Creating "Wildcard" Certificate Requests for IIS using the Windows Vista/Server 2008 Certificates MMC plugin

You can use this to generate complex (as well as simple) certificate requests that satisfy pretty nice scenarios. For example, you can add to the request the subject alternative names that match all the web site names your certificate should be used with. This allows you to create a "wildcard" certificate, for example to use host headers with SSL/TLS. You can find the additional steps needed to set up http.sys and IIS appropriately here and here.
Notes: Most modern clients support these "wildcard" variants:

  • CN=*.domain.tld <- This is what everyone seems to understand a wildcard cert to be... Well, it's ONE possibility, but not the only one.

  • CN=server1.domain.tld,CN=server.anotherdomain.tld <- Internet Explorer has supported this since 6.0 (at least). Other browsers might not!

  • CN=primary.domain.tld; Subject Alternative Names: DNS:primary.domain.tld,DNS:another.mydomain.tld,DNS:whatever.another.domain,... <- You put the "primary" name into the Subject.CN attribute and add ALL server names (including the primary!) to the list of subject alternative names. Make sure to add them as DNS types (there is also EMAIL, for example, plus other types that you also should not use for IIS scenarios).
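To make the difference between the three variants concrete, here is an added example (not code from the original post) of the name-matching logic a typical TLS client applies: when the certificate carries DNS entries in the Subject Alternative Name, only those are consulted and the Subject CN is ignored; otherwise each CN is tried; a wildcard is honoured only as the whole leftmost label and covers exactly one label. The sample certificates and host names are constructed for illustration and are plain strings, so no certificate objects or store access is needed.

```powershell
function Test-DnsNameMatch {
    param(
        [Parameter(Mandatory)] [string] $Pattern,   # e.g. "*.domain.tld" or "www.domain.tld"
        [Parameter(Mandatory)] [string] $HostName   # the name the client connected to
    )
    $p = $Pattern.ToLowerInvariant()
    $h = $HostName.ToLowerInvariant()
    if ($p -eq $h) { return $true }
    if ($p.StartsWith('*.')) {
        $suffix = $p.Substring(1)                   # ".domain.tld"
        # "*.domain.tld" matches a.domain.tld but NOT a.b.domain.tld (one label only)
        return ($h.EndsWith($suffix) -and ($h.Split('.').Count -eq $p.Split('.').Count))
    }
    return $false
}

function Test-CertificateNameMatch {
    param(
        [Parameter(Mandatory)] [string[]] $SubjectCNs,   # every CN= value in the Subject
        [string[]] $SanDnsNames = @(),                   # DNS: entries of the SAN extension
        [Parameter(Mandatory)] [string] $HostName
    )
    # Variant 3 from the notes: once SAN DNS names exist they are authoritative and the
    # CN is not consulted, which is why the primary name has to be repeated in the SAN.
    $candidates = if ($SanDnsNames.Count -gt 0) { $SanDnsNames } else { $SubjectCNs }
    foreach ($name in $candidates) {
        if (Test-DnsNameMatch -Pattern $name -HostName $HostName) { return $true }
    }
    return $false
}

# Constructed sample certificates, one per variant described in the notes
$wildcardCert = @{ SubjectCNs = @('*.domain.tld'); SanDnsNames = @() }
$multiCnCert  = @{ SubjectCNs = @('server1.domain.tld', 'server.anotherdomain.tld'); SanDnsNames = @() }
$sanCert      = @{ SubjectCNs = @('primary.domain.tld'); SanDnsNames = @('primary.domain.tld', 'another.mydomain.tld') }
$sanCertMissingPrimary = @{ SubjectCNs = @('primary.domain.tld'); SanDnsNames = @('another.mydomain.tld') }

$checks = @(
    @{ Cert = $wildcardCert;          Host = 'www.domain.tld';           Expect = $true  }
    @{ Cert = $wildcardCert;          Host = 'a.b.domain.tld';           Expect = $false } # wildcard covers one label only
    @{ Cert = $multiCnCert;           Host = 'server.anotherdomain.tld'; Expect = $true  }
    @{ Cert = $sanCert;               Host = 'another.mydomain.tld';     Expect = $true  }
    @{ Cert = $sanCertMissingPrimary; Host = 'primary.domain.tld';       Expect = $false } # CN ignored once a SAN exists
)
foreach ($c in $checks) {
    $got = Test-CertificateNameMatch -SubjectCNs $c.Cert.SubjectCNs -SanDnsNames $c.Cert.SanDnsNames -HostName $c.Host
    '{0,-28} -> {1,-5} (expected {2})' -f $c.Host, $got, $c.Expect
}
```

The last check is the one that bites in practice: a certificate whose CN is primary.domain.tld but whose SAN lists only the other names will be rejected by a SAN-aware client when it connects to primary.domain.tld.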

Here are the steps. You will need to use the "Certificates (Local Computer)" MMC as an Administrator to successfully execute the enrollment and use the certificates and keyset for IIS.

If you don’t have an enterprise CA, please don’t search for the “webserver” template info. It does not help even if it is there.
Creating a custom request is fine. Just make sure that you save it to a file at the end. -> This is the PKCS#10 CSR you need to take to the external CA.

1)      In the MMC, go to the “Personal” folder. Right click, choose All Tasks -> Advanced Operations -> Custom Request.

a.       Hit “next”

b.      Choose “(No template) Legacy Key” as template

c.       Request Format = PKCS #10 is default and OK.

d.      Hit “next”

e.      Click on “Details” to make the “Properties” button show, and hit that.

f.        Please go over the tabs right to left. This will ensure that you 1st take care of the important functional items before coming to your customizations.

2)      Things to check:

a.       “Private Key” tab: “Key Type” -> Mark the keyset for “Exchange” and do NOT leave it at “Signature” (which is the default).

b.      The above does not apply if you are using a CNG provider. Using a CNG provider is OK to do, but you need to make sure to use an RSA provider or the certificate / keyset will not work for IIS. Choice of the provider is a separate topic which we would need to cover separately. Choosing “Legacy Key” will give us the “right” RSA CSP already for our needs here.

c.       “Key Options” -> Make sure to mark the private key for “allow export” to enable you to back up the completed keyset/cert package into a PFX (aka PKCS#12) file later. Do NOT check “Strong private key protection” as that will disable the non-interactive use. Uncheck “key archival” if marked, as that is a CA function not supported by the commercial CAs (at least not unless you have a very special agreement with them). Choose the key size you want. Go with the default (1024) if you have no special requirements/recommendations.

d.      “Extensions” tab -> “Enhanced Key Usage”: Add the “Server Authentication” EKU to the list on the right side.

e.      “Subject” tab: Add a CN entry that (of course) must be set to the server name.

f.        Note: If you are using SAN, then ALL names MUST be added there. The CN in that case should be set to the most commonly used server name as some clients might not support SAN (subject alternative name).

g.       “General” tab (optional): add descriptive text that will later show up in the list to allow easy identification.

h.      Hit “OK” to close the Properties dialog and hit “next”

i.         Enter the wanted filename (e.g. c:\iis-csr.txt) and hit “Finish”.

3)      You now have the data you need to take to the Certification Authority (CA), e.g. Verisign, Thawte, etc.

4)      Once you get the certificate back from the Certification Authority, go to the same folder as before, right click and choose “All Tasks” -> Import…, find the file and go through the wizard with the defaults.

5)      DONE, enrollment finished. Now you can assign the cert in the IIS MMC and back up the cert+private key into a backup PFX file if wanted.
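The wizard settings from steps 1 and 2 can be expressed in a certreq INF file, which is handy when the same request has to be reproduced on several servers. The script below is an added example (not the post’s own method): it writes the INF, has certreq.exe generate the key pair in the machine store and emit the PKCS#10 file for step 3, decodes the request with certutil.exe so the SAN and EKU can be checked before it goes to the CA, and, for step 5, inspects the imported certificate for the properties the post insists on (Server Authentication EKU, SAN present, Exchange key, exportable, machine key store). Host names and file paths are constructed placeholders, and the 2048-bit key length is this example’s choice rather than the wizard default quoted above.

```powershell
$inf = @'
[NewRequest]
Subject = "CN=primary.domain.tld"
; KeySpec 1 = AT_KEYEXCHANGE, the "Exchange" key type from the Private Key tab
KeySpec = 1
KeyLength = 2048
; allow export so the cert+key can later be backed up into a PFX
Exportable = TRUE
; keep the key in the machine store, as the "Certificates (Local Computer)" MMC does
MachineKeySet = TRUE
; the legacy RSA CSP that works with IIS; ProviderType 12 = PROV_RSA_SCHANNEL
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
; digitalSignature (0x80) + keyEncipherment (0x20)
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; 2.5.29.17 = Subject Alternative Name; list ALL names, the primary one included
2.5.29.17 = "{text}"
_continue_ = "dns=primary.domain.tld&"
_continue_ = "dns=another.mydomain.tld&"
_continue_ = "dns=whatever.another.domain&"
'@

$infPath = 'C:\iis-csr.inf'   # constructed paths
$csrPath = 'C:\iis-csr.txt'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generates the key pair in the machine store and writes the PKCS#10 request (run as Administrator)
certreq.exe -new $infPath $csrPath

# Decode the request before sending it to the CA and check the SAN / EKU sections
certutil.exe -dump $csrPath

# --- after the CA-issued certificate has been imported into Cert:\LocalMachine\My ---
function Test-IisServerCert {
    param([Parameter(Mandatory)] [string] $DnsName)

    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$DnsName*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key for $DnsName in the machine store" }

    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $key = $cert.PrivateKey   # RSACryptoServiceProvider for a legacy CSP key; $null for CNG keys

    [pscustomobject]@{
        Thumbprint        = $cert.Thumbprint
        ServerAuthEKU     = [bool]($eku -and $eku.Format($false) -match '1\.3\.6\.1\.5\.5\.7\.3\.1')
        SanNames          = if ($san) { $san.Format($false) } else { '(none)' }
        KeyIsExchange     = ($key.CspKeyContainerInfo.KeyNumber -eq 'Exchange')
        KeyIsExportable   = $key.CspKeyContainerInfo.Exportable
        KeyIsMachineStore = $key.CspKeyContainerInfo.MachineKeyStore
    }
}

Test-IisServerCert -DnsName 'primary.domain.tld'
```

If KeyIsExchange comes back False the keyset was created as a Signature key and IIS will not be able to use it; the request has to be recreated rather than the certificate re-imported, because the key type is fixed when the key pair is generated.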
