inetmgr).
  2. Click the Server Name in the left Connections pane.
  3. Double-click Server Certificates in the center pane.
  4. Click Create Certificate Request… in the right Actions pane.
  5. Enter Distinguished Name Properties: Fill in the details accurately, especially the Common Name. Click Next.
  6. Configure Cryptographic Service Provider Properties:
    • Keep Microsoft RSA SChannel Cryptographic Provider.
    • Select 2048 bits or higher for the Bit length (NIST recommends a minimum of 2048-bit RSA keys for current security).
    • Click Next.
  7. Specify File Name: Choose a location and name (e.g., C:\CSRs\yourdomain_csr.txt) to save the CSR file. Click Finish.

After Generating the CSR:

  • You now have a text file containing the CSR (starts with -----BEGIN NEW CERTIFICATE REQUEST-----).
  • Copy the entire content of this file.
  • Submit this CSR text to your chosen Certificate Authority (like SSLRepo) during the ordering process.
  • Crucially: A pending request now exists in the “Server Certificates” section of IIS. Do not delete it.
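
For servers where the request has to be scripted, the following added example (not part of the original guide) creates the same kind of request with Windows' built-in certreq.exe, then decodes the CSR so the subject and key length can be reviewed before submission. The subject values and file paths are placeholders based on the guide's examples; run it from an elevated PowerShell session.

```powershell
# Added example: scripted CSR creation with certreq.exe, using the same
# provider and key length as the wizard steps above.
# Subject values and paths are placeholders, not real data.
$subject = 'CN=www.yourdomain.com, OU=IT, O=Your Company Ltd, L=London, S=England, C=GB'
$infPath = 'C:\CSRs\yourdomain_request.inf'
$csrPath = 'C:\CSRs\yourdomain_csr.txt'

# Request policy file read by certreq.
# Exportable = FALSE keeps the private key from being exported later;
# set it to TRUE only if you will need a .pfx export of this certificate.
$inf = @"
[NewRequest]
Subject = "$subject"
KeyLength = 2048
KeySpec = 1
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
"@
New-Item -ItemType Directory -Path (Split-Path $infPath) -Force | Out-Null
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generates the key pair in the machine key store and writes the CSR file.
certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Decode the CSR: check the subject and the public key length before
# pasting the text into the CA's order form.
certutil.exe -dump $csrPath

# The pending request and its private key sit in the machine REQUEST store.
Get-ChildItem Cert:\LocalMachine\REQUEST |
    Where-Object { $_.Subject -like '*CN=www.yourdomain.com*' } |
    Select-Object Subject, Thumbprint, HasPrivateKey
```

The `certutil -dump` and REQUEST store checks work equally well on a CSR produced by the IIS Manager wizard.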

Part 2: How to Download SSL Certificate Files

Once the CA has validated your domain (and organization for OV/EV) and issued the certificate, you need to download the files.

Receiving Notification:

  • You will typically receive an email notification from the CA confirming that your certificate has been issued. This email often contains instructions or a direct link to download the certificate.
  • Alternatively, you may need to log in to your account portal on the CA’s website where you purchased the certificate.

Download Process (General Steps – Varies by CA):

  1. Follow Email Link or Log In: Access the CA’s download area via the email link or by logging into your account dashboard.
  2. Locate Your Order: Find the specific certificate order that has been completed/issued.
  3. Choose Download Format/Server Type: Most CAs offer download options tailored for different server platforms.
    • Recommended for IIS: Look for options like IIS, Microsoft, or PKCS#7. This usually provides a .p7b or .spc file. This single file typically contains your server certificate and the necessary intermediate CA certificates bundled together, making installation easier in IIS.
    • Alternative: If a P7B option isn’t available, choose a format that provides individual certificate files, usually as Base64 encoded .crt or .cer files. You will likely receive:
      • Your Server Certificate (e.g., yourdomain.crt)
      • Intermediate CA Certificate(s) (e.g., intermediate.crt, ca-bundle.crt)
      • Possibly the Root CA Certificate (though often already trusted by browsers/systems).
    • Avoid PEM bundles meant for Apache/Nginx unless you know how to convert or combine them appropriately for IIS.
  4. Download the File(s): Click the download button and save the certificate file(s) to a secure location on your computer. You can download them to your local machine first and then transfer them to the server, or download directly on the server if convenient.

What You Downloaded:

  • .p7b / .spc (PKCS#7): A single file containing your certificate and the intermediate chain. Does not contain the private key (that’s still safely on your server linked to the pending request). Ideal for IIS’s “Complete Certificate Request” wizard.
  • .crt / .cer Files: Separate files for your domain certificate and the intermediates. You’ll use the main domain certificate (yourdomain.crt) with the “Complete Certificate Request” wizard, and you may need to import the intermediate(s) separately into the server’s “Intermediate Certification Authorities” store.

What’s Next? Installation!

Once you have generated the CSR in IIS and downloaded the SSL certificate files from your CA, the final step is installation. Return to the “Server Certificates” section in IIS Manager and use the “Complete Certificate Request…” action, pointing it to the certificate file you downloaded (preferably the .p7b file, or your main .crt file). This action matches the certificate with the pending private key, completing the process; HTTPS is enabled on your site after you bind the certificate to it.
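
Because the installation only succeeds on the server that holds the matching pending request, it helps to confirm the match before running the wizard. The following added example (not part of the original guide) compares the public key of each downloaded certificate with the pending requests in the machine REQUEST store and then checks that the bundled intermediates form a chain; the file path is a placeholder.

```powershell
# Added example: confirm the downloaded certificate belongs to a pending
# request on THIS server before running "Complete Certificate Request".
$certPath = 'C:\Certs\yourdomain.p7b'   # placeholder; a single .crt/.cer also works

# Load every certificate in the file (a .p7b holds the server
# certificate plus the intermediate chain, never a private key).
$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$bundle.Import($certPath)

# Pending requests created by the CSR step; each is tied to a private key.
$pending = @(Get-ChildItem Cert:\LocalMachine\REQUEST)

# The server certificate is the one whose public key equals the key
# of a pending request.
$leaf = $bundle | Where-Object {
    $key = $_.GetPublicKeyString()
    $pending | Where-Object { $_.GetPublicKeyString() -eq $key }
} | Select-Object -First 1

if (-not $leaf) {
    throw 'No certificate in the file matches a pending request on this server.'
}
"Matched pending request for: $($leaf.Subject)"
"Issuer: $($leaf.Issuer)   Expires: $($leaf.NotAfter)"

# Check that the intermediates link the server certificate to a trusted
# root. Revocation checking is switched off so that only the chain
# structure is tested and no network access is needed.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
[void]$chain.ChainPolicy.ExtraStore.AddRange($bundle)
if ($chain.Build($leaf)) {
    "Chain OK: $($chain.ChainElements.Count) certificates"
} else {
    $chain.ChainStatus | ForEach-Object { "Chain problem: $($_.StatusInformation.Trim())" }
}
```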

Wrapping It Up

Getting your IIS website secured involves generating a precise request and then obtaining the issued certificate files. By following the steps to generate the CSR with the built-in IIS tools and understanding how to download the SSL certificate files (preferably in P7B format) from your Certificate Authority, you pave the way for a smooth installation. Always ensure the information provided in the CSR is accurate and keep track of both the generated CSR and the downloaded certificate files.

Ready to get started? Generate your CSR and then visit SSLRepo to order your trusted SSL certificate.

Frequently Asked Questions (FAQ)

Q1: I generated the CSR but lost the .txt file. Can I still download and install the certificate?
A: Yes. The CA received the CSR data when you submitted it. The crucial part remaining on your server is the pending request in IIS, which holds the private key. As long as that pending request is intact, you can download the issued certificate from the CA and use it to complete the request in IIS. You don’t technically need the original CSR .txt file after submission.

Q2: What download format is best for IIS?
A: PKCS#7 (.p7b or sometimes .spc) is generally the most convenient format for IIS. It bundles your certificate and the necessary intermediate certificates into one file, simplifying the installation via the “Complete Certificate Request” wizard. If unavailable, download the individual .crt or .cer files.

Q3: Can I download the SSL certificate files to my local computer instead of directly onto the server?
A: Absolutely. You can download the certificate files (.p7b, .crt, etc.) to any computer and then securely transfer them to the Windows Server where you generated the CSR and where the pending request exists. The installation (“Complete Certificate Request”) must happen on that specific server.

Q4: Does the downloaded certificate file contain my private key?
A: No. Standard certificate files provided by CAs (.crt, .cer, .p7b) only contain the public certificate(s) and the CA’s signature. Your private key remains securely stored on the server where you generated the CSR, linked to the pending request in IIS. Only if you later export the installed certificate with its private key from IIS (as a .pfx file) will you have a file containing the private key.

Q5: My CA sent me several .crt files (domain, intermediate, root). Which one do I use in IIS?
A: When using the “Complete Certificate Request…” wizard in IIS, you point it to your domain’s certificate file (e.g., yourdomain.crt). You then typically need to import the intermediate .crt file(s) separately into the “Intermediate Certification Authorities” certificate store on the server (using MMC or the Certificate Import Wizard). The root is usually already trusted. Using a .p7b download avoids this extra step for intermediates.
