Please excuse me if this is a dumb or obvious question, I'm self taught and have not been able to find an exact answer to my question after much Googling and reading through StackExchange!

I'm having issues with the process of requesting/purchasing an SSL cert for a public website where the cert is not going to be used in a traditional VM/IIS environment which is what I have experience in managing.

Historically we have just generated the CSR from IIS, requested the cert from our preferred provider with the aforementioned CSR, loaded the cert back into IIS and let the VM handle the SSL workload.

We're now moving to containerisation in Azure, and are using Azure Application gateway to handle SSL to offload the workload from the container.

My question is how do I generate a CSR for a cert that will only be used in a Firewall/SSL offload scenario, and there is no traditional OS to use to create the CSR?

Digicert (or preferred provider) have CSR creation tools, but they all indicate they should be installed on the intended destination server, which with containers is not technically feasible.

I have been able to successfully export existing SSL Certs off old VMs into AppGateway including Intermediaries just fine. Should I just do the same thing but with a local install of IIS? i.e. generate the CSR in a copy of IIS on my PC, complete the process there, then export the Cert/Private Key into AppGateway as I have done with the old VMs? Or is there a better way?

Thanks in advance for any advice/answers!

Chris Butler
  • From docs.microsoft.com/en-us/azure/application-gateway/ssl-overview, it looks like it doesn't matter how you get the certificate, you just need to load the entire cert chain (in pfx format) and the private key into Azure Application Gateway. So, it seems like you could create a private key and a CSR using whatever method you're accustomed to (e.g. openssl), submit the CSR to the CA, get the signed cert from the CA, then assemble the chain (ending with the CA-signed cert) into a .pfx file, and load the .pfx file and the private key into Azure Application Gateway, and that should do the trick. – mti2935 Dec 10 '20 at 23:33
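The openssl route that mti2935 describes, carried through end to end as an added example (this is not code from the original question, the comments, or Azure's documentation). It assumes a scratch directory `WORK`, the hostname `www.example.com`, a placeholder PFX password `changeit`, and a throwaway local root + intermediate that stands in for DigiCert so the script runs offline; in real use you skip `make_throwaway_ca`/`issue_leaf`, upload `site.csr` to your CA, and save the issued certificate and intermediate as `site.crt` and `int.crt`. The private key is generated on the workstation and never needs to touch a server, which is the whole point for an App Gateway SSL-offload deployment.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: generate key + CSR on any workstation,
# have a (here: throwaway, inline) CA issue the certificate, assemble the PFX that
# Azure Application Gateway expects, and check the result before uploading.
set -euo pipefail

WORK="${WORK:-$(mktemp -d)}"              # scratch directory (assumed)
FQDN="www.example.com"                    # assumed hostname
SANS="DNS:example.com,DNS:www.example.com"
PFX_PASS="changeit"                       # placeholder; use a real password for the upload

make_key_and_csr() {
  # 2048-bit RSA key; the CSR carries the SAN list so the CA issues for every hostname.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/site.key" 2>/dev/null
  openssl req -new -key "$WORK/site.key" -subj "/CN=$FQDN" \
    -addext "subjectAltName=$SANS" -out "$WORK/site.csr" 2>/dev/null
}

make_throwaway_ca() {
  # Stand-in for the public CA (constructed for this example): self-signed root,
  # then an intermediate signed by that root. Extensions come from small ext files.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/int.ext"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/root.key" 2>/dev/null
  openssl req -new -key "$WORK/root.key" -subj "/CN=Example Test Root" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/int.key" 2>/dev/null
  openssl req -new -key "$WORK/int.key" -subj "/CN=Example Test Intermediate" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -days 30 -extfile "$WORK/int.ext" -out "$WORK/int.crt" 2>/dev/null
}

issue_leaf() {
  # What the CA does with your CSR. The SAN is restated at signing time because
  # "openssl x509 -req" does not copy CSR extensions unless told to.
  printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\nkeyUsage=critical,digitalSignature,keyEncipherment\n' \
    "$SANS" >"$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/site.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" -CAcreateserial \
    -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/site.crt" 2>/dev/null
}

assemble_pfx() {
  # One PFX holding private key + leaf + intermediate(s). The root is what clients
  # already trust, so it is left out here. OpenSSL 3 encrypts the PFX with PBES2/AES
  # by default; if an importer only understands the older 3DES/SHA-1 PBE, re-export
  # with "-legacy".
  openssl pkcs12 -export -inkey "$WORK/site.key" -in "$WORK/site.crt" \
    -certfile "$WORK/int.crt" -passout "pass:$PFX_PASS" -out "$WORK/site.pfx"
}

# Checks worth running before you upload anything.
csr_has_san()      { openssl req -in "$WORK/site.csr" -noout -text | grep -q "DNS:$FQDN"; }
key_matches_cert() { [ "$(openssl x509 -in "$WORK/site.crt" -noout -pubkey)" = "$(openssl pkey -in "$WORK/site.key" -pubout)" ]; }
verify_chain()     { openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" "$WORK/site.crt" >/dev/null; }
pfx_cert_count()   { openssl pkcs12 -in "$WORK/site.pfx" -passin "pass:$PFX_PASS" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'; }

run_all() {
  make_key_and_csr
  make_throwaway_ca
  issue_leaf
  assemble_pfx
  csr_has_san                    || { echo "CSR is missing the SAN list" >&2; return 1; }
  key_matches_cert               || { echo "private key does not match issued cert" >&2; return 1; }
  verify_chain                   || { echo "chain does not verify" >&2; return 1; }
  [ "$(pfx_cert_count)" -eq 2 ]  || { echo "PFX should hold leaf + intermediate" >&2; return 1; }
  echo "PFX ready for upload: $WORK/site.pfx"
}

run_all
```

The checks are the part that matters in practice: a PFX whose key does not match the leaf, or that is missing the intermediate, uploads fine and only fails later when browsers cannot build the chain. Keep `site.key` and `site.pfx` somewhere controlled (a secrets store, not a shared drive) since the PFX contains the private key.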

2 Answers

1

I have been able to successfully export existing SSL Certs off old VMs into AppGateway including Intermediaries just fine. Should I just do the same thing but with a local install of IIS? i.e. generate the CSR in a copy of IIS on my PC, complete the process there, then export the Cert/Private Key into AppGateway as I have done with the old VMs?

I would say: yes. As @mti2935 pointed out in the comments, you can use whatever machine you have to generate the CSR using any preferred method or tool. Make sure that the private key is exportable. Submit the CSR to the CA, get the issued certificate back, install it to the certificate store and export the certificate and whole chain to PFX. You don't even need IIS; a tiny INF file and two certreq commands will do the job. For example, create the following INF template:

[NewRequest]
; Subject of the request; public CAs take the hostnames from the SAN extension below
Subject = "CN=www.example.com"
; KeySpec = 1 (AT_KEYEXCHANGE): the key type needed for a TLS server certificate
KeySpec = 1
KeyLength = 2048
; MachineKeySet = False stores the key in the current user's store (matches "certutil -user" below)
MachineKeySet = False
; Exportable = TRUE is essential: without it the private key cannot be exported into the PFX
Exportable = TRUE

[Extensions]
; 2.5.29.17 = subjectAltName; list every hostname the certificate must cover
2.5.29.17 = "{text}"
_continue_ = "DNS=example.com&"
_continue_ = "DNS=www.example.com&"

then call:

certreq -new .\inftemplate.inf .\outputcsr.req

Upload outputcsr.req to the CA and retrieve the issued certificate. Then run the following command:

certreq -accept .\issuedcert.cer

and export the certificate to PFX using Windows Certificates Manager (certmgr.msc) or using certutil:

certutil -user -exportpfx my "IssuedCertSerialNumber" .\ssl.pfx

Crypt32
  • Thank you for the suggestions, while this is certainly a valid answer (and I have marked it as such) I'll probably use KeyStore Explorer as suggested below as I'm already familiar with this tool :) – Chris Butler Dec 15 '20 at 23:31
0

Normally CAs cannot issue a certificate without your CSR. There are many tools to generate a key pair and a CSR. You can use any tool that you like.

If you use Windows, you may prefer GUI based tools. Then I would recommend considering KeyStore Explorer: you generate a key pair, then generate a CSR and send it to your preferred CA.

mentallurg
  • Thank you for your suggestion, I already use KeyStore Explorer for removing the Root Cert and creating PFX files when I occasionally receive improperly created files from external sources, will look into using this for CSR generation going forward :) – Chris Butler Dec 15 '20 at 23:33