Example: Generating a Key Pair and CSR

Previous Next

See Also

This example shows how to obtain online a test server certificate from VeriSign for Microsoft Internet Information Server 4.0.

To generate a public and private key pair and CSR for a Microsoft Internet Information Server 4.0:

1. Open the Microsoft Management Console (MMC) for IIS. On Windows NT, this can be reached by selecting Start-Programs-Windows NT 4.0 Option Pack-Microsoft Internet Information Server-Internet Service Manager.
2. In the MMC, expand the Internet Information Server folder by selecting the "+" sign.
3. After expanding this folder, select the "+" sign next to the computer name.
4. The Default Web Site should be available now, right click on the icon and choose Properties.
5. In the Default Web Site Properties, choose Directory Security.
6. In the Secure Communications area of this Property Sheet, select the Key Manager button.


If the button reads "edit" instead of "Key Manager" you already have an encryption certificate for the WWW Service installed.

7. Once you are in the Key Manager, right click the WWW icon and select "Create New Key..."
8. The Create New Key dialog appears. You will see two configuration options in this dialog. Choose "Put the request in a file that you will send to an authority." Select an appropriate filename (or accept the default). Later, you will need to copy information in this file into a form on the VeriSign web site.

9. Fill out the next dialog. Key length available will depend on the level of encryption on your version of NT Server. Normally, domestic (US and Canadian) versions of NT will have 128-bit encryption available and export versions of NT will have 40-bit. The installation of NT Service Packs may affect this as Service Packs come in both 128 and 40 bit versions.


Remember the password you enter. Without it, you will not be able to perform actions that access your private key material (for example, backing up or restoring a key).

10. Continue filling out the dialog. The "Common Name" of the certificate MUST be either the Name of the NT Server (if using WINS) or the Domain Name of the Server if on the Internet. For example, "www.example.com".


For every website that has a distinct DNS name, there must be an encryption Key installed. However, each website for SSL MUST have a distinct IP address as well. SSL does not support the use of host headers.

11. 11. Continue form completion with Country, State and Locality. Do NOT abbreviate the state name. Your request will be rejected if you do so.

12. Supply the appropriate contact information and Finish.

Key Manager will display a key icon under the WWW icon. The key will have an orange slash through it indicating it is not complete.

13. Choose the "Computers" menu and select Exit. Choose YES when asked to commit changes.


If you close Key Manager and do not commit the changes, the key will not function properly. If this occurs, delete the partial key in Key Manager and create the request again.