Completing an SSL Certificate Request

Overview

This article documents how to complete a CSR (Certificate Signing Request) for an SSL certificate.

Completing the Request

Via Certificate Management

For a SAN certificate, this method is preferred over IIS, as it seems to have fewer issues.

  1. Navigate to the server where the CSR was generated.
  2. Open the Certificate Console. See this article for details.
  3. Import the certificate into the Personal Certificate Store.
  4. If necessary, edit the certificate's Friendly Name.
  5. In IIS, change the bindings of websites to use the new certificate.
  6. If you need to install the certificate on another server or a load balancer, export the certificate INCLUDING the private key. Be sure to retain the password for later.

Via IIS

  1. Navigate to the server where the CSR was generated.
  2. Navigate to IIS > Server
  3. Double-click Server Certificates
  4. In the right pane, click link: "Complete Certificate Request"
  5. Specify the P7B file
  6. For the "Friendly Name" field specify the main domain name in all lower case

Onto an Amazon Load Balancer

Reference: https://uglyduckblog.wordpress.com/2012/10/21/using-openssl-to-extract-private-key-pem-file-from-pfx-personal-information-exchange/

1. If you haven't done so already, export the certificate from the web server, and include the private key.

2. Use OpenSSL (available from OpenSSL.org) to export the private key and the public certificate, as follows.

3. Extract the private key from the PFX file and write it to a PEM file:

"C:\OpenSSL-Win64\bin\openssl.exe" pkcs12 -in publicAndprivate.pfx -nocerts -out privateKey.pem

4. Extract the certificate from the PFX file:

"C:\OpenSSL-Win64\bin\openssl.exe" pkcs12 -in publicAndprivate.pfx -clcerts -nokeys -out publicCert.pem

5. Remove the password from the private key file:

"C:\OpenSSL-Win64\bin\openssl.exe" rsa -in privateKey.pem -out private.pem

6. In the AWS Console, navigate to the load balancer of interest (under EC2) and select the "Listeners" tab

7. In the "SSL Certificate" column, click the "Change" link

8. Select the option for "Upload a new certificate"

9. Get the intermediate certificate from the certificate issuer's email or their site.
Resource          URL
Symantec          https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&id=INFO1728
Symantec example  https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=INFO2061
GoDaddy           https://certs.godaddy.com/repository
SSL Converter     https://www.sslshopper.com/ssl-converter.html (USE THIS TO CONVERT THE ABOVE INTERMEDIATE CERTIFICATES TO PEM FILES AS NECESSARY)

10. Specify a name that includes the current date, then specify the following fields. NOTE: Although the Certificate Chain field is labeled "Optional", you will likely have issues in some browsers or on some devices if you leave it blank.

Field                   Source
Private Key             Contents of the private.pem file
Public Key Certificate  Contents of the publicCert.pem file
Certificate Chain       Contents of the intermediate certificate (PEM-encoded) file from the previous step

11. Check the SSL certificate installation by using this tool: https://cryptoreport.websecurity.symantec.com/checker/views/certCheck.jsp
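As an added example (not part of the original article), the following POSIX shell script reproduces steps 3 to 5 above and then performs two checks worth doing before anything is pasted into the AWS console: that the extracted private key actually belongs to the extracted certificate, and that the certificate validates against the intermediate certificate intended for the Certificate Chain field. It assumes an openssl binary on PATH (the same subcommands apply to openssl.exe on Windows) and uses a constructed throwaway issuer, leaf certificate and PFX in place of the file exported from the server; the file names publicAndprivate.pfx, privateKey.pem, publicCert.pem and private.pem follow the steps above.

```shell
#!/bin/sh
# Added example, not from the original article. Reproduces steps 3-5 of the
# procedure above and then checks that the extracted key belongs to the
# extracted certificate, and that the certificate validates against the
# intermediate that goes into the "Certificate Chain" field.
# Assumes openssl on PATH. All input is CONSTRUCTED (a throwaway issuer and
# leaf packed into a PFX) so the script runs offline.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PFX_PASS="constructed-export-password"

# Constructed stand-in for the publicAndprivate.pfx exported from the server.
make_sample_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Issuer" \
    -keyout "$WORK/ca.key" -out "$WORK/intermediate.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/intermediate.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 -out "$WORK/leaf.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/leaf.key" -in "$WORK/leaf.crt" \
    -out "$WORK/publicAndprivate.pfx" -passout "pass:$PFX_PASS"
}

# Steps 3-5: extract the key, extract the certificate, strip the key password.
extract_from_pfx() {
  openssl pkcs12 -in "$WORK/publicAndprivate.pfx" -nocerts -out "$WORK/privateKey.pem" \
    -passin "pass:$PFX_PASS" -passout "pass:$PFX_PASS"
  openssl pkcs12 -in "$WORK/publicAndprivate.pfx" -clcerts -nokeys \
    -out "$WORK/publicCert.pem" -passin "pass:$PFX_PASS"
  openssl rsa -in "$WORK/privateKey.pem" -out "$WORK/private.pem" -passin "pass:$PFX_PASS"
}

# Prints "match" when the public key in $1 (key PEM) equals the one in $2 (cert PEM).
check_key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl sha256)
  [ "$k" = "$c" ] && echo match || echo MISMATCH
}

# Prints "chain-ok" when $1 (cert PEM) verifies against $2 (intermediate PEM).
check_chain() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo chain-ok || echo chain-bad
}

make_sample_pfx
extract_from_pfx
check_key_matches_cert "$WORK/private.pem" "$WORK/publicCert.pem"   # match
check_chain "$WORK/publicCert.pem" "$WORK/intermediate.pem"          # chain-ok
```

The private.pem produced by step 5 is an unencrypted private key, so keep it out of shared folders and delete it once it has been uploaded to the load balancer.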

Troubleshooting

Resolving an ASN1 Bad Tag Error

Reference: http://blogs.msdn.com/b/webtopics/archive/2009/01/03/asn1-bad-tag-value-met-error-when-processing-a-certificate-request-in-iis-7.aspx

Figure: ASN1 Bad Tag Error Message

If during the above procedure you get the error message "There was an error while performing this action. CertEnroll::CX509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b (ASN: 267)", execute the following procedure to resolve it.

  1. Open the Certificate Console. See this article for details.
  2. Import the certificate into the Personal Certificate Store. At this point the certificate is missing the private key.
  3. Double-click the P7B file and get the thumbprint of the certificate.
  4. Issue the following command on the server: certutil -repairstore my "thumbprint"
  5. When you see the response: "CertUtil: -repairstore command completed successfully" you should have a private key associated. NOTE: You may have to refresh the Microsoft Management Console window to see the private key on the certificate.
  6. The certificate should now be available for bindings within IIS.

Binding Multiple Websites to a SAN Certificate

Reference: https://www.sslshopper.com/article-ssl-host-headers-in-iis-7.html

  1. Bind the SSL certificate to the site for the main domain
  2. In a Command Window, navigate to C:\Windows\System32\Inetsrv\ and issue the following command for each Subject Alternative Name on the certificate, where IISSiteName is the name of the site as listed in the IIS Console, and hostHeaderValue is the domain name to bind to.

appcmd set site /site.name:"IISSiteName" /+bindings.[protocol='https',bindingInformation='*:443:hostHeaderValue']

Undocumented IIS Hack for SSL Binding

Reference: https://techontip.wordpress.com/2011/06/06/how-to-configureimport-san-certificate-in-iis-7-x/

If the above procedure doesn't work, there's an undocumented IIS hack that may work.

  1. Open the Certificate Console. See this article for details.
  2. Navigate to Console Root > Certificates (Local Computer) > Personal > Certificates
  3. Right-click the certificate and select Properties
  4. In the Properties dialog for the certificate, add an asterisk at the beginning of the Friendly Name field. Now when you select the certificate you will be able to type the host header in the IIS Manager itself (i.e., the Host Name field will be enabled).

Figure: Certificate Properties Dialog