Creating a CSR for IIS on Windows


We will generate the Certificate Signing Request (CSR) through the Microsoft Management Console (MMC) instead of directly from IIS to avoid exporting the private key. Please follow each step closely; a mistake may require you to start over.

In the search box on the Windows taskbar, type “mmc” and launch the program.

A window titled “Console” will open. In this window’s toolbar, select File, then select the option Add/Remove Snap-in….

On the Available snap-ins list, select Certificates, click Add, then OK.

This will open another window asking which account the snap-in will always manage certificates for. Select Computer account, then Next.

Select Local computer, then Finish.

Back in the Snap-ins window, check for “Certificates” under “Console Root” in the “selected snap-ins” list on the right. If it is there, click OK.

Click on Certificates, found under the “Console Root” folder on the left panel. Right-click the Personal folder and navigate to: All Tasks > Advanced Operations > Create Custom Request….

The Certificate Enrollment wizard should appear. Click Next to proceed past the “Select Certificate Enrollment Policy” and “Custom Request” options without making changes.

Stop at the “Certificate information” section.

Click on the Details caret, then Properties.

In the “General” tab, create a Friendly Name and a description. Their purpose is to make it easier to manage your certificates. They have no effect on the functionality of the CSR or SSL, so add what will help you the most. Here is a suggestion: domainname-certificateauthority-expirationdate. When done, click Apply.

Select the “Subject” tab. Now you will need to select and add a value for each of the following attributes (Type:), then click Add after each one:

  • Common Name – The domain your SSL is for.
  • Email – Your email address.
  • Organization – The name of your business.
  • Organization Unit – Your team type, such as IT, Marketing, or Social.
  • Locality – Your city.
  • State – The state where your business resides.
  • Country – The primary country your business operates in.

If you’re creating a CSR with Subject Alternative Names (SANs), the option to do so is on this window.

  • If you own a single-domain SSL certificate, like our No-IP Vital Encrypt certificate, Rapid, or Geotrust SSLs, and you need SSL coverage on both the root domain (yourdomain.com) and www.yourdomain.com, you will need to select “DNS” in the Alternative name section and add both yourdomain.com and www.yourdomain.com, each as a separate DNS value.
  • If you own a Wildcard certificate and want the SSL to cover your root domain along with its sub-domains, you will follow the same steps, except you will only enter your root domain as an Alternative name. (Your common name on the subject tab should be *.yourdomain.com)

In the Private Key tab, select 2048 in the “Key Size” dropdown. Select the option Make private key exportable. Now select sha256 in the “Select Hash Algorithm” dropdown. Click Apply then OK.

You will be taken back to the “Certificate Information” window. Click Next and you will be asked where to save your CSR on your computer. Click Browse and choose somewhere easy to navigate to save it.
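
A scripted equivalent of the wizard settings above, using the built-in certreq and certutil tools. This is an added example, not part of the original guide; the subject values, domain names and file names are placeholders, and any setting the guide does not name is left at the certreq default.

```powershell
# Added example: all names and values below are placeholders (assumptions).
# Run from an elevated PowerShell prompt: MachineKeySet creates the key in the
# Local Computer store, matching "Computer account" > "Local computer" above.
$inf = Join-Path $env:TEMP 'yourdomain-request.inf'   # hypothetical file name
$csr = Join-Path $env:TEMP 'yourdomain-request.csr'   # hypothetical file name

# Single-quoted here-string so "$Windows NT$" is written literally.
@'
[Version]
Signature = "$Windows NT$"

[NewRequest]
; Subject tab (placeholder values, replace with your own)
Subject = "CN=www.yourdomain.com, E=admin@yourdomain.com, O=Example Org, OU=IT, L=YourCity, S=YourState, C=US"
; Private Key tab: 2048-bit key, exportable, sha256
KeyLength = 2048
Exportable = TRUE
HashAlgorithm = sha256
; Store the key pair under the computer account
MachineKeySet = TRUE
RequestType = PKCS10

[Extensions]
; Subject Alternative Names: one DNS value per name
2.5.29.17 = "{text}"
_continue_ = "dns=yourdomain.com&"
_continue_ = "dns=www.yourdomain.com"
'@ | Set-Content -Path $inf -Encoding ASCII

# Remove any earlier output so certreq does not stop to ask about overwriting.
Remove-Item -Path $csr -ErrorAction SilentlyContinue

certreq -new $inf $csr
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Decode the request locally and review the subject, key length,
# signature hash and Subject Alternative Names before submitting it.
certutil -dump $csr
```

The pending private key stays on the server; only the .csr file is submitted.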

Navigate to where you stored your CSR and open the file in Notepad. Copy everything from -----BEGIN NEW CERTIFICATE REQUEST----- down to -----END NEW CERTIFICATE REQUEST-----, including both marker lines.

Paste the entire CSR text you copied in your No-IP.com account on the SSL Certificates page and click Decode.

If you get an error here, there was an issue with the CSR you created and you will have to create a new one. Look up the error in our CSR troubleshooting guide, and correct it when creating the new CSR.

Finally, complete the SSL Contact Information form and click Confirm.

If No-IP manages your DNS, you only need to wait for your SSL Certificate to get verified. If your DNS is managed elsewhere, you’ll need to add a TXT record to validate your domain. Typically, this takes under an hour but can take upwards of 24 hours to complete. Once verified, you can receive your certificate from the SSL Certificates page in your No-IP.com account using the Certificates Actions dropdown and Download option to the right of your SSL certificate.

Once it’s downloaded, the SSL is ready for installation on your server.