When publishing a website to the Internet, it is generally a best practice to use an SSL certificate on the website that you acquired from a public Certification Authority (CA). These are the big certificate issuing entities such as Entrust, Verisign, GoDaddy, and so on. It is possible to use your own internal PKI infrastructure to issue SSL certificates that can be exposed to the outside world, but it can be difficult to set up the certificate infrastructure appropriately and securely. As cheap as SSL certificates are, it is worth the investment to have the security of knowing that the certificate you are running on your website is the one and only certificate of its kind, and that nobody else has a chance to get their hands on a copy of your certificate and spoof your website. Modern browsers also have a pre-built list of the public CAs that they trust; this makes using a certificate from one of those public entities even more beneficial, because your user's browsers will automatically trust those certificates without any additional work on the client side.
It is easy enough to log in to one of these CA's websites and purchase a new certificate, but then comes the tricky part. Once purchased, you need to walk through some steps and enter information about your certificate. Easy enough; it asks you for some company information and the name that you plan to use for your site, of course. Then it asks for your Certificate Signing Request (CSR) and gives you either a very large empty text box to paste it into or an upload function where you can upload your CSR directly to them. This is the place where I have watched many new admins struggle to find traction on their next step.
A CSR is a file that must be created on your web server. It contains information that the CA uses when it creates your certificate. When they do this, it binds the certificate to the information in the CSR, ensuring that your certificate is built specifically for your web server. Here, we are going to generate a CSR together, so that you are prepared to handle that screen when you come across it.
We are going to use IIS that is running on our Server 2016 web server to generate a CSR. This server is the only piece of infrastructure that we need running for this task.
In order to request a new certificate from a public CA, you will need to spin out a CSR on your web server. Here are the steps to do so:
Web
.
.txt
) file. Make sure to specify the full filename, including the extension. I have found that if you do not, the file disappears into neverland.
In this recipe, we requested a new SSL certificate from our favorite public Certification Authority. In order to receive a certificate from them, we had to issue a CSR from our web server. Once we have our CSR generated, we simply copy and paste it into the web interface for our CA entity and they give us a new certificate based on that CSR. Once downloaded, the new certificate file can be imported back into the web server, where it is ready for use by our own website.
One note of importance; after you install the new certificate on your server, double-click on the certificate to open it up. You want to make sure that you have a message displaying on the main page of your certificate properties that says You have a private key that corresponds to this certificate. This will display near the bottom of the General tab of the certificate. If you do not see this message, something did not work correctly with the CSR and you will probably have to start the process over to request another new copy of the certificate. Having a private key that corresponds to your SSL certificate is critical to getting your website working properly.
3.15.29.248