SAPO Trust Centre - Generating an SSL CSR for IIS with SAN
1. Open the Certificates MMC snap-in for your computer.
2. Click on Start > Run > MMC > File > Add/Remove Snap In > Select Certificates > Click Add > Select My Computer.
3. In the Certificates snap-in, right-click the Personal folder, point to All Tasks, point to Advanced Operations, and then click Create Custom Request. This will start the Certificate Enrollment wizard.
4. Click Next.
5. Click Proceed without enrollment policy, and then click Next.
6. In the Template list, click (No template) Legacy key. For Request format, click PKCS #10. PKCS #10 is generally accepted by all CAs. Click Next.
7. Click the Details arrow, and then click Properties. You will need to configure all the certificate request options so that the issued certificate will be suitable for TLS/SSL.
8. On the General tab: Leave all fields empty.
9. On the Subject tab:
   a) In the Subject name area under Type, click Common Name (CN).
   b) In the Subject name area under Value, enter the fully qualified domain name of the server (here, secure.treasurygov.za), and then click Add.
   c) Repeat steps a and b above for each of the following:

      Type                       Value
      Organizational Unit (OU)   Chief Directorate: Information & Communication Technology
      Organization (O)           National Treasury
      Location (L)               Pretoria
      State (S)                  Gauteng
      Country                    ZA

   d) In the Alternative name area under Type, click DNS.
   e) In the Alternative name area under Value, enter the fully qualified domain name of the server, and then click Add.
   f) Repeat steps d and e above for each SAN you want to specify.
10. On the Extensions tab:
   a) Click the Key usage arrow. In the Available options list, click Digital signature, and then click Add. Click Key encipherment, and then click Add.
   b) Click the Extended Key Usage (application policies) arrow. In the Available options list, click Server Authentication, and then click Add.
   c) Leave Basic Constraints, Include Symmetric Algorithms and Custom Extension Definition unchanged (default).
11. On the Private Key tab:
   a) Click the Cryptographic Service Provider arrow, and verify that only Microsoft RSA SChannel Cryptographic Provider is enabled.
   b) Click the Key options arrow. In the Key size list, select 2048 key size. Select the Make private key exportable check box. Do not select either the Allow private key to be archived or Strong private key protection check box.
   c) Click the Key Type arrow. Mark the keyset for Exchange and do NOT leave it at Signature (which is the default).
   d) Click the Key permissions arrow. If the application or service runs as Network Service, grant the Network Service account Read permission. If the application or service that will use this certificate runs as Local System, no permission changes are required.
12. Click OK.
13. Click Next.
14. Enter a path and file name indicating where the request file will be saved.
15. Select the Base 64 format.
16. Click Finish.
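
The same request settings can be written as a certreq.exe policy file, which makes them reviewable and repeatable, and the resulting request can be checked for its SAN entries before it goes to the CA. The script below is an added example, not part of the original SAPO procedure; the subject values, host names and file names are constructed placeholders, and the SAN check assumes English certutil output.

```powershell
# Added example: certreq.exe equivalent of the wizard settings (run elevated).
# Subject, SAN names and file names are constructed placeholders.
$subject  = 'CN=secure.example.test, OU=IT, O=Example Org, L=Pretoria, S=Gauteng, C=ZA'
$sanNames = @('secure.example.test', 'www.example.test')

# One _continue_ line per DNS SAN (step 9 d-f).
$sanLines = ($sanNames | ForEach-Object { "_continue_ = `"dns=$($_)&`"" }) -join "`r`n"

$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "$subject"
; Step 6: PKCS #10 request format
RequestType = PKCS10
; Step 11 a: SChannel provider only
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
; Step 11 b: 2048-bit key, exportable
KeyLength = 2048
Exportable = TRUE
; Step 11 c: Exchange keyset (AT_KEYEXCHANGE), not Signature
KeySpec = 1
; Step 10 a: Digital signature (0x80) + Key encipherment (0x20)
KeyUsage = 0xA0
; Key lives in the computer store (steps 1-2)
MachineKeySet = TRUE

[EnhancedKeyUsageExtension]
; Step 10 b: Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
$sanLines
"@

Set-Content -Path .\request.inf -Value $inf -Encoding ASCII
certreq.exe -new .\request.inf .\request.req   # Base64 PKCS #10 output (steps 14-15)
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Check the request carries every SAN before sending it to the CA.
$dump = certutil.exe -dump .\request.req | Out-String
foreach ($name in $sanNames) {
    if ($dump -notmatch [regex]::Escape("DNS Name=$name")) {
        throw "SAN '$name' missing from request"
    }
}
```

This example does not set the key permissions from step 11 d; if the service runs as Network Service, Read permission on the private key still has to be granted separately.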