Installing a new certificate on IIS running on Server Core
Step 1: Create a request.inf file from the template below
;--- request.inf ---
[Version]
Signature="$Windows NT$"

[NewRequest]
; Replace Country with the 2-letter ISO code for your country
; Replace State with your state or province, without abbreviation
; Replace City with your city
; Replace Organization with your company
; Replace Organization_Unit with your department, or remove OU=Organizational_Unit entirely
; Replace www.example.com with the hostname you're requesting a certificate for
; For a wildcard SSL certificate, this would be *.example.com
Subject = "CN=www.example.com, OU=Organizational_Unit, O=Organization, L=City, S=State, C=Country"
; Key Exchange - for encryption
KeySpec = 1
; 2048 bits minimum, 3072 or 4096 are valid too
KeyLength = 2048
; Needed if you need to export the certificate to another server
Exportable = TRUE
; Indicates a server certificate, not a user certificate
MachineKeySet = TRUE
SMIME = False
UserProtected = FALSE
; Generate a new private key
UseExistingKeySet = FALSE
; RSA key
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
; Standard of CSR's
RequestType = PKCS10
; Digital signatures and encryption
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
; Server authentication
OID=1.3.6.1.5.5.7.3.1
;------------------------------
After editing this, create the request:
certreq -new request.inf request.csr
Now that you have created the request, submit it to your certificate authority. If you are running your own on Windows, try the following:
certreq -submit -attrib "CertificateTemplate:WebServer" "[path to your request.csr file]"
Save the new certificate as request.cer (or whatever you want to name it)
Import this certificate to your server for future use.
certreq -accept request.cer
Note down the thumbprint value; you will need it in the next step. Also, certreq -accept does not give you the option to put the certificate into a specific certificate store location. Instead, it puts it into the Personal store of the local machine, designated as "Cert:\LocalMachine\My" below.
Now all that's left is to set the binding. If you haven't changed anything on a default install, there will be no https binding. So we just create a new one.
New-IISSiteBinding -Name "Default Web Site" -BindingInformation "*:443:[hostname]" -CertificateThumbPrint "[fingerprint of cert]" -CertStoreLocation "Cert:\LocalMachine\My" -Protocol https
Note: replace [hostname] with your fully qualified domain name. E.g.
New-IISSiteBinding -Name "Default Web Site" -BindingInformation "*:443:cptr230a.scot.local" -CertificateThumbPrint "[fingerprint of cert]" -CertStoreLocation "Cert:\LocalMachine\My" -Protocol https
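One way to look up the thumbprint and check the certificate before binding it, as an added PowerShell example that is not part of the original page. $HostName, $SiteName and the helper Test-BindableCertificate are assumptions made for illustration; the last part is meant to be run after New-IISSiteBinding.

```powershell
# Added example, not from the original page. $HostName and $SiteName are assumptions.
Import-Module IISAdministration

$HostName      = 'www.example.com'        # CN used in request.inf
$SiteName      = 'Default Web Site'
$StorePath     = 'Cert:\LocalMachine\My'  # where certreq -accept puts the certificate
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'      # same OID as [EnhancedKeyUsageExtension] in request.inf

# Hypothetical helper: reports the properties that decide whether a certificate can serve HTTPS
function Test-BindableCertificate {
    param([Parameter(Mandatory)] $Certificate)
    $now = Get-Date
    $eku = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    [pscustomobject]@{
        Thumbprint    = $Certificate.Thumbprint
        NotAfter      = $Certificate.NotAfter
        # False means no private key is associated with this certificate in the store
        HasPrivateKey = $Certificate.HasPrivateKey
        InValidity    = ($Certificate.NotBefore -le $now) -and ($Certificate.NotAfter -gt $now)
        # No EKU extension means the certificate is not restricted to specific purposes
        ServerAuth    = (-not $eku) -or ($eku.EnhancedKeyUsages.Value -contains $ServerAuthOid)
    }
}

# Match on the subject CN; [regex]::Escape keeps a wildcard name such as *.example.com literal
$cnPattern = 'CN=' + [regex]::Escape($HostName) + '(,|$)'
$checked = Get-ChildItem -Path $StorePath |
    Where-Object { $_.Subject -match $cnPattern } |
    ForEach-Object { Test-BindableCertificate -Certificate $_ }

# Prefer the usable certificate that expires last (old, renewed certificates may still be present)
$usable = $checked |
    Where-Object { $_.HasPrivateKey -and $_.InValidity -and $_.ServerAuth } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $usable) {
    $checked | Format-Table -AutoSize
    throw "No usable certificate for $HostName in $StorePath"
}
"Thumbprint to bind: $($usable.Thumbprint)"

# After New-IISSiteBinding has run: confirm the https binding points at that certificate
Get-IISSiteBinding -Name $SiteName -Protocol https | ForEach-Object {
    $bound = ($_.CertificateHash | ForEach-Object { $_.ToString('X2') }) -join ''
    [pscustomobject]@{
        Binding = $_.BindingInformation
        Store   = $_.CertificateStoreName
        Matches = ($bound -eq $usable.Thumbprint)
    }
}
```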