Generate CSR in IIS & Problems with it
CSR Generation Process in IIS
To install a certificate in IIS, you first generate the CSR on the IIS server itself. Following are the steps:
1. Log in to the server with administrative rights, or run IIS Manager with administrative rights using the Run as option.
2. Open IIS Manager (Internet Information Services Manager).
3. On the server’s Home page, under the IIS section, double-click Server Certificates.
4. Click “Create Certificate Request”.
5. Clicking “Create Certificate Request” opens the “Request Certificate” wizard at its “Distinguished Name Properties” page, where you must fill in the following information:
a. Common Name: the domain name or FQDN that you want to secure with the SSL certificate (e.g. www.testdomain.com)
b. Organization: the organization/company name the certificate is issued to; the Certificate Authority validates this organization (e.g. My Test Company Ltd)
c. Organizational Unit: the department for which this website project is running (e.g. IT/HR/Sales/Marketing)
d. City/Locality: the city/locality name as it appears in the legal documents of the company/organization (e.g. Ahmedabad)
e. State/Province: the state/province name as it appears in the legal documents of the company/organization (e.g. Gujarat)
f. Country/Region: the country/region as it appears in the legal documents of the company/organization (e.g. India/IN)
Once the above information is filled in, click “Next”.
6. On the “Cryptographic Service Provider Properties” page, in the “Bit length” section, select “2048” and click “Next”.
These steps generate the private key and the CSR (Certificate Signing Request) on your IIS web server.
Problem with CSR Generated in IIS
Information disclosed by a CSR generated on an IIS server:
1. Each server platform has its own method of generating the private key and CSR. The CSR you get is an ASN.1 (Abstract Syntax Notation One) structure, and that structure can carry some vital information for whoever has your CSR.
2. While reviewing a CSR generated using IIS on Windows Server today, I found, on analyzing its ASN.1, that the CSR can disclose some vital information regarding the network, namely:
a. the username under which the CSR was generated,
b. the Active Directory domain name, if the machine is part of a domain,
c. the hostname of the machine where the CSR was generated.
Following is my test CSR:
Command to Get Information
Once you have the CSR above, copy it to any Linux machine, or install OpenSSL on your PC, and run the following command (on Linux the binary is simply openssl rather than openssl.exe):
openssl.exe asn1parse -in mytest.csr
You will get the following result when you parse a CSR generated in Windows IIS. Everyone agrees that the private key must be kept private; in the case of Windows, your CSR should be treated as private as well, because a CSR generated in Windows can reveal very important and vital information about your IT infrastructure that may help attackers target your IT environment.
You can see that when I ran the above command on the CSR I generated in IIS, it revealed the following information:
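The ASN.1 fields that carry this information are Microsoft-specific CSR attributes: szOID_OS_VERSION (1.3.6.1.4.1.311.13.2.3), szOID_ENROLLMENT_CSP_PROVIDER (1.3.6.1.4.1.311.13.2.2) and szOID_REQUEST_CLIENT_INFO (1.3.6.1.4.1.311.21.20), the last holding the machine name, user name and requesting process. As an added example, not the author's code, the Python below walks the DER of a PEM CSR and pulls those three attributes out, so a CSR can be checked before it is sent to a CA without OpenSSL; the machine, user and process values in the constructed sample are made up.

```python
import base64

# CSR attributes certreq/IIS add, keyed by the DER bytes of their OID (wincrypt.h names): 1.3.6.1.4.1.311.13.2.3
# szOID_OS_VERSION, 1.3.6.1.4.1.311.13.2.2 szOID_ENROLLMENT_CSP_PROVIDER, 1.3.6.1.4.1.311.21.20 szOID_REQUEST_CLIENT_INFO
_MS = b"\x2b\x06\x01\x04\x01\x82\x37"  # DER prefix for 1.3.6.1.4.1.311
MS_OIDS = {_MS + b"\x0d\x02\x03": "OS version", _MS + b"\x0d\x02\x02": "Enrollment CSP",
           _MS + b"\x15\x14": "Request client info"}

def _tlvs(b):  # yield (tag, value) for each top-level DER element; handles long-form lengths
    pos = 0
    while pos < len(b):
        tag, length, pos = b[pos], b[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(b[pos:pos + n], "big"), pos + n
        yield tag, b[pos:pos + length]
        pos += length

def _leaf_values(b):  # flatten the string/integer primitives inside a DER blob (OIDs are skipped)
    out = []
    for tag, val in _tlvs(b):
        if tag & 0x20: out.extend(_leaf_values(val))  # constructed type: recurse
        elif tag in (0x0C, 0x13, 0x16): out.append(val.decode())  # UTF8/Printable/IA5String
        elif tag == 0x1E: out.append(val.decode("utf-16-be"))  # BMPString (how the CSP name is stored)
        elif tag == 0x02: out.append(int.from_bytes(val, "big"))  # INTEGER
    return out

def _find(der):  # yield (name, values) for every Attribute SEQUENCE whose OID is in MS_OIDS
    for tag, val in _tlvs(der):
        name = MS_OIDS.get(next(_tlvs(val))[1]) if tag == 0x30 and val[:1] == b"\x06" else None
        if name: yield name, _leaf_values(val)
        elif tag & 0x20: yield from _find(val)  # descend through SEQUENCE/SET/[0] to reach the attributes

def find_ms_attributes(pem):
    """Return {attribute name: [decoded values]} for the Microsoft attributes found in a PEM CSR."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if l and not l.startswith("-")))
    return dict(_find(der))

def _der(tag, payload):  # minimal DER TLV encoder, used only to build the constructed sample below
    n, nb = len(payload), (len(payload).bit_length() + 7) // 8
    return bytes([tag, n]) + payload if n < 0x80 else bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + payload

def build_sample_csr():
    """CONSTRUCTED sample, not a real signed CSR: a CertificationRequestInfo skeleton (version plus the
    [0] attributes; subject and key omitted) carrying the three attributes in the shape IIS emits them."""
    attr = lambda oid, value: _der(0x30, _der(0x06, oid) + _der(0x31, value))  # Attribute { OID, SET }
    client = _der(0x30, _der(0x02, b"\x05") + _der(0x0C, b"DESKTOP-TEST") + _der(0x0C, b"CORP\\alice") + _der(0x0C, b"InetMgr.exe"))
    csp = _der(0x30, _der(0x02, b"\x01") + _der(0x1E, "Test CSP".encode("utf-16-be")))
    attrs = attr(_MS + b"\x0d\x02\x03", _der(0x16, b"10.0.17134.2")) + attr(_MS + b"\x15\x14", client) + attr(_MS + b"\x0d\x02\x02", csp)
    b64 = base64.b64encode(_der(0x30, _der(0x02, b"\x00") + _der(0xA0, attrs))).decode()
    return f"-----BEGIN NEW CERTIFICATE REQUEST-----\n{b64}\n-----END NEW CERTIFICATE REQUEST-----\n"
```

Run find_ms_attributes on your own CSR text to see what it discloses; these attributes live only in the request, a CA does not copy them into the issued certificate, so the exposure is to whoever handles the CSR.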
Solution to this problem:
Currently, the only solution I can think of is to use OpenSSL on Windows to generate the CSR. That avoids this problem, but it is a longer process, and you also need to create a PFX file to install the certificate in the IIS server.