Every couple of years, right around this time of year, I get the wonderful task of taking care of a handful or so certificate requests that need to be created due to expiry. Not that this is an overly difficult job, nor is it very technical at all – it’s a simple thing really! That said, we have a number of different platforms and OSes from which we need to generate these CSRs – some Windows and IIS, some Linux and Apache – even some Apache on Windows! It can get to be quite cumbersome at times… Again, this isn’t the most technical of things but I’ve made a promise to myself to blog more about the day to day sysadmin type stuff from now on – so with that, let’s take a quick look at how we generate a CSR on both Windows (running IIS) and Linux (running Apache/OpenSSL).
Windows and IIS
First up is IIS and Windows. Now I know there are ways to do this through the command line using the “certreq” command – however I refuse to learn this 🙂 Honestly, I want to see Microsoft take this functionality and build some PowerShell cmdlets around it – when they do that I’ll explore it – but for now, it’s all through the GUI for me!
In order to generate a CSR for a certificate hosted on IIS on Windows we need to go into the IIS Manager. From here, we simply select the server name from the left-hand side and click the “Server Certificates” icon in the middle management pane.
From there, simply click ‘Create Certificate Request…’ in the Actions pane.
Now we should be presented with a dialog box requiring a little bit of information. If you want a little explanation of each attribute required for the CSR have a look in the Linux section below – this information is common between both platforms. So, enter your common name and company information and click ‘Next’.
The next few screens just prompt for security settings and encryption algorithms – go ahead and fill those out accordingly. Most commonly we see 2048-bit keys – at least that is what we have been using :). After a few nexts/finish you should be prompted to save your file – go ahead and do so! It’s the text inside that file that you will need to give to the authority issuing your certificate – it should look similar to what is shown below in the Linux section…
Linux and Apache
To be honest, this is more of my comfort zone when generating CSRs. Now there are many ways to do this within Linux using the openssl command – and also quicker ways, as you can pass most of the information required as parameters on the command line. That said, I’ve always opted to enter this information in at a prompt – so the general command I issue is as follows….
openssl req -new -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr
Keep in mind, you will need to enter the following information into the CSR…
- Country Name – 2 letters that represent the country where your organization is registered, see here. In my case, CA
- State or Province Name – Full representation of the Province/State in the above country. In my case, Ontario.
- Locality Name – Full representation of the city in the above Province/State. In my case, Toronto.
- Organization Name – The full representation or legal name of your organization. In my case, mwpreston dot net
- Organizational Unit Name – A department or a “doing business as” name if you have one. In my case, I leave this blank.
- Common Name – the fully qualified domain name, or FQDN of the domain you are trying to secure. In my case, mwpreston.net.
- Email Address: – an email contact in regards to the certificate. In my case, firstname.lastname@example.org.
- Challenge Password – an optional password/phrase that can be attached to the CSR and certificate. This provides additional security. I don’t often provide this information.
- Optional Company Name – just what it says, another field to place in yet another company name. I also often leave this blank.
Once complete we should be left with two files. The first is our .key file, which is used on the server hosting the certificate; we will have to point Apache to this key file along with our certificate after we receive it from the trusted authority. The second is our .csr file, which we will need in order to obtain the mentioned certificate. If we open up our .csr file we will see our certificate request in plain text. Quite often we need to copy/paste this text into the interface provided by whoever is issuing the certificate. In the end, it should look similar to what is shown below….
-----BEGIN CERTIFICATE REQUEST-----
Bunch of garbly gook!
-----END CERTIFICATE REQUEST-----
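The post notes that most of the prompted values can be passed as parameters. As an added example (not from the original post), the script below does that with -subj and then checks the result before the CSR is handed to the issuing authority: the self-signature verifies, the CSR carries the public key of the .key file, and the unencrypted key is readable by its owner only. The function names and the scratch directory are assumptions; the subject values are the ones listed above.

```sh
#!/bin/sh
# Added example: non-interactive CSR generation plus pre-submission checks.
# Function names are hypothetical; subject values come from the list in the post.

# gen_csr BASENAME SUBJECT -> writes BASENAME.key and BASENAME.csr
gen_csr() {
    # umask 077 in a subshell: the unencrypted (-nodes) key is owner-only from creation.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$1.key" -out "$1.csr" -subj "$2" ) >/dev/null 2>&1
}

# Succeeds only if the CSR's self-signature verifies and its public key
# is the one derived from the private key file.
csr_matches_key() {
    # Match on the message text; some openssl builds exit 0 even on a bad signature.
    openssl req -in "$1.csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    [ "$(openssl req -in "$1.csr" -noout -pubkey)" = \
      "$(openssl pkey -in "$1.key" -pubout 2>/dev/null)" ]
}

# Print the Common Name and the key size recorded in the CSR.
csr_cn()   { openssl req -in "$1" -noout -subject -nameopt RFC2253 |
             sed -n 's/.*CN=\([^,]*\).*/\1/p'; }
csr_bits() { openssl req -in "$1" -noout -text |
             sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'; }

# Succeeds if group and other have no access to the key file.
key_is_private() {
    case "$(ls -l "$1")" in -r[w-]-------*) return 0 ;; *) return 1 ;; esac
}

# Demo in a scratch directory so no existing domain.key is overwritten.
demo_dir=$(mktemp -d)
gen_csr "$demo_dir/domain" \
    "/C=CA/ST=Ontario/L=Toronto/O=mwpreston dot net/CN=mwpreston.net"
if csr_matches_key "$demo_dir/domain" && key_is_private "$demo_dir/domain.key"; then
    echo "OK: CN=$(csr_cn "$demo_dir/domain.csr")," \
         "$(csr_bits "$demo_dir/domain.csr")-bit key"
else
    echo "CSR check failed" >&2
fi
rm -rf "$demo_dir"
```

Only the .csr file goes to the issuing authority; the .key file stays on the server.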
And that’s it! Like I said before, not the most technical of posts, but surely someone can find some use in it – even if it’s me! Thanks for reading!