How to Generate a CSR for SSL Certificates on Windows

Get Started

If you are requesting a certificate for an application or server that runs Internet Information Services (IIS) on a Windows server in the Texas State data center, you may request that ITAC set up the certificate for you. In this case, please include this request in the CSR field of the Secure Sockets Layer (SSL) Certificate Request.

NOTE: ITAC cannot set up the certificate if it is application-based or uses Tomcat or Apache certificates.


Method 1 - Automatic

These instructions will generate a certificate automatically on a TXST-hosted Microsoft Windows Server running IIS (Internet Information Services) without having to use a request form.

At any time, you may submit a service request to have an IIS certificate automatically generated. Please note that Apache and Tomcat are not supported for automation and require Method 2 for manual signing.

NOTE: All domain names specified must be valid DNS records that resolve to the server you’re running certbot on. 

EXAMPLE: webfiles.txstate.edu can request a certificate for webfiles.txst.edu, but not www.txst.edu.

  1. Open the command line as administrator
  2. Navigate to the win-acme directory below: 

    cd C:\TXSTSysOps\win-acme
  3. Type wacs.exe and hit the enter key.
  4. Select n for Create Certificate.
  5. Select the IIS website you wish to automate. For this example, we used 1.

    NOTE: If the host name field in the IIS binding is empty, then this list will not populate.
  6. Select all bindings using menu option A.
  7. Continue with the selection by entering yes.
  8. Enter yes to open in default application, then enter yes if you agree to the terms of service.
  9. Enter the TXST email address(es) to be notified about any problems with the certificate automation.
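
The two preconditions noted above (every requested name must resolve to this server, and a binding with an empty host name keeps the site out of the selection list) can be checked before starting wacs.exe. The PowerShell script below is an added example, not part of win-acme or of the original instructions; it assumes the WebAdministration module installed with IIS and that DNS points at the server's own addresses rather than at a load balancer or NAT address.

```powershell
# Added example: pre-flight check for Method 1. Run in an elevated PowerShell session.
Import-Module WebAdministration

# Addresses assigned to this server's network interfaces (loopback excluded).
$localIps = @(Get-NetIPAddress |
    Where-Object { $_.IPAddress -notin '127.0.0.1', '::1' } |
    ForEach-Object { ($_.IPAddress -split '%')[0] })   # drop the IPv6 zone suffix

$results = foreach ($site in Get-Website) {
    foreach ($binding in $site.Bindings.Collection) {
        if ($binding.protocol -notin 'http', 'https') { continue }

        # bindingInformation is "IP:port:hostname"; the host name is the last field.
        $hostName = ($binding.bindingInformation -split ':')[-1]

        if ([string]::IsNullOrWhiteSpace($hostName)) {
            # Matches the NOTE in step 5: no host name, so the site is not listed.
            $status   = 'EMPTY HOST NAME'
            $resolved = @()
        }
        else {
            # Keep only address records; CNAME entries in the answer are skipped.
            $resolved = @(Resolve-DnsName -Name $hostName -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'A' -or $_.Type -eq 'AAAA' } |
                ForEach-Object { $_.IPAddress })

            if ($resolved.Count -eq 0) { $status = 'NO DNS RECORD' }
            elseif ($resolved | Where-Object { $_ -in $localIps }) { $status = 'OK' }
            else { $status = 'RESOLVES ELSEWHERE' }
        }

        [pscustomobject]@{
            Site     = $site.Name
            Binding  = $binding.bindingInformation
            HostName = $hostName
            Resolved = $resolved -join ', '
            Status   = $status
        }
    }
}

$results | Format-Table -AutoSize
```

Any row whose Status is not OK identifies a binding to correct in IIS or DNS before requesting the certificate.
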

Method 2 - Manual

  1. Launch the Server Manager
  2. Click Tools and select Internet Information Services (IIS) Manager.
  3. In the Connections tab, click the server name for which you want to generate the CSR.
  4. Double-click Server Certificates.
  5. Click on the Actions tab and then click Create Certificate Request....
  6. Enter the following Distinguished Name Properties, and then click Next.

    NOTE: The following characters are not accepted when entering information: < > ~ ! @ # $ % ^ * / \ ( ) ? &

    Common Name — The fully-qualified domain name (FQDN) — or URL — for which you plan to use your certificate (the area of your site you want customers to connect to using SSL).

    NOTE: An SSL certificate issued for www.coolexample.com is not valid for secure.coolexample.com. If you want your SSL to cover secure.coolexample.com, make sure the common name submitted in the CSR is secure.coolexample.com.
     
  7. In the Organization field, enter Texas State University.
  8. Leave the Organizational Unit field blank.
  9. In the City/Locality field, enter San Marcos.
  10. In the State/Province field, enter Texas.
  11. In the Country field, enter US.
  12. For the Cryptographic service provider field, click Microsoft RSA SChannel Cryptographic Provider.
  13. For the Bit Length field, click 2048 or higher, and click Next.
  14. Click , enter the location and file name for your CSR, and then click Finish.
  15. Open the CSR file you just saved and use the contents of this file as your CSR Request.