Notes for creating an SSL CSR

When you want to buy an SSL certificate from a certificate authority, the first step is to create a certificate signing request (CSR). Since there are plenty of resources on the internet that show how to do that, this blog post is all about notes on small details that may help me do the whole process more easily next time.

  • If you want to buy a wildcard SSL certificate for *.example.com, set it as the common name (CN): CN=*.example.com
  • By default, a CSR generated by IIS uses SHA1 to sign the certificate. To force SHA256, you need to use an alternate tool. One tool that is available on Windows is the Certificate Management console. Follow the instructions in "Create a CSR with SHA256 signature algorithm" for how to do that. You must select the CNG template. The CSR contains your public key.
  • After you fill in all the details at a certificate provider, it will sign the CSR for you. So where is the private key? The private key is stored on the same machine that you used to generate the CSR.
  • You need to import the issued public key on the same machine on which the CSR was generated, into the LocalMachine\My store. After the import, you will find a certificate with both public and private key there.
  • Sometimes the issued certificate has the wrong CSP (cryptographic service provider). You can use OpenSSL to change its CSP easily.
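
The CSR, hash check and import steps above can also be scripted with certreq and certutil instead of the Certificate Management console. This is an added example, not part of the original post; the file names, the 2048-bit key length and the non-exportable key setting are assumptions, and it must be run from an elevated prompt.

```powershell
# Added example: file names and key settings below are assumptions.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=*.example.com"
KeyAlgorithm = RSA
KeyLength = 2048
ProviderName = "Microsoft Software Key Storage Provider"
HashAlgorithm = SHA256
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10
'@
Set-Content -Path .\wildcard.inf -Value $inf -Encoding ASCII

# Generates the key pair in the machine key store and writes the CSR.
# Only the CSR (public key + subject) is sent to the certificate provider.
certreq -new .\wildcard.inf .\wildcard.csr
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed' }

# Confirm the request is signed with SHA256 before submitting it.
# 1.2.840.113549.1.1.11 is the OID for sha256WithRSAEncryption;
# matching the OID avoids depending on localized certutil output.
$dump = certutil -dump .\wildcard.csr
if (-not ($dump | Select-String -SimpleMatch '1.2.840.113549.1.1.11')) {
    throw 'CSR is not signed with SHA256/RSA; do not submit it'
}

# Once the provider returns the issued certificate (saved here as
# wildcard.cer), accept it on the SAME machine so it pairs with the key.
if (Test-Path .\wildcard.cer) {
    certreq -accept -machine .\wildcard.cer
    if ($LASTEXITCODE -ne 0) { throw 'certreq -accept failed' }

    # HasPrivateKey must be True; False means the certificate was
    # imported on a machine that does not hold the matching key.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject.Contains('CN=*.example.com') } |
        Select-Object Subject, Thumbprint, HasPrivateKey,
            @{ n = 'SignatureAlgorithm'; e = { $_.SignatureAlgorithm.FriendlyName } }
}
```

`Exportable = FALSE` keeps the private key from being exported later; set it to `TRUE` only if the certificate has to be moved to another machine.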
