Create Server Certificate CSR files for Certificate Generation

Blog Series :

Part 1: Create Server Certificate CSR files for Certificate Generation

Part 2: Create a certificate signing request (CSR) in IIS Manager

Part 3: Generating a CSR through DigiCertUtil

Part 4: Install Certificates on Server

Before you can generate your SSL Certificate, the certificate requester must create a Certificate Signing Request (CSR) for a domain name or hostname on your web server. The CSR is a standardized way to send the issuing Certificate Authority (CA) your public key, which is paired with a secret private key on the server, and provides relevant information about the requester as indicated below:

· Common Name (CN):

This is the Fully Qualified Domain Name (FQDN) of your server (i.e. www.google.com). This must match exactly what you type in your web browser or you may receive a security error.

· Organization Name (O):

The legal name of your company/organization (i.e. Google, Inc.). Do not abbreviate your company name and it should include the corporate identifier such as Inc., Corp, or LLC (if applicable). For DV orders, you can use your personal name.

· Organization Unit (OU):

The unit or division of the company/organization managing the certificate (i.e. IT Department).

· Locality (L):

The city that you are located in

· State or Province Name (ST):

The state or province in which you are located in

· Country (C):

The country in which you are located in

· Email Address:

An email address associated with the company

· Root Length:

The bit-length of the key pair determines the strength of the key and how easily it can be cracked using brute force methods. 2048-bit key size is the new industry standard and is used to ensure security well into the foreseeable future.

· Signature Algorithm:

Hashing algorithm are used by issuing Certificate Authorities to actually sign certificates and CRLs (Certificate Revocation List) to generate unique hash values from files. It is highly recommended that your certificate be signed with SHA-2 as this is the strongest signature algorithm adopted by the industry.

Example CSR

Most CSRs are created in the Base-64 encoded PEM format and include the “—–BEGIN CERTIFICATE REQUEST—–“and “—–END CERTIFICATE REQUEST—–“ lines as the header and footer tags of the CSR.

There Are many ways to Generate CSR from Server.

We are going to see below two methods & difference in between them :

Here we are generating CSR for our SharePoint 2019 Farm Implementation

1. Generating a CSR through Server IIS

If you noticed that in first method we didn't get any flexibility to add SAN entries, so below utility provides more flexibility and options for CSR generation.

2. Generating a CSR through DigiCertUtil

Once you generate the CSR file submit it to Domain team or Certificate team to get Certificates.