Use OpenSSL. It's a command line based utility that'll generate your CSR for you. It's a 2 liner, literally! Creating your key, and then creating the CSR with that key.
1. Key Generation
openssl genrsa -des3 -out filename.key 2048
This command should create a file with name filename.key in the directory from which the command is run. The output will be similar to:
Generating RSA private key, 2048 bit long modulus
Enter pass phrase for filename.key:
Verifying - Enter pass phrase for filename.key:
Choose and enter a passphrase for filename.key and remember it because it will be needed later. The successful outcome of this use case is the generation of the key file. The file filename.key can be viewed using Notepad on Windows or a text editor on Unix/Linux.
2. CSR Generation
openssl req -new -key filename.key -out filename.csr
where filename.key is the file generated previously. This command should create a file filename.csr that contains the Certificate Signing Request. The output will look similar to:
Enter pass phrase for filename.key:
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank.
This procedure should create the file filename.csr, which contains the CSR in PKCS#10 format. This CSR needs to be delivered to the CA administrator.
The successful outcome of this use case is the generation of the CSR file. The file filename.csr can be viewed using Notepad on Windows or a text editor on Unix/Linux. The content of the file should be similar to:
-----BEGIN CERTIFICATE REQUEST-----
MIIB/TCCAWYCAQAwgYExCzAJBgNVBAYTAkNBMRkwFwYDVQQIExBCcml0aXNoIENv
bHVtYmlhMRIwEAYDVQQHEwlWYW5jb3V2ZXIxETAPBgNVBAoTCFRlc3QgT3JnMRUw
...snip...
Is the certificate you're trying to import in .cer or .pfx format? If it is in .cer format, then it is an answer to a Certificate Signing Request (CSR), and it should be imported on the server where the CSR was created, in order to correctly create the key pair; failing this, you'll end up with a certificate without a private key (which is exactly what is happening).
Where did you create the certificate request? On this server or on another? Where exactly is the "Complete Certificate Request" link you're clicking?
If this indeed is the server where you created the CSR, and you're correctly asking IIS to complete it, then you could have hit this bug: http://support.microsoft.com/kb/959216.
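To check that a CSR or a returned certificate actually pairs with the private key you hold (a mismatch is what leaves you with a certificate that has no private key), compare their public keys with OpenSSL. This is an added example, not part of the original answers; the function names, file names and demo subject are hypothetical, the demo keys are unencrypted, and certificates are assumed to be PEM-encoded.

```shell
#!/bin/sh
# Added example: function and file names are hypothetical; inputs are PEM.

# Public key (SubjectPublicKeyInfo PEM) derived from a private key file.
key_pub()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
# Public key embedded in a PKCS#10 CSR.
csr_pub()  { openssl req -in "$1" -noout -pubkey 2>/dev/null; }
# Public key embedded in a PEM-encoded certificate (.cer/.crt).
cert_pub() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# matches_key <csr|cert> <file> <keyfile>
# Returns 0 if <file> carries the public half of <keyfile>, 1 if it does
# not, and 2 if either file is missing or cannot be parsed.
matches_key() {
    want=$(key_pub "$3") || return 2
    case "$1" in
        csr)  got=$(csr_pub "$2")  || return 2 ;;
        cert) got=$(cert_pub "$2") || return 2 ;;
        *)    return 2 ;;
    esac
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# Constructed demo material: two unrelated keys, a CSR from the first, and
# a self-signed certificate standing in for the CA's reply to that CSR.
make_demo() {
    d=$1
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null &&
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null &&
    openssl req -new -key "$d/server.key" -subj "/CN=demo.example" \
        -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -signkey "$d/server.key" \
        -days 1 -out "$d/server.cer" 2>/dev/null
}

# Run the demo with: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && make_demo "$d" || exit 2
    matches_key cert "$d/server.cer" "$d/server.key" && echo "server.key: match"
    matches_key cert "$d/server.cer" "$d/other.key"  || echo "other.key: no match"
    rm -rf "$d"
fi
```

For a passphrase-protected key such as the one created with -des3 above, openssl pkey will ask for the passphrase before it can derive the public key.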
Best Answer
It sounds to me like the certificate request (and therefore the private key) was not generated on your webserver. Is that correct?
If it is correct then you will need a certificate with a private key in order to install it. This is the certificate in pfx format as you correctly identify.
The .p7b file will not have a private key.
Alternatively you can generate the certificate request yourself using the following mechanism:
Create an INF file as follows:
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject="etc"
KeySpec=1
Exportable=1
MachineKeySet=TRUE
ProviderName="CSPName"
ProviderType=1
[RequestAttributes]
CertificateTemplate=
Then use the following commands at the command prompt
certreq -new infile.inf reqfile.req
where infile.inf is the file above and reqfile is the output request file.
Send this output request to the guys who issue your certificates and you will get the correct p7b back that will install.
Regards
Mark Sutton
http://www.blacktipconsulting.com