Creating Certificates - Creating CSR requests - Part One

Updated on December 8th, 2022

This article covers how to create a CSR (certificate signing request) so that a client can produce a CRT certificate for installation.

We will assume we only know certain information about the certificate request and that we are using an on-site Windows server to generate it. We will also assume that a certificate with additional SANs (subject alternative names) is required.

Resolution

First, we need to know the FQDN of each server for which we want to generate an SSL certificate request.

These will include:

  • Curator Service host
  • IIS Curator Gateway host
  • IIS Streaming host, if different from the above (not needed if proxies will be served from S3 buckets directly)

Most clients will have an internal FQDN, such as curator01.internal. Although we can add this as a SAN, we want to create the cert based on the web address the end user will access it against.

Most clients in this scenario will have aliases in DNS to resolve the server for clients/end users, and direct hostnames for engineers such as IPV.

We want to use curator.company.com instead of curator01.internal.

Since we will be creating a request that can include SANs, we will include both addresses but focus on the end-user alias over the internal name.

We also want to add the "wildcard" domain to the SAN list. This is optional, but where wildcards can be issued, we want to add them to the SAN list of our cert.

E.g. the wildcard would be *.company.com and not *.internal.com.

Be sure to use the correct domain in this scenario: if the alias is curator.ipv.company.com, the wildcard needs to be *.ipv.company.com and not *.company.com. A wildcard only covers one label, so each subdomain level is a completely different name and needs to be included.

Once you have determined the name of the cert and the SANs to be associated with it, you will need to get some more information from the client. Typically they will have a requirement for "organisation" or other fields of the certificate that has to be quite specific. Make sure to check this with them, so that when they take the CSR from you, they can generate a CRT/CER correctly.

 E.g.

Name (friendly name): curator.company.com

SANs: curator.company.com, curator01.company.internal, *.company.com

Organisation: Company Name, Inc

There may be more fields they want populated; make sure these are as accurate as possible, and make a note of them.

 Step One:

MMC -> Certificates(Local Computer) -> Right-click on the Personal folder -> All Tasks -> Advanced Operations -> Create Custom Request 

[Screenshot: mceclip0.png]

Step Two:

Choose the option "Proceed without Enrollment policy"; this is selectable.

[Screenshot: mmc_step_two.png]

 Step Three:

Leave the Template at the default; it may suggest a legacy option, which is also fine. Be sure to choose PKCS#10 as the Request format, though!

[Screenshot: mmc_step_three.png]

 Step Four:

In the next window, expand the Details drop-down arrow and select the Properties button.

[Screenshot: mmc_step_four.png]

 Step Five:

Next, we want to set the name (friendly name) of our certificate. I recommend using the FQDN you want end users to use when browsing the site/service, so if the certificate is for curator.company.com, use this as the friendly name. You don't need a description. As you work through the rest of this step, remember to apply any change before moving to the next tab; changes can be lost otherwise.

[Screenshot: mmc_step_five.png]

 Step Six:

On the next tab, "Subject", we need to do a few things, but we MUST populate the following:

  • Common name: fully qualified domain name for which the certificate is to be issued
  • Country: 2-letter country code compliant with ISO 3166. The correct code can be checked here.
  • State: name of the state or region; can be the same as the city name
  • Locality: city name
  • Organization: company name should be specified here

Do this in the Subject name section (we will do the Alternative name section shortly after), populating each part using the drop-downs:

[Screenshot: mmc_step_six_a.png]

which should end up looking like this:

[Screenshot: mmc_step_six_b.png]

Now we want to add the SANs to the Alternative name list. To do so, select type "DNS" and add the values; in our case, for curator.company.com, we would add that along with curator01.company.internal and *.company.com.

If you have any issues adding values to either the subject name or alternative names, typically an error referencing X500 formatting (as I had with the organisation value), please note:

Organisation value is: Company Name, Inc

Needs to be entered as: "Company Name, Inc" because the comma is a special character in X.500 names and will otherwise result in an error.

Next, in the Extensions tab, we want to set what the key will be used for. Be sure to apply changes before going to this tab!

Here we want to leave the settings mostly at their defaults and just select "Server Authentication" from the drop-down and add it; not Client Authentication as shown below (I'll probably change this image):

[Screenshot: mmc_step_six_c.png]

 Apply the changes!

In the Private Key tab we want to set the security level of our certificate and the Provider. By default the Cryptographic Service Provider in the first section should be RSA. Depending on the client, you can check what they may want to use, but the default should be RSA, so on a typical CSR generation you won't need to change this value:

[Screenshot: mmc_step_six_d.png]

Next, expand the Key options. This is very important!

The key size is typically 2048 bits, the industry standard at the time of writing. This is subject to change and the client may want to increase it; larger keys may cause slow web page loading, but 2048 is what we are after at the time of writing.

You also want to make sure that you select "Make private key exportable".

[Screenshot: mmc_step_6_e.png]

Click Apply one more time, and then the OK button.

This will return us to the previous window, where we can click next.

 Step Seven:

Here we want to set the name of the CSR file. Typically I would recommend the same name that you want to identify the CSR by, such as the friendly name of the certificate.

You can select where this CSR file can be saved using the browse button.

Be sure to change the extension name to .csr

e.g. c:\curator.company.com.csr

 Also be sure to change the File format to Base 64!!

[Screenshot: mmc_step_seven.png]
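As an added example that is not part of the original article, the same request can be produced non-interactively with certreq.exe and an INF file, mirroring every setting chosen in Steps One to Seven (PKCS#10, RSA 2048, exportable key in the Local Computer store, Server Authentication EKU, the three SANs). The file paths and the L/S/C subject values are assumptions; substitute the client's values.

```powershell
# Added example (not from the original article): the same CSR built
# non-interactively with certreq.exe, mirroring the wizard's settings.
# Paths and the L/S/C subject values are assumptions; fill in the client's.
$Name = 'curator.company.com'
$Inf  = "C:\$Name.inf"
$Csr  = "C:\$Name.csr"

# INF rule (assumed to hold for certreq): a literal quote inside a quoted
# value is written as two quotes, so O=""Company Name, Inc"" keeps the comma
# from being read as an X.500 separator, as the article notes for the MMC dialog.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$Name, O=""Company Name, Inc"", L=PLACEHOLDER_CITY, S=PLACEHOLDER_STATE, C=GB"
FriendlyName = "$Name"
KeyAlgorithm = RSA
; 2048-bit key, the industry standard at the time of writing
KeyLength = 2048
HashAlgorithm = sha256
; "Make private key exportable", key stored in the Local Computer store
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
KeySpec = 1
; Digital Signature + Key Encipherment
KeyUsage = 0xA0
; PKCS#10 request, written Base64-encoded
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Server Authentication only; no Client Authentication
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; Subject Alternative Name: end-user alias, internal name, wildcard
2.5.29.17 = "{text}"
_continue_ = "dns=$Name&"
_continue_ = "dns=curator01.company.internal&"
_continue_ = "dns=*.company.com"
"@ | Set-Content -Path $Inf -Encoding ASCII

# Creates the private key in the Local Computer's Certificate Enrollment
# Requests store and writes the CSR, exactly as the MMC wizard does.
certreq.exe -new $Inf $Csr

# Review the request before handing it to the client: check that CN, SANs,
# key size and EKU match what was agreed.
certutil.exe -dump $Csr
```

Run from an elevated PowerShell prompt, since MachineKeySet writes to the Local Computer store.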

This concludes CSR creation. However, there is a sub-section we need to consider, especially when working with Windows MMC snap-in requests, and that is the private key.

When making requests this way, the private key is generated on the server you make the request on. This matters if you want to put the certificate on OTHER servers, which will be covered in Part Two of the guide. To get the private key, do the following.

Sub Section: Private Key extraction

Windows systems do not allow retrieving the private key in plain text.

When an SSL certificate is imported, either through MMC or IIS, the matching private key is bound to the certificate automatically, provided the certificate is imported on the same instance the key was generated on.

But if we need the private key, for example to install the certificate on another server, there is an option to export the key in a password-protected file (PFX or PKCS12 format). To do so, open the MMC Certificates snap-in as follows:

Win+R > mmc.exe > OK > File > Add/Remove Snap-in > Certificates > Add > Computer account > Next > Local computer > Finish > OK

Then navigate to Certificate Enrollment Requests > Certificates (if the certificate request was not completed) or Personal > Certificates (if the certificate request was already completed) folder, right-click on the certificate entry and click All Tasks > Export to open the export wizard.

[Screenshot: mmc_sub.png]
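The export wizard steps above, as an added PowerShell example that is not part of the original article: it looks in both stores the article names (Certificate Enrollment Requests for a pending request, Personal once the CRT has been installed) and writes a password-protected PFX. The output path is an assumption.

```powershell
# Added example (not from the original article): export the entry and its
# private key to a password-protected PFX instead of using the export wizard.
# The output path is an assumption.
$Name = 'curator.company.com'

# A request that has not been completed still sits in the Certificate
# Enrollment Requests store (REQUEST); once the CRT is installed, the entry
# is in Personal (My). Only entries that actually hold a private key qualify.
$Cert = Get-ChildItem -Path Cert:\LocalMachine\My, Cert:\LocalMachine\REQUEST |
        Where-Object { $_.Subject -like "CN=$Name*" -and $_.HasPrivateKey } |
        Select-Object -First 1
if (-not $Cert) { throw "No entry with a private key found for $Name" }

# The PFX holds the private key, so it must be password-protected; prompt
# for the password rather than hard-coding it in a script.
$Pwd = Read-Host -Prompt 'PFX password' -AsSecureString

# EndEntityCertOnly: export only this entry and its key. The provider's CER
# and the intermediaries are combined with it in Part Two.
Export-PfxCertificate -Cert $Cert -FilePath "C:\$Name.pfx" -Password $Pwd `
    -ChainOption EndEntityCertOnly | Out-Null
```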

This exported key file can be combined with the CER or CRT sent back to you by your provider, along with the intermediary certificates, to create a PFX that contains the certificate, the intermediaries and the private key, so that the certificate can be installed on other servers. This is done for trust purposes; see Part Two.
