Offline certificate creation with Windows Server 2008 CA
Published: 10/20/2012 1:25:57 PM
I recently faced the task of submitting an offline certificate request from IIS to a CA running on Windows Server 2008. Since there were some tricky bits in completing this task, I decided to document the steps I took.
1. Open IIS Manager and double-click the "Server Certificates" icon.
2. Click the "Create Certificate Request..." link in the Actions panel.
3. You will now be asked to enter information such as common name and organization for the certificate. Enter suitable information and press "Next" when done.
4. The next step is to specify the cryptographic service provider. Select a suitable provider and bit length for the key and press "Next" to continue.
5. The final step in the request wizard is to specify a file name for the request. The file extension ".req" can be used for this file. Press "Finish" to complete the wizard.
6. Now that the actual request has been created, we need to submit it to the CA. To do this, make sure that the file is accessible from the CA (for example by copying it to its file system) and start the Certification Authority administrative tool. Once it has started, right-click the CA in the left-hand tree and select "All Tasks" > "Submit new request...".
7. Select the request file that you created previously.
8. The certificate request should now appear under the "Pending Requests" node. Please note that I have re-arranged the columns in the screenshot below to show "Request ID" and "Request Common Name"; your columns may be arranged differently.
9. After you have inspected the request and determined that it is valid, you have to issue it. To issue the certificate, right-click the request and select "All Tasks" > "Issue".
10. The certificate is now issued by the CA, but IIS does not know this yet. We need to return the issued certificate to IIS in order to complete the request. To extract the certificate from the CA, open a command prompt as Administrator and execute the following command:

    certreq.exe -Retrieve [Request ID] [certificate output path]

    [Request ID] is the ID your request was given by the CA when you submitted it (see step 8). [certificate output path] is the path where the extracted certificate will be placed when the command completes.
11. If you are asked which CA you want to use, select the appropriate one and press "OK".
12. If the extraction succeeded, you will get a message that the certificate was retrieved, like this.
13. Transfer the extracted certificate back to the server running IIS and return to IIS Manager. In the "Server Certificates" feature, select the "Complete Certificate Request..." link in the Actions panel.
14. Select the certificate file that was transferred from the CA and enter a friendly name. Press "OK" when done.
15. The new certificate should now appear in the list of server certificates.
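For the certreq.exe retrieval step, here is an added PowerShell example (not code from the original post) that runs on the CA, fetches the issued certificate by request ID without the CA-selection prompt, and checks what was issued before it is copied to the IIS host; the CA config string, file path and common name are assumptions.

```powershell
# Added example, not from the original post. Runs on the CA host.
# Retrieves the issued certificate with certreq.exe and sanity-checks it
# before it is transferred back to IIS. All names and paths are assumptions.
param(
    [Parameter(Mandatory = $true)][int] $RequestId,                  # ID shown under "Pending Requests"
    [string] $CAConfig   = 'ca01.example.local\Example Issuing CA',  # assumed "host\CA name"
    [string] $OutFile    = 'C:\Temp\webserver.cer',                  # certificate output path
    [string] $ExpectedCN = 'www.example.local'                       # CN entered in the IIS wizard
)

# Same retrieval as in the post; -config names the CA so certreq does not prompt for it.
& certreq.exe -retrieve -config $CAConfig $RequestId $OutFile
if ($LASTEXITCODE -ne 0) { throw "certreq -retrieve failed with exit code $LASTEXITCODE" }

# Inspect what the CA actually issued before trusting it on the web server.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $OutFile

# Wrong request ID is the easiest mistake to make: verify the subject first.
if ($cert.Subject -notmatch "CN=$([regex]::Escape($ExpectedCN))") {
    throw "Subject '$($cert.Subject)' does not contain CN=$ExpectedCN; wrong request ID?"
}

# 2.5.29.37 is the Extended Key Usage extension; 1.3.6.1.5.5.7.3.1 is Server Authentication.
# A web server certificate issued from a template without it is useless to browsers.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if (-not $eku -or ($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -notcontains '1.3.6.1.5.5.7.3.1') {
    throw 'Issued certificate lacks the Server Authentication EKU; check the CA template.'
}

# Build the chain here so a missing intermediate is found now, not in the browser later.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw 'Chain does not validate on this host; the IIS host will need the CA chain as well.'
}

Write-Host "OK: $($cert.Subject), thumbprint $($cert.Thumbprint), valid until $($cert.NotAfter)"
Write-Host "Copy $OutFile to the IIS host and use 'Complete Certificate Request...'."
```

After completing the request on the IIS host, confirm that the entry in Cert:\LocalMachine\My with that thumbprint reports HasPrivateKey as True; if it does not, the certificate was not paired with the pending request's key and cannot be used for an HTTPS binding.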