Creating a CSR for IIS on Windows | Support

By the end of this tutorial, you will have created your CRS for IIS.

We will be generating the Certificate Signing Request (CSR) through the Microsoft Management Console (MMC) instead of directly from IIS to avoid exporting the private key. Please follow each step closely, a mistake may require you to start over.

Step 1: Launch the Microsoft Management Console (MMC)

In the search engine on the Windows toolbar, type “mmc” and launch the program.

Step 2: Open “File” > “Add/Remove Snap In…”

A window titled “Console” will open. In this window’s toolbar, select File, then select the option Add/Remove Snap in….

Step 3: Add the “Certificates” Snap-In

On the Available snap-ins list, select Certificates, click Add, then OK.

Step 4: Select “Computer Account”

This will prompt you with another window to select where your snap-in will always manage certificates. Select Computer account then Next.

Menu for managing certificate in Microsoft Management Console

Step 5: Select “Local Computer”

Select Local computer, then Finish

Selecting “Local Computer” within the certificate management menu in Microsoft Management Console

Step 6: Confirm Addition of “Console Root”

Back in the Snap-ins window, check for “Certificates” under “Console Root” in the “selected snap-ins” list on the right. If it is there, click OK.

step2.4

Step 7: Open “Console Root” > “Certificates” > “Personal”

Click on Certificates found under the “Console Root” Folder on the left panel. Right Click on the Personal folder and navigate to: All Tasks > Advanced Operations > Create Custom Request….

The menu for creating a custom request in Microsoft Management Console

The Certificate Enrollment wizard should appear. Click Next proceeding past the “Select Certificate Enrollment Policy” and “Custom Request” options without making changes.

The opening screen of the Certificate Enrollment Wizard in Microsoft Management Console

Step 8: Update “Certificate Information” in the Certificate Enrollment Wizard

Stop at the “Certificate information” section.

The “Certificate Information” window in Microsoft Management Console’s Certificate Enrollment Wizard

Step 9: Add a Name and Description for Your Certificate

Click on the Details Carrot, then Properties

In the “General” tab create a Friendly Name and a description. Their purpose is making it easier to managed your certificates. It has no effect on the functionality of the CSR or SSL, so add what will help you the most. Here is a suggestion: domainname-certificateauthority-expirationdate. When done, click Apply.

The “Certificate Properties” window in Microsoft Management Console

Step 10: Provide Name, Email, and Location Info

Select the “Subject” tab. Now you will need to select and add a value for each of the following attributes (Type:), then click Add after each one:

Common Name – The domain your SSL is for.
Email – Your email address.
Organization – The name of your business.
Organization Unit – Your team type. Such as IT, Marketing, Social
Locality – Your city.
State – The state where your business resides.
Country – The primary country your business operates in.

Selecting a country in the “Certificate Properties” window in Microsoft Management Console

If you’re creating a CSR with Subject Alternative Names (SANs) the option to do so is on this window.

If you own a single domain SSL certificate like our No-IP Vital Encrypt certificate, Rapid, or Geotrust SSLs, and you need SSL coverage on both the root domain (yourdomain.com) and www.yourdomain.com you will need to select “DNS” in the Alternative name section and add both yourdomain.com and www.yourdomain.com as a separate DNS value.
If you own a Wildcard certificate. For the SSL to cover your root domain along with its sub-domains, you will follow the same steps, except you will only enter your root domain as an Alternative name. (Your common name on the subject tab should be *.yourdomain.com)

Step 11: Select “Private Key” Size 2048

In the Private Key tab, select 2048 in the “Key Size” dropdown. Select the option Make private key exportable. Now select sha256 in the “Select Hash Algorithm” dropdown. Click Apply then OK.

Selecting key size in Microsoft Management Console’s “Certificate Properties” menu.

Step 11: Save Your CSR

You will be taken back to the “Certificate Information” window. Click Next and you will be asked where to save your CSR on your computer. Click Browse and choose somewhere easy to navigate to save it.

The file naming window within Microsoft Management Console’s “Certificate Properties” menu.

Step 11: Copy Your Stored CSR

Navigate to where you stored your CSR and open the file in notepad. Copy all of –Begin New Certificate Request– down to –End New Certificate Request–.

A CSR opened as a Notepad document

Step 12: Add Your CSR to Your SSL Certificates Page

Paste the entire CSR text you copied in your No-IP.com account on the SSL Certificates page and click Decode.

Note: If you’re not using No-IP, these final steps may look different.

If you get an error here there was an issue with the CSR you created and you will have to create a new one. Look up the error on our CSR troubleshooting guide, and correct the error when creating a new CSR.

Step 12: Provide SSL Contact Information

Finally, complete the SSL Contact Information form and click Confirm.

The SSL Contact Information form in No-IP’s DNS platform.

If No-IP manages your DNS, you only need to wait for your SSL Certificate to get verified. If your DNS is managed elsewhere, you’ll need to add a TXT record to validate your domain. Typically, this takes under an hour but can take upwards of 24 hours to complete.

How to Receive Your Completed SSL Certificate

Once verified, you can receive your certificate from the SSL Certificates page in your No-IP.com account using the Certificates Actions dropdown and Download option to the right of your SSL certificate.

SSL Download option in No-IP UI

Once it’s downloaded, the SSL is ready for installation on your server.