Generate CSR in IIS & Problems with it

IIS - Bug

CSR Generation Process in IIS

Steps to Generate CSR in IIS

In order to deploy/install a certificate in IIS, you can generate the CSR on the IIS server itself. Following are the steps to generate the CSR and install the certificate in IIS:

1. To generate a CSR in IIS, log in to the server with administrative rights, or run IIS Manager with administrative rights using the "Run as" option.

2. Open IIS Manager (Internet Information Services Manager).

3. In the server’s Home page under the IIS section, double-click Server Certificates.

 

Microsoft IIS Server Home

4. Click on “Create Certificate Request”

IIS CSR Generation

Once you click the "Create Certificate Request" button, the "Request Certificate" wizard opens at the "Distinguished Name Properties" page, where you must fill in the following information:

a. Common Name: The domain name or FQDN that you want to secure with the SSL certificate (e.g. www.testdomain.com)

b. Organization: The organization/company name for which you want to get the certificate. The Certificate Authority validates this organization (e.g. My Test Company Ltd)

c. Organizational Unit: The department for which this website project is running (e.g. IT/HR/Sales/Marketing)

d. City/Locality: The city/locality name as per the legal documents of the company/organization (e.g. Ahmedabad)

e. State/Province: The state/province name as per the legal documents of the company/organization (e.g. Gujarat)

f. Country/Region: The country/region name as per the legal documents of the company/organization (e.g. India/IN)

5. Once the above information is filled in, click "Next".

Distinguished Name Properties Window in IIS Server

 

6. You will now be at the "Cryptographic Service Provider Properties" page. In the "Bit length" section select "2048" and click "Next".

Cryptographic Service Provider Selection Window in IIS Server

The above steps generate a private key and a CSR (Certificate Signing Request) on your IIS web server.

Problem with CSR Generated in IIS

Problem with the CSR generated on an IIS server:

1. Each server platform has its own method of generating the private key and CSR. The CSR you get is an ASN.1 (Abstract Syntax Notation One) structure, and besides the subject and public key this structure can carry extra attributes. Those attributes sometimes provide vital information to whoever has a copy of your CSR.

2. While reviewing a CSR today that was generated using IIS on Windows Server, I found while analyzing the ASN.1 that the CSR can disclose some vital information regarding the network, namely:

a. The username with which the CSR was generated,

b. The Active Directory domain name, if the machine is part of a domain,

c. The hostname of the machine on which the CSR was generated.

Following is my test CSR:

-----BEGIN NEW CERTIFICATE REQUEST-----
(CSR body not included on this page)
-----END NEW CERTIFICATE REQUEST-----

Command to Get Information

Once you have the above CSR, copy it to any Linux machine, or install OpenSSL on your PC, and run the following command:

openssl.exe asn1parse -in mytest.csr

You will get the following result when you parse a CSR generated in Windows IIS. So, although people say that only the private key needs to be kept private, in the case of Windows your CSR should be kept private as well. A CSR generated in Windows can reveal very important and vital information about your IT infrastructure that may help attackers target your environment.

You can see that when I ran the above command on the CSR I generated in IIS, it revealed the following information:

OpenSSL ASN.1 Detailed Report about Internal Network
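The `openssl asn1parse` output above is a raw dump that you still have to read by eye. The following script is an added example (it is not part of the original post and not Microsoft or OpenSSL code): a small pure-Python DER walker that opens a PKCS#10 CSR, descends into its attribute set and reports only the attributes that describe the requesting host. The Microsoft attribute OIDs it knows about (OS version, enrollment CSP, and the "request client info" attribute that carries machine name, user name and process name) come from Microsoft's CryptoAPI OID assignments, not from the page. Because the post's own CSR is not reproduced, the sample CSR is constructed in the script itself with placeholder host and user names and a dummy key and signature, so it parses but would not verify.

```python
"""List the host-identifying attributes a PKCS#10 CSR carries (pure Python, no extra modules).
Added example; sample CSR below is constructed and will not verify as a real request."""
import base64
import re

# Microsoft enrollment attribute OIDs (CryptoAPI OID assignments; not named on the page).
INFRA_ATTRS = {
    "1.3.6.1.4.1.311.13.2.3": "OS version",
    "1.3.6.1.4.1.311.13.2.2": "Enrollment CSP",
    "1.3.6.1.4.1.311.21.20": "Request client info (machine, user, process)",
}
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii", 0x1E: "utf-16-be"}  # UTF8/Printable/IA5/BMP


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a constructed value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def _decode_oid(value):
    parts, n = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(n))
            n = 0
    return ".".join(parts)


def _strings(tag, value):
    """Recursively collect human-readable strings inside a DER value."""
    if tag in STRING_TAGS:
        return [value.decode(STRING_TAGS[tag], errors="replace")]
    if tag & 0x20:                         # constructed: SEQUENCE, SET, [n] tags
        return [s for t, v in _children(value) for s in _strings(t, v)]
    return []


def pem_to_der(text):
    return base64.b64decode("".join(re.sub(r"-----[A-Z ]+-----", "", text).split()))


def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN NEW CERTIFICATE REQUEST-----\n{body}\n-----END NEW CERTIFICATE REQUEST-----\n"


def csr_attributes(der):
    """Return {oid: [strings]} for every attribute in the CSR."""
    _, cert_req, _ = _read_tlv(der, 0)                # CertificationRequest ::= SEQUENCE
    (_, info), *_ = _children(cert_req)               # certificationRequestInfo
    report = {}
    for tag, attr_set in _children(info):
        if tag != 0xA0:                               # attributes [0] IMPLICIT SET OF Attribute
            continue
        for _, attr in _children(attr_set):           # Attribute ::= SEQUENCE { type OID, values SET }
            (_, oid_bytes), (_, values) = _children(attr)
            report[_decode_oid(oid_bytes)] = _strings(0x31, values)
    return report


def leaked_fields(der):
    """Only the attributes that expose the requesting machine, user or OS; empty means clean."""
    return {INFRA_ATTRS[o]: v for o, v in csr_attributes(der).items() if o in INFRA_ATTRS}


# --- constructed sample: a CSR-shaped DER blob carrying IIS-style attributes ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _oid(dotted):
    a, b, *rest = (int(x) for x in dotted.split("."))
    out = bytes([40 * a + b])
    for v in rest:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, out)


def sample_iis_style_csr():
    """Constructed sample: placeholder host/user names, dummy key and signature."""
    utf8 = lambda s: _tlv(0x0C, s.encode())
    subject = _tlv(0x30, _tlv(0x31, _tlv(0x30, _oid("2.5.4.3") + _tlv(0x13, b"www.testdomain.com"))))
    spki = _tlv(0x30, _tlv(0x30, _oid("1.2.840.113549.1.1.1") + b"\x05\x00") + _tlv(0x03, bytes(17)))
    client_info = _tlv(0x30, _tlv(0x02, b"\x05") + utf8("WEB01.corp.example.local")
                       + utf8("CORP\\jsmith") + utf8("InetMgr.exe"))
    attrs = _tlv(0xA0, _tlv(0x30, _oid("1.3.6.1.4.1.311.13.2.3") + _tlv(0x31, _tlv(0x16, b"10.0.17763.2")))
                 + _tlv(0x30, _oid("1.3.6.1.4.1.311.21.20") + _tlv(0x31, client_info)))
    info = _tlv(0x30, _tlv(0x02, b"\x00") + subject + spki + attrs)
    sig_alg = _tlv(0x30, _oid("1.2.840.113549.1.1.11") + b"\x05\x00")
    return _tlv(0x30, info + sig_alg + _tlv(0x03, bytes(17)))


if __name__ == "__main__":
    pem = der_to_pem(sample_iis_style_csr())
    for name, values in leaked_fields(pem_to_der(pem)).items():
        print(f"{name}: {values}")
```

To check a real request, call `leaked_fields(pem_to_der(open("mytest.csr").read()))`; a non-empty result means the CSR names your machine, user or OS and should be treated as internal, not pasted into a ticket or public forum. The same call doubles as the acceptance check for the workaround described below: a CSR produced with OpenSSL's `openssl req -new -newkey rsa:2048` carries none of these Microsoft attributes, so the function returns an empty dict for it.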

Solution to this problem:

Currently, the only solution I can think of is to use OpenSSL on Windows to generate the CSR, which avoids this problem. However, it is a longer process, and you also need to create a PFX file (private key plus issued certificate) in order to install the certificate in IIS.
