Some notes on generating Certificate Signing Requests (CSRs) with Subject Alternative Names (SANs) using JANET's certificate service (https://certificates.ja.net/jcs/)
CSR generation
Create csr.dat as:
[ req ]
default_bits       = 2048
prompt             = no
encrypt_key        = no
default_md         = sha1      # SHA-1 signatures are no longer accepted by public CAs; use sha256 today
distinguished_name = dn

[ dn ]
C    = GB
O    = The University of Kent
# numbered entries let the DN carry more than one CN attribute, one per host name
0.CN = PRIMARY.example.com
1.CN = SECONDARY.blah.example.com
2.CN = TERTIARY.ad.example.com
Then run:
openssl req -new -nodes -batch \
    -keyout PRIMARY.example.com.key \
    -out PRIMARY.example.com.csr \
    -config csr.dat
… then submit the contents of the resulting CSR file (cat *.csr) to JANET.
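As an added example (not part of the original notes), the same three names carried in the standard subjectAltName request extension instead of numbered CN attributes, followed by the two checks worth running before anything is submitted: that the SAN list is actually in the CSR, and that the key file on disk pairs with it. It needs the openssl command-line tool; the host names and DN values are the placeholders from the notes above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original notes: build a CSR with the extra host
# names in the subjectAltName extension, then inspect it before submission.
# Requires the openssl CLI; host names are the placeholders used in the notes.
set -eu
# Write an OpenSSL request config to $1 for primary name $2 and any further
# DNS names given as extra arguments.
write_san_config() {
    cfg=$1; primary=$2; shift 2
    sans="DNS:$primary"
    for n in "$@"; do sans="$sans, DNS:$n"; done
    cat > "$cfg" <<EOF
[ req ]
default_bits       = 2048
prompt             = no
encrypt_key        = no
default_md         = sha256
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
C  = GB
O  = The University of Kent
CN = $primary

[ v3_req ]
subjectAltName = $sans
EOF
}
# Generate an unencrypted key ($2) and CSR ($3) from config $1.
make_csr() {
    openssl req -new -nodes -batch -config "$1" -keyout "$2" -out "$3" 2>/dev/null
}
# Print the SAN list recorded in a CSR, e.g. "DNS:a.example.com, DNS:b.example.com".
csr_sans() {
    openssl req -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); print }'
}
# Succeed only if the key file's public half is the one embedded in the CSR.
key_matches_csr() {
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl req -in "$2" -noout -pubkey)" ]
}
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
write_san_config "$work/csr.cnf" PRIMARY.example.com SECONDARY.blah.example.com TERTIARY.ad.example.com
make_csr "$work/csr.cnf" "$work/PRIMARY.example.com.key" "$work/PRIMARY.example.com.csr"
echo "SANs in CSR: $(csr_sans "$work/PRIMARY.example.com.csr")"
key_matches_csr "$work/PRIMARY.example.com.key" "$work/PRIMARY.example.com.csr" && echo "key matches CSR"
```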
Convert the key to the right format for IIS
IIS only seems to understand PKCS#12 certificates, so we need to convert the key and certificate, which are both in PEM format.
When the certificate comes back, cat the key and certificate into one file:
cat PRIMARY.example.com.key PRIMARY.example.com.crt > iisserver.pem
Finally, export the combined file in PKCS#12 format:
# -certfile bundles the intermediate certificates into the PFX; -CAfile on its own
# is only a lookup source and adds nothing to the output unless -chain is also given
openssl pkcs12 -export \
    -in iisserver.pem \
    -certfile ../UKERNA/comodo_chain.pem \
    -name "My Certificate" \
    -out mycert.pfx
- comodo_chain.pem is a file containing the certificate chain above the server certificate (in order: TERENA, UTN-USERFirst-Hardware, AddTrust External CA Root)
- The passphrase it asks for only protects the PFX file itself; you will need it when importing into the Windows certificate store
Importing into IIS
To install a new certificate: in the IIS server console, open the web site's Properties, then Document Security, then Server Certificate, and install from the .pfx file.
To update an existing certificate: import the .pfx into the Personal store, then go to the Website Properties, Document Security, Server Certificate (or Edit?) and replace the certificate.