Installing a new certificate on IIS running on Server Core

Step 1: Create a request.inf file with the following contents

;--- request.inf ---

[Version]
Signature="$Windows NT$"

[NewRequest]
; Replace Country with the 2-letter ISO code for your country
; Replace State with your state or province, without abbreviation
; Replace City with your city
; Replace Organization with your company
; Replace Organizational_Unit with your department, or remove OU=Organizational_Unit entirely
; Replace www.example.com with the hostname you're requesting a certificate for
; For a wildcard SSL certificate, this would be *.example.com
Subject = "CN=www.example.com, OU=Organizational_Unit, O=Organization, L=City, S=State, C=Country"
; Key Exchange (AT_KEYEXCHANGE) - the key can be used for encryption
KeySpec = 1
; 2048 bits minimum, 3072 or 4096 are valid too
KeyLength = 2048
; Needed if you need to export the certificate to another server
Exportable = TRUE
; Indicates a server certificate, not a user certificate
MachineKeySet = TRUE
; Not an e-mail certificate, so no S/MIME capabilities extension
SMIME = False
; Do not prompt for a password when the key is used (a service cannot answer a prompt)
UserProtected = FALSE
; Generate a new private key
UseExistingKeySet = FALSE
; RSA key
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
; PROV_RSA_SCHANNEL, the provider type matching the provider above
ProviderType = 12
; Standard format for CSRs
RequestType = PKCS10
; Digital signature (0x80) and key encipherment (0x20)
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
; Server authentication
OID=1.3.6.1.5.5.7.3.1

;------------------------------

After editing this file, create the request:

certreq -new request.inf request.csr

Now that you have created the request, submit it to your certificate authority. If you run your own certificate authority on Windows, try the following:

certreq -submit -attrib "CertificateTemplate:WebServer" "[path to your request.csr file]"

Save the new certificate as request.cer (or whatever you want to name it).

Import the issued certificate on the server; this pairs it with the private key generated in step 1:

certreq -accept request.cer

Note down the thumbprint value; you will need it in the next step. Also, this command does not let you choose a specific certificate store location. Instead it puts the certificate into the Personal store of the local machine, shown as "Cert:\LocalMachine\My" below.

Now all that's left is to set the binding. If you haven't changed anything on a default install, there will be no https binding, so we just create a new one.

New-IISSiteBinding -Name "Default Web Site" -BindingInformation "*:443:[hostname]" -CertificateThumbPrint "[fingerprint of cert]" -CertStoreLocation "Cert:\LocalMachine\My" -Protocol https

Note: replace [hostname] with your fully qualified domain name, e.g.

New-IISSiteBinding -Name "Default Web Site" -BindingInformation "*:443:cptr230a.scot.local" -CertificateThumbPrint "[fingerprint of cert]" -CertStoreLocation "Cert:\LocalMachine\My" -Protocol https
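The binding step as an added PowerShell example (not part of the original page): it locates the certificate that certreq -accept installed, checks it before use, then creates the binding and reads it back. $Hostname and $SiteName are assumed placeholder parameters; the EKU OID and the 2048-bit minimum are the values set in request.inf above.

```powershell
# Added example, not part of the original wiki page. It assumes the certificate
# was already installed with "certreq -accept" into Cert:\LocalMachine\My and
# that the IISAdministration module is present. $Hostname and $SiteName are
# placeholder parameters; Default Web Site and the store path come from the page.
param(
    [string]$Hostname = "www.example.com",
    [string]$SiteName = "Default Web Site"
)
Import-Module IISAdministration

# Find certificates in the local machine's Personal store whose subject CN
# matches the hostname, as requested in the Subject line of request.inf.
$cnPattern = "CN=$([regex]::Escape($Hostname))(,|$)"
$certs = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -match $cnPattern }
if (-not $certs) { throw "No certificate with CN=$Hostname in Cert:\LocalMachine\My" }

# Take the newest one and check it before binding: the private key must be
# present, the EKU must include Server Authentication (1.3.6.1.5.5.7.3.1, as in
# the .inf), the RSA key must be at least 2048 bits and it must be valid now.
$cert = $certs | Sort-Object NotBefore -Descending | Select-Object -First 1
$eku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
$hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.1" })
$now = Get-Date
if (-not $cert.HasPrivateKey)             { throw "$($cert.Thumbprint) has no private key" }
if (-not $hasServerAuth)                  { throw "$($cert.Thumbprint) lacks the Server Authentication EKU" }
if ($cert.PublicKey.Key.KeySize -lt 2048) { throw "$($cert.Thumbprint) key is shorter than 2048 bits" }
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { throw "$($cert.Thumbprint) is not valid today" }

# Create the https binding with the same call the page shows, using the
# thumbprint found above instead of one copied by hand.
New-IISSiteBinding -Name $SiteName -BindingInformation "*:443:$Hostname" `
    -CertificateThumbPrint $cert.Thumbprint -CertStoreLocation "Cert:\LocalMachine\My" -Protocol https

# Read the binding back and confirm IIS recorded the expected certificate hash.
$binding = Get-IISSiteBinding -Name $SiteName -Protocol https |
    Where-Object { $_.BindingInformation -eq "*:443:$Hostname" }
$bound = ([BitConverter]::ToString($binding.CertificateHash) -replace '-', '')
if ($bound -ne $cert.Thumbprint) { throw "Binding shows $bound, expected $($cert.Thumbprint)" }
"https binding for $Hostname uses certificate $($cert.Thumbprint), valid until $($cert.NotAfter)"
```

Run it from an elevated PowerShell on the Server Core host after step 1 through certreq -accept have completed.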


IISInstallCertificateFromCommandLine (last edited 2021-10-28 15:46:15 by scot)