How to Generate a CSR on Windows Server
Introduction
When deploying SSL/TLS certificates on Microsoft Windows Server environments, administrators often need to generate a Certificate Signing Request (CSR). A CSR contains the public key and identifying information required by a Certificate Authority (CA) to issue a trusted certificate.
This guide explains how to generate a CSR on Windows Server using Internet Information Services (IIS). The procedure applies to:
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
The target audience includes DevOps engineers, system administrators, reliability engineers, and IT teams managing enterprise PKI environments.
Problem
Organizations deploying HTTPS-enabled applications on IIS require a valid SSL/TLS certificate. Before requesting a certificate from a CA, a CSR must be generated.
Common operational challenges include:
- Incorrect CSR formatting
- Missing Subject Alternative Names (SANs)
- Weak cryptographic settings
- Losing the private key during the request process
- Uncertainty about where the CSR is stored
Generating the CSR correctly is critical because the resulting certificate will only function with the matching private key generated during the process.
Solution
Generate a CSR Using IIS Manager
Step 1 — Open IIS Manager
Open the Windows Run dialog:
inetmgr
Or navigate through:
Server Manager → Tools → Internet Information Services (IIS) Manager
Step 2 — Open Server Certificates
In IIS Manager:
- Select the server name in the left navigation pane
- Open Server Certificates
[Placeholder Screenshot — IIS Manager showing Server Certificates feature]
Step 3 — Start the CSR Wizard
In the right-hand Actions pane:
Create Certificate Request...
[Placeholder Screenshot — IIS “Create Certificate Request” action]
Step 4 — Enter Distinguished Name Properties
Fill in the certificate request details carefully.
Example:
| Field | Example |
|---|---|
| Common Name | portal.example.gov |
| Organization | Municipality of Example |
| Organizational Unit | IT Department |
| City/locality | The Hague |
| State/province | South Holland |
| Country/region | NL |
Important Notes
- The Common Name must match the primary hostname.
- Use the official legal organization name.
- Avoid abbreviations unless required internally.
Step 5 — Configure Cryptographic Service Provider
Recommended settings:
| Setting | Recommended Value |
|---|---|
| Cryptographic Service Provider | Microsoft RSA SChannel Cryptographic Provider |
| Bit Length | 2048 or 4096 |
Modern recommendation:
- Minimum RSA key size: 2048-bit
- Preferred for high-security environments: 4096-bit
[Placeholder Screenshot — Cryptographic Provider selection]
Step 6 — Save the CSR File
Save the CSR as a .txt file.
Example:
C:\CSR\portal_example_gov.csr.txt
The file contains a PEM-formatted CSR:
-----BEGIN CERTIFICATE REQUEST-----
MIIC7DCCAdQCAQAwgYsxCzAJBgNVBAYTAk5MMRYwFAYDVQQIEw1Tb3V0aCBIb2xs
...
-----END CERTIFICATE REQUEST-----
Verify the CSR
You can validate the CSR using OpenSSL before submitting it to the CA.
Install OpenSSL
Example using Chocolatey:
choco install openssl
Verify CSR Contents
Run:
openssl req -text -noout -verify -in portal_example_gov.csr.txt
Expected output:
verify OK
Certificate Request:
Data:
Version: 1 (0x0)
Subject:
C=NL
ST=South Holland
L=The Hague
O=Municipality of Example
CN=portal.example.gov
Alternative Method — Generate CSR Using PowerShell
For automated environments, PowerShell can drive certreq with an INF file to generate CSRs without IIS.
Example INF Configuration
Create:
request.inf
Contents:
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=portal.example.gov, O=Municipality of Example, C=NL"
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
HashAlgorithm = sha256
Generate the CSR:
certreq -new request.inf portal_example_gov.csr
Common Issues
"ASN1 bad tag value met"
Usually caused by:
- Copy/paste corruption
- Wrong file encoding
- Extra spaces or line breaks
Recommended fix:
- Save CSR as UTF-8 without BOM
- Use Notepad++ or VS Code
Lost Private Key
If the server loses the private key:
- The issued certificate becomes unusable
- The CSR must be regenerated
- A new certificate reissue is required
Important:
The private key is stored in the Windows Certificate Store and linked to the machine where the CSR was created.
Missing SANs
Modern public CAs require SAN entries.
The IIS CSR wizard does not natively support SANs in older workflows. For SAN certificates:
- Use PowerShell
- Use certreq
- Use an enterprise PKI template
- Or generate via OpenSSL
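The following PowerShell script, an added example that is not part of the original article, combines the certreq INF approach from the previous section with the SAN advice above: it writes an INF carrying a subjectAltName extension, runs certreq, decodes the result with certutil to confirm the SANs are present, and checks that the pending request and its private key landed in the machine store. The hostname, SAN list, paths and organization details are constructed sample values.

```powershell
# Added example (not from the original article): build a SAN-enabled CSR with certreq,
# then confirm the pending request and its private key exist in the machine store.
# Run from an elevated prompt. Hostname, SANs, paths and org details are constructed samples.
$CommonName = 'portal.example.gov'
$Sans       = @('portal.example.gov', 'www.portal.example.gov')
$OutDir     = 'C:\CSR'
$InfPath    = Join-Path $OutDir 'request_san.inf'
$CsrPath    = Join-Path $OutDir "$($CommonName -replace '\.','_').csr"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# [Extensions] carries the SAN list under OID 2.5.29.17 (subjectAltName); each entry is one
# _continue_ line ending in '&'. Exportable=TRUE mirrors the article; use FALSE to pin the key.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$CommonName, O=Municipality of Example, C=NL"
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
HashAlgorithm = sha256

[Extensions]
2.5.29.17 = "{text}"
"@
foreach ($san in $Sans) { $inf += "`n_continue_ = `"dns=$san&`"" }

# Write UTF-8 without a BOM (the article's own advice); Windows PowerShell's -Encoding UTF8 adds one.
[System.IO.File]::WriteAllText($InfPath, $inf, (New-Object System.Text.UTF8Encoding $false))

certreq -new $InfPath $CsrPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Decode the CSR and make sure every SAN actually made it into the request.
$dump = certutil -dump $CsrPath | Out-String
foreach ($san in $Sans) {
    if ($dump -notmatch [regex]::Escape("DNS Name=$san")) { throw "SAN '$san' missing from CSR" }
}

# Until the issued certificate is installed with 'certreq -accept', the pending request and its
# private key live only in LocalMachine\REQUEST; if that entry is lost, the CSR is worthless.
$pending = Get-ChildItem Cert:\LocalMachine\REQUEST |
    Where-Object { $_.Subject -like "CN=$CommonName*" } | Select-Object -First 1
if (-not $pending -or -not $pending.HasPrivateKey) { throw 'Pending request or private key not found' }
"CSR written to $CsrPath; key held in LocalMachine\REQUEST, thumbprint $($pending.Thumbprint)"
```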
Security Recommendations
Use SHA-256
Avoid SHA-1 completely.
Recommended:
sha256
Protect Private Keys
Recommended best practices:
- Restrict filesystem access
- Backup machine keys securely
- Use HSM-backed keys for high-security environments
- Rotate certificates regularly
Use Centralized Certificate Management
Large environments should avoid manual CSR handling where possible.
Centralized certificate lifecycle management platforms help with:
- Expiration monitoring
- Automated renewals
- Inventory management
- Compliance reporting
- ACME integrations
Examples include:
Conclusion
Generating a CSR on Windows Server is a foundational task for deploying SSL/TLS certificates in IIS environments. Using IIS Manager provides a simple graphical workflow, while PowerShell and certreq enable automation for enterprise-scale deployments.
For production environments:
- Use RSA 2048-bit minimum
- Prefer SHA-256
- Validate the CSR before submission
- Securely protect private keys
- Standardize certificate lifecycle processes
This procedure complements Linux-based CSR generation workflows and can be integrated into broader certificate management automation strategies.