I've been shown how to generate .csr files by using OpenSSL and have successfully created, converted and installed the signed certificates (.pfx files) onto some of our web servers with IIS 10.
I've now been shown by someone else how to generate .csr files directly from one of our other web servers – using the 'Create Certificate Request' function that is available in IIS 10. However – using this method, I didn't have to create a .pfx file, and I was able to install the downloaded signed certificate onto IIS without having to convert anything. So it was a lot quicker doing it this way – however, I don't understand why this method was used in this instance and not OpenSSL. Is the end result different? Can someone enlighten me please?
Best Answer
If you use the IIS console's Create Domain Certificate... option, you can only request a certificate using Microsoft ADCS's built-in Web Server template. This template has very limited capabilities and does not include the Subject Alternate Name extension mandated by all modern browsers, and also includes the S/MIME Capabilities extension which is not required for web server certificates. As this is a version 1 template you cannot change any of these.

If you opt instead to use the IIS console's Create Certificate Request... option you'll create a request which can be saved to disk. You can now submit the request to any CA. If you opt for Windows ADCS you can use the certreq.exe utility with the -attrib "CertificateTemplate:<template short name>" option to specify a different template. You can even use some geekiness to add a Subject Alternate Name extension (or any other extension) to the request, but it takes some effort and an understanding of the internal workings of X.509 certificates!

If you use OpenSSL to create the certificate request, you can ask for any field or extension that OpenSSL is capable of creating - which near enough covers everything. You can submit this to the ADCS CA with certreq.exe or submit the request to a non-Windows CA. On receipt of the certificate you need to pair it up with its private key to create the PKCS#12 (or PFX) file which you import into the server. This is rather convoluted, but your certificate request can be quite flexible if required.

However, an easier option (which it seems you weren't shown) would be to request the certificate using the server (not IIS) certificate management console (certlm.msc from the Run dialogue) where you can request a certificate using any enabled template (not just Web Server). If this template is configured correctly by the ADCS admins you'll get a certificate with an appropriate Subject Alternate Name extension, no S/MIME Capability extension and the correct key usages for a web server, which you can then simply bind to the website using IIS's console. This is both flexible and convenient.
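An end-to-end version of the OpenSSL-plus-certreq route the answer describes, as an added example that is not part of the original answer: it builds a CSR that carries its own SAN extension, checks the extension is present before submission, submits with a non-default template, and pairs the result with the key into a PFX. The CA name, template short name and hostnames are placeholders, and openssl.exe is assumed to be on the PATH.

```powershell
# Added example, not from the original answer. Assumes openssl.exe and certreq.exe are on PATH
# and that the CA, template and hostnames below are replaced with your own (all are placeholders).
$Fqdn     = "web01.example.com"              # constructed sample hostname
$CaConfig = "CAHOST\Example-Issuing-CA"       # placeholder: your ADCS CA as "<host>\<CA name>"
$Template = "CustomWebServerV2"               # placeholder: short name of a non-v1 template
$KeyFile  = "$Fqdn.key"; $CsrFile = "$Fqdn.csr"; $CerFile = "$Fqdn.cer"; $PfxFile = "$Fqdn.pfx"

# 1. OpenSSL config that asks for the SAN and web-server key usages inside the CSR itself.
@"
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
CN = $Fqdn

[ v3_req ]
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$Fqdn, DNS:www.example.com
"@ | Set-Content -Path .\san.cnf -Encoding ascii

# 2. Generate the private key and the CSR locally; the key never leaves this machine.
openssl req -new -newkey rsa:2048 -nodes -keyout $KeyFile -out $CsrFile -config .\san.cnf

# 3. Inspect the request before sending it: without a SAN, browsers will reject the issued cert.
$csrText = openssl req -in $CsrFile -noout -text
if ($csrText -notmatch "X509v3 Subject Alternative Name") { throw "CSR carries no SAN extension" }

# 4. Submit to ADCS with certreq, overriding the default template via -attrib.
#    The CA only honours extensions from the request if the template allows the subject
#    to be supplied in the request; otherwise it builds the name from Active Directory.
certreq -submit -config $CaConfig -attrib "CertificateTemplate:$Template" $CsrFile $CerFile

# 5. Pair the issued certificate with its key into a PKCS#12 (PFX) file for import into IIS.
#    certreq writes the certificate Base64-encoded by default, which openssl pkcs12 reads as-is.
openssl pkcs12 -export -inkey $KeyFile -in $CerFile -out $PfxFile

# 6. Confirm the issued certificate still carries the SAN (the CA may rewrite or drop extensions).
openssl x509 -in $CerFile -noout -ext subjectAltName
```

Step 6 is the check worth keeping: a CSR with a SAN does not guarantee the CA kept it, and a certificate without one will still install cleanly in IIS and only fail later in the browser.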