
Generating a Server Certificate using IIS 5.1 on Windows XP Professional
Server certificates enable server identification and secure Web communications. The following procedure is used to request and retrieve a generated Server Certificate. For instructions on installing the retrieved certificate, see Installing a Server Certificate in IIS 5.1 on Windows XP.
- Open the Microsoft Management Console for IIS if it is not already open.
- Select the Web site where you wish to install a Server Certificate and right-click to open its ‘Properties’. In this example we have selected the ‘Default Web Site’.

- When the Web site ‘Properties’ tab pane opens, select the ‘Directory Security’ tab and then click ‘Server Certificate’.

- The ‘Web Server Certificate Wizard’ will open. Note that this wizard will notify you if there are pending certificate requests (e.g. the result of using this wizard to generate a certificate request in the past). In this case there are none (we are going to use the wizard to generate a request). Click ‘Next >’.

- The ‘IIS Certificate Wizard’ will open. Keep the default ‘Create a new certificate’ option selected and click ‘Next >’.

- The next pane asks if you want to delay your certificate request or send it immediately. Use the default ‘Prepare the request now, but send it later’ option and click ‘Next >’.

- The ‘Name and Security Settings’ pane allows you to specify the certificate’s Friendly Name and its bit length. You should change the name (perhaps to your server’s fully qualified domain name or to a name based on its function) and select the desired bit length. At Dartmouth the bit length is 1024 (the default in the wizard). Click ‘Next >’ when done filling in your values.

- The ‘Organization Information’ pane allows you to specify your Organization’s name and Organizational Unit’s name (the O and OU fields of the certificate). At Dartmouth the Organization is specified as “Dartmouth College” and the Organizational Unit follows departmental boundaries (“PKI Lab” for example). Click ‘Next >’ when done filling in your organization’s values.

- The ‘Your Site’s Common Name’ pane allows you to specify the common name for your Web site (the CN field of the certificate). The name specified must be the domain name of your Web server or users will see error messages in their browsers when connecting to the Web site. Click ‘Next >’ when done filling in your Web site’s common name.

- The ‘Geographical Information’ pane allows you to specify your Country, State and Locale information (the C, S and L fields of the certificate). Click ‘Next >’ when done filling in your geographical information.

- The ‘Certificate Request File Name’ pane allows you to specify the file name and location for the PKCS#10 certificate request the wizard generates. Click ‘Next >’ when done specifying the desired filename and path.

- After you click ‘Next >’ above, a summary pane is displayed. You should review the information and go ‘< Back’ if there are any errors. Click ‘Next >’ to continue and write the certificate request file.

- Click ‘Finish’.

- Request a certificate for the web server from your institutional Certificate Authority or from an Internet Certificate Authority such as VeriSign or Thawte.
  To use Dartmouth's local CA, go to https://collegeca.dartmouth.edu/ManServerEnroll.html and paste in the contents of the file generated above (e.g. certreq.txt). Submit the form, and email the CA administrator that you have sent in a request. When the request is approved (you'll get an email response with instructions to follow), retrieve the certificate with a web browser, and put the PEM encoding of the certificate (copied from the retrieval web page) into a file called server.crt. Note, you do not want the PKCS#7 certificate chain, but rather the single certificate described as "Base 64 encoded certificate."
- Install the retrieved certificate; see Installing a Server Certificate in IIS 5.1 on Windows XP.
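
The retrieval step above asks for the single "Base 64 encoded certificate" rather than the PKCS#7 certificate chain. The following check is an added example, not part of the original instructions: it classifies the text saved as server.crt by inspecting the outer DER structure. The function names and the sample stubs are constructed for illustration.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 #]+)-----\s*(.*?)\s*-----END \1-----", re.S)
# DER encoding of OID 1.2.840.113549.1.7.2 (PKCS#7 signedData).
PKCS7_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")


def _inside_outer_sequence(der):
    """Return the bytes following the outer SEQUENCE header, or None."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first_len = der[1]
    # Short form: one length byte. Long form: low 7 bits count extra bytes.
    start = 2 if first_len < 0x80 else 2 + (first_len & 0x7F)
    return der[start:] if len(der) > start else None


def classify_retrieved(text):
    """Return 'certificate', 'pkcs7-chain', 'multiple' or 'invalid'."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return "invalid"
    if len(blocks) > 1:
        return "multiple"
    label, body = blocks[0]
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "invalid"
    inner = _inside_outer_sequence(der)
    if inner is None:
        return "invalid"
    # A PKCS#7 ContentInfo starts with the signedData OID, whatever the label.
    if inner.startswith(PKCS7_SIGNED_DATA):
        return "pkcs7-chain"
    # An X.509 certificate starts with the tbsCertificate SEQUENCE. The label
    # check rejects a PKCS#10 request, which also starts with a SEQUENCE.
    if inner[0] == 0x30 and label == "CERTIFICATE":
        return "certificate"
    return "invalid"


def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed stubs carrying only the outer DER shape, not real certificates.
SAMPLE_CERT = _pem("CERTIFICATE", bytes.fromhex("300430020500"))
SAMPLE_CHAIN = _pem("CERTIFICATE", bytes.fromhex("300b06092a864886f70d010702"))
```

To check a real file, pass its contents: `classify_retrieved(open("server.crt").read())`; only the result `certificate` matches what the retrieval step asks for.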
Dartmouth College PKI Lab
Last update: 26 February 2003