Cách tạo chữ ký số SSL cho HTTPS của IIS 7.5 theo dạng SAN (multiple Domain)


1. How to create a SAN certificate signing request for IIS web server?

  • Open Certificate MMC snap in for your computer

    • Click on Start – Run – MMC – File – Add/Remove Snap In – Select Certificates – Click Add – Select My Computer
  • Click on Personal – All Tasks – Advanced Operations – Create Custom request

  • Click next in Certificate Enrollment Wizard’s welcome window
  • Select “Proceed without enrollment policy” under Custom Request & click next
  • In Custom Request window Select (No template) Legacy key & PKCS #10 as request format
  • And Click Next

  • In Certificate Information Page click the Details icon then Properties. It will open up Certificate Properties window, where we can define different attributes.

  • Under Private Key, select key size. Over here I just left it as default. You may like to select 4096 for production servers.
  • Under Key Type select “Exchange

  • Under Extension tab select Extended Key Usage; add Server Authentication from the available options.

  • Under Subject Tab we will be defining our multiple DNS names for the certificate
  • From Drop down Subnet Name section select Common Name & type the value. Preferably the primary domain name & then click Add.
  • Under Alternative Name select DNS type all alternate DNS Names & add them.

  • Under General Tab type a friendly name.
  • Better to keep add a * in front of the friendly name now. It will help you to bind the certificate from IIS graphical user interface to all websites using same IP & port 443. If you don’t do this now, no worries, you can do it later or you can use Commadline tool to bind this cert. I have discussed the same in certificate installation/import post.
  • Click okay & In certificate information window click next

  • Give a file path to save this certificate request 7 select Base 64 as file format

  • It will generate “.req” file, you can open this file using notepad.
  • You use this file to generate your SAN certificate from external public certificate authority or from your internal certificate authority server.
    2. Certificate Requests in Windows Server 2008
Submit Certificate Request

For requests submitted to a public CA simply copy/paste the text from the generated file to that CA’s request form and then wait for the completed .cer file to be sent back and then skip to the next section

image

But for internal requests there are multiple ways to submit them to a Windows CA. Depending on the tools and permissions available some of these approaches may not work in certain environments. If access is prevented for certificate submissions then send the request text file to the appropriate personnel and wait for them to send back the certificate file, then jump to the next section to complete the request.

Assuming that both connectivity to the CA and the appropriate permissions are available then follow these basic steps to submit the request to the Windows CA using certreq.exe from the standard Windows command prompt.

  • From the same server open the standard Windows Command Prompt. (If network connectivity to the CA is not available from this host then copy the request file to the CA server or anther Windows server with access and run these commands from that system.)

Change to the current directory where the new request file was saved (e.g. C:\Temp) and issue the following command:

certreq.exe -submit -attrib “CertificateTemplate:WebServer” newcert.req newcert.cer

The CertificateTemplate attribute can be used to supply the name of whatever the custom template’s name is in the CA, assuming that template was configured in a way that is still compatible with the type of request generated.

In the Certification Authority List pop-up window select the desired Windows CA to submit the request against.

image

The results of the command should indicate a successful request and the resulting certificate file will be written to a new text file in the same directory as indicated in the command (newcert.cer).

image

As the Request ID is displayed in the output above, then the details of the issued certificate can be verified on the CA itself by opening the Certificate Authority administrative tool on the CA server and then browsing to the Issued Certificates container to look for the matching ID.

image

Complete Certificate Request

Before completing the request locate and open the newly generated certificate file (newcert.cer). Notice that the private key description is missing from the General tab information.

Although this appears to look like a ‘certificate’ file it is actually just the public key portion that is generated by the CA, the all-important private key portion is still stored locally on the requesting server and the two items need to be joined together to create an actual functioning certificate pair. Without a valid private key nothing can be decrypted which was encrypted using the public key.

image

Although this appears to look like a ‘certificate’ file it is actually just the public key portion that is generated by the CA, the all-important private key portion is still stored locally on the requesting server and the two items need to be joined together to create an actual functioning certificate pair. Without a valid private key nothing can be decrypted which was encrypted using the public key.

  • From the Action pane of Internet Information Services (IIS) Manager select Complete Certificate Request.

image

  • In the Specify Certificate Authority Response window browse for and select the certificate file (newcert.cer) and provide a Friendly Name for the certificate, then complete the wizard.

image

View the properties of the new certificate and this time the General information will indicate that the private key has successfully been linked to the new certificate.

image

About thangletoan

Hallo Aloha

Posted on 25/08/2013, in CA, HTTPS, Microsoft, Microsoft Certificate Authentication, Microsoft Office 365, SSL, Web Authenticate, Windows Server 2008 DC CA, Windows Server 2008 R2 and tagged , , . Bookmark the permalink. Để lại bình luận.

Gửi phản hồi

Mời bạn điền thông tin vào ô dưới đây hoặc kích vào một biểu tượng để đăng nhập:

WordPress.com Logo

Bạn đang bình luận bằng tài khoản WordPress.com Log Out / Thay đổi )

Twitter picture

Bạn đang bình luận bằng tài khoản Twitter Log Out / Thay đổi )

Facebook photo

Bạn đang bình luận bằng tài khoản Facebook Log Out / Thay đổi )

Google+ photo

Bạn đang bình luận bằng tài khoản Google+ Log Out / Thay đổi )

Connecting to %s

%d bloggers like this: