How to change the cert template that IIS 7.5 uses automatically when you choose to “Create Domain Certificate”

certificatecertificate-authorityiis-7.5

In IIS, there is an option to "Create Domain Certificate." This works great except for one problem. The template that this process uses is the "Web Server" template in the CA which has a key with only 1024 bits. I have duplicated this template and then changed the minimum key length to 2048.

I have an Enterprise CA running on Windows Server 2008 R2.

Is it possible to have all the IIS servers in my domain use the new template when going through the "Create Domain Certificate" wizard?

Best Answer

IIS's wizard will always use the Web Server template. You can't use the wizard if you want to create a certificate against a different template.

Annoying, huh?

Related Solutions

How to generate a certificate request on Windows Server 2008 for SqlServer 2008 w/o IIS installed

Use OpenSSL. It's a command line based utility that'll generate your CSR for you. It's a 2 liner, literally! Creating your key, and then creating the CSR with that key.

1. Key Generation

openssl genrsa -des3 -out filename.key 2048

This command should create a file with name filename.key in the directory from which the > command is ran. The output will be similar to:

Generating RSA private key, 2048 bit long modulus

Enter pass phrase for filename.key: 
Verifying - Enter pass phrase for filename.key:

Choose and enter a passphrase for filename.key and remember it because it will be needed later. Successful outcome of this use case is the key file generation. File filename.key can be viewed by using Notepad on Windows or text editor on Unix/Linux.

2. CSR Generation

openssl req -new -key filename.key -out filename.csr

where filename.key is the file generated previously. This command should create a file filename.csr that contains Certificate Signing Request. The output will look similar to:

Enter pass phrase for filename.key:

You are about to be asked to enter information that will be incorporated into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank.

This procedure should create file filename.csr that contains CSR in PKCS#10 format. This CSR needs to be delivered to the CA administrator.

Successful outcome of this use case is CSR file generation. File filename.csr can be viewed by using Notepad on Windows or text editor on Unix/Linux. The content of the file should be similar to:

-----BEGIN CERTIFICATE REQUEST-----

MIIB/TCCAWYCAQAwgYExCzAJBgNVBAYTAkNBMRkwFwYDVQQIExBCcml0aXNoIENv
bHVtYmlhMRIwEAYDVQQHEwlWYW5jb3V2ZXIxETAPBgNVBAoTCFRlc3QgT3JnMRUw
...snip...

How to Grant IIS 7.5 access to a certificate in certificate store

Create / Purchase certificate. Make sure it has a private key.
Import the certificate into the "Local Computer" account. Best to use Certificates MMC. Make sure to check "Allow private key to be exported"
Based upon which, IIS 7.5 Application Pool's identity use one of the following.
- IIS 7.5 Website is running under ApplicationPoolIdentity. Using Certificates MMC, added "IIS AppPool\AppPoolName" to Full Trust on certificate in "Local Computer\Personal". Replace "AppPoolName" with the name of your application pool.
- IIS 7.5 Website is running under NETWORK SERVICE. Using Certificates MMC, added "NETWORK SERVICE" to Full Trust on certificate in "Local Computer\Personal".
- IIS 7.5 Website is running under MyIISUser local computer user account. Using Certificates MMC, added "MyIISUser" (a new local computer user account) to Full Trust on certificate in "Local Computer\Personal".

To add a user to Full Trust of a certificate. Right click the certificate -> All Tasks -> Manage Private Keys

Best Answer

Related Solutions

How to generate a certificate request on Windows Server 2008 for SqlServer 2008 w/o IIS installed

How to Grant IIS 7.5 access to a certificate in certificate store

Related Topic