
I have generated the CSR on our Windows server (we need to bind the application hosted on this server for HTTPS) using the commands below in keytool:

keytool -genkey -alias <server name> -keyalg RSA -keysize 2048 -keystore <server name>.keystore

keytool -certreq -keyalg RSA -alias <server name> -file certreq.csr -keystore <server name>.keystore

After this I got a CSR and a keystore file, which I forwarded for issuing the SSL certificate. The team gave me a zip file as the certificate (containing one .cer and one .p7b file). Now I am not sure how to use these two files in IIS.

What we have tried so far:

  • Imported the .cer in IIS using the Complete Certificate Request option, but the certificate disappears from IIS when we check again.
  • Imported the .p7b in IIS using the Complete Certificate Request option, but the certificate disappears in this case also.
  • Imported the .cer into the certificate store under Personal certificates, but it does not appear in the IIS settings.
  • Imported the .p7b into the certificate store under Intermediate Certification Authorities, but it does not appear in the IIS settings.
  • Imported the .cer into the certificate store under Personal certificates and the .p7b file under Intermediate Certification Authorities, but no certificate appears in the IIS settings.
  • Tried to export the certificate in PFX format from the certificate store, but while exporting, the PFX option is greyed out.
Raja Dorji
  • Is this requesting certs from a public CA, or an internal CA? Maybe even ADCS? If public, look at the instructions of the provider. If internal, probably click the right options in IIS Manager. – AndrePKI Dec 09 '18 at 09:18

2 Answers


Windows has its own tools for creating certificate requests. You can use the rather clumsy certreq or the much easier Management Console (add the Certificates snap-in for the Computer account on Server 2008 R2 and earlier, or run certlm.msc on Server 2012 and later).

In addition to the certificate returned from the CA, you also need the private key installed on the end-entity. In your case, that private key is within the keystore you used when running keytool and therefore inaccessible to Windows.

You have two options:

  • Import the new certificate into the keystore and export both it and the private key as a PKCS#12 (.pfx), which you can then import into Windows.
  • Use the Microsoft tool to generate a new request and have that signed by your CA. When you import the returned certificate into Windows it'll match up with its private key and you can use it in IIS.

If this is an internal CA, I'd go for the latter option. However, an external CA may charge you for another certificate, so you need to decide what is the most cost effective resolution.

If you decide to go with the former and import the newly signed certificate to your keystore, use something like:

keytool -importcert -file certificate.cer -keystore <server name>.keystore -alias <server name>

Then convert the keystore to a PKCS#12, which you can import to Windows, with:

keytool -importkeystore -srckeystore <server name>.keystore -destkeystore <server name>.pfx -srcstoretype JKS -deststoretype PKCS12 -deststorepass <new password>

You will need Java 8 or later to run the command above.

Any intermediate certificates should also be sent to you. That's probably what is in the p7b file (although you haven't stated its contents). They should be imported into Windows' Intermediate Certification Authorities store, which you seem to have done already.

Once you have your *.pfx file import it into the server's Local Machine certificate store (don't waste time with the IIS MMC snap-in).

Start certlm.msc (W2K12 or later) or add the Certificates MMC snap-in configured for Computer accounts and Local computer (for W2K8R2 or earlier). Right click on the Personal store and import the certificate. If you receive any additional certs within the *.pfx file, move them to the Intermediate Certification Authorities store (for sub CA certs). Otherwise import them separately to that store.

garethTheRed
    This is the correct answer. There is no need to use keytool on Windows. Regarding solutions, I would go with the 2nd option. CAs often do not charge when you are re-requesting the certificate for the same subject, so this option should be ok. – Crypt32 Dec 09 '18 at 08:07
  • Hi @garethTheRed, thank you for your answer. I would like to try the first option first, as the second option of getting another cert will take a long time by the team. Can you please share any link or instructions to import the certificate into the keystore and then export it as PFX? That would be really helpful. – Raja Dorji Dec 09 '18 at 08:49
    It is also common to use IIS Manager directly, https://www.digicert.com/csr-ssl-installation/iis-7.htm – Lex Li Dec 09 '18 at 19:32
  • Hi @garethTheRed, after importing the cer into the keystore, it's showing a privateKeyEntry and a trustedCertEntry in the keystore, and while trying to export to pfx, only the privateKeyEntry is exported, not the newly added trustedCertEntry: Problem importing entry for alias .mhf.mhc: java.security.KeyStoreException: TrustedCertEntry not supported. – Raja Dorji Dec 10 '18 at 12:57
  • Java version is 7. I found this https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#KeystoreFormats – it seems like it does not support storing a trustedCertEntry in PFX. Could not find any workaround yet. Do you have any suggestions? – Raja Dorji Dec 10 '18 at 15:38
  • Took the files to my local system with Java 8 and exported the pfx. Copied the pfx back to the server. Now after importing the pfx in IIS from Server Certificates -> Import, when I try to bind it, I get the error: A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520) – Raja Dorji Dec 11 '18 at 14:16
  • Also, in the keystore contents, after importing the cer into it, the privateKey alias is hostname and the trustedCertEntry is hostname.mhf.mhc. While importing the cer into the keystore I got 'certificate added', unlike what is mentioned in the first comment here https://serverfault.com/questions/809695/java-security-keystoreexception-trustedcertentry-not-supported#comment1029025_809695 Can this be the cause of the issue? – Raja Dorji Dec 11 '18 at 14:23
  • Thank you for bearing with me and for all the help. Tried certlm.msc, and it adds two rows there under Personal certificates, and I'm able to bind the site in IIS with both. I can use the site with https. Thanks a bunch. You've been a saviour :) – Raja Dorji Dec 11 '18 at 14:41

I'm using Windows Server 2012 and IIS 8:

Drop your .p7b file into a folder of your choice. Right click the file then click Install Certificate.

Run certlm.msc. Locate the certificate you installed, right click it, then click Open. Click Install Certificate. Select the Local Machine radio button, then Next. Select "Automatically select the certificate store..." and click Finish. Click OK. Close the app.

Open IIS, select your Default Web Site then go to Bindings. Set Type = https then select the new certificate you installed above. Save.

Jeff Mergler
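Worked example written for this page, not code from either poster: it carries the first answer's keytool route through to the end (install the CA reply on the existing key pair, export that entry as PKCS#12, import it into the Local Machine Personal store, move intermediates to Intermediate Certification Authorities) and then performs the HTTPS binding the second answer does through IIS Manager, all from an elevated PowerShell on the IIS server (Server 2012 or later, so certlm.msc and the PKI module exist). Assumed names: key pair alias web01 in web01.keystore, as created by the -genkey command in the question; a CA bundle chain.p7b that contains the server certificate plus its intermediates (confirm with certutil -dump chain.p7b; if your .p7b holds only intermediates they must be in the keystore as trusted entries before the .cer reply will verify, which is not covered here); and the site name Default Web Site. Two details matter for the problems reported in the comments: the reply has to be imported under the same alias as the key pair, otherwise keytool stores it as a separate TrustedCertEntry that a Java 7 PKCS#12 export rejects, and -srcalias exports only the key entry so the conversion works on Java 7 as well as 8; and a certificate whose HasPrivateKey is False cannot be bound at all, so the script checks that before touching IIS.

```powershell
# Added example for this page, not the original posters' code. Assumptions are marked below.
# Run in an elevated PowerShell on the IIS server (Server 2012 or later, where certlm.msc and the
# PKI module exist); keytool (JDK 7 or later) must be on PATH.
$alias    = 'web01'                 # assumption: alias given to -genkey in the question
$keystore = "$alias.keystore"       # assumption: keystore created by that command
$pfx      = "$alias.pfx"
$site     = 'Default Web Site'      # assumption: site to bind
$ErrorActionPreference = 'Stop'

# 1. Install the CA reply on the existing key pair. -alias MUST match the key pair's alias:
#    that is what makes keytool treat the file as a reply for that key, verify the chain and
#    print "Certificate reply was installed in keystore". Any other alias stores a separate
#    TrustedCertEntry ("Certificate was added to keystore") that a PKCS#12 export on Java 7
#    rejects. The .p7b supplies the intermediates keytool needs to build the chain
#    (assumption: it holds the server cert + intermediates; check with: certutil -dump chain.p7b).
keytool -importcert -trustcacerts -noprompt -alias $alias -file chain.p7b -keystore $keystore
if ($LASTEXITCODE -ne 0) { throw 'keytool refused the certificate reply; check the alias and the chain in chain.p7b' }

# 2. Export only that key entry (private key with its attached chain) as PKCS#12.
#    -srcalias skips any TrustedCertEntry items, so this also works on Java 7.
#    keytool prompts for the source keystore password; the destination password is passed on
#    the command line and is therefore visible in process listings while keytool runs.
$pfxPassPlain = Read-Host 'Password for the new .pfx'
keytool -importkeystore -srckeystore $keystore -srcstoretype JKS -srcalias $alias `
        -destkeystore $pfx -deststoretype PKCS12 -destalias $alias -deststorepass $pfxPassPlain
if ($LASTEXITCODE -ne 0) { throw 'keytool could not write the PKCS#12 file' }

# 3. Import into Local Machine > Personal (what certlm.msc > Personal > All Tasks > Import does).
$pfxPass  = ConvertTo-SecureString $pfxPassPlain -AsPlainText -Force
$imported = @(Import-PfxCertificate -FilePath $pfx -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPass)
$cert = $imported | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $cert) {
    throw 'No imported certificate has a private key, so IIS cannot bind it. Rebuild the .pfx from the keystore that holds the key.'
}

# 4. Intermediates belong in Intermediate Certification Authorities (store name "CA"), whether
#    they came packed inside the .pfx or only in chain.p7b. Roots are deliberately not
#    installed: trusting a new root is a separate decision.
$myStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$caStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('CA', 'LocalMachine')
$myStore.Open('ReadWrite'); $caStore.Open('ReadWrite')
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$chain.Import((Resolve-Path chain.p7b).Path)          # .NET reads PKCS#7 bundles directly
$candidates = @()
foreach ($c in $imported) { $candidates += $c }
foreach ($c in $chain)    { $candidates += $c }
foreach ($c in $candidates) {
    if ($c.Thumbprint -eq $cert.Thumbprint) { continue }       # the server cert stays in My
    if ($c.Subject -eq $c.Issuer) { continue }                 # self-signed root: skip
    $caStore.Add($c)                                           # no-op if already present
}
foreach ($c in $imported) {                                    # tidy extras out of Personal
    if ($c.Thumbprint -ne $cert.Thumbprint) { $myStore.Remove($c) }
}
$myStore.Close(); $caStore.Close()

# 5. Bind HTTPS on the site (IIS Manager > Bindings > Add > https, choose the certificate).
Import-Module WebAdministration
if (-not (Get-WebBinding -Name $site -Protocol https -Port 443)) {
    New-WebBinding -Name $site -Protocol https -Port 443 -IPAddress '*'
}
Push-Location IIS:\SslBindings
if (Test-Path '0.0.0.0!443') { Remove-Item '0.0.0.0!443' }
$cert | New-Item '0.0.0.0!443' | Out-Null
Pop-Location

# 6. Show what HTTP.SYS now serves on 443; the certificate hash must equal $cert.Thumbprint.
"Bound $($cert.Subject) [$($cert.Thumbprint)] to https://*:443 on '$site'"
netsh http show sslcert ipport=0.0.0.0:443
```

The netsh listing at the end is the check worth keeping: if the certificate hash shown there is not the server certificate's thumbprint, or the binding is absent, the site will not answer on 443 no matter what IIS Manager displays. Step 3's HasPrivateKey check is the one that catches a .pfx built from the wrong keystore or a certificate imported on its own, which is the state the question's first five attempts left the server in.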