We will be generating the Certificate Signing Request (CSR) through the Microsoft Management Console (MMC) instead of directly from IIS to avoid exporting the private key. Please follow each step closely, a mistake may require you to start over.
In the search engine on the Windows toolbar, type “mmc” and launch the program.
A window titled “Console” will open. In this window’s toolbar, select File, then select the option Add/Remove Snap in….
On the Available snap-ins list, select Certificates, click Add, then OK.
This will prompt you with another window to select where your snap-in will always manage certificates. Select Computer account then Next.
Select Local computer, then Finish
Back in the Snap-ins window, check for “Certificates” under “Console Root” in the “selected snap-ins” list on the right. If it is there, click OK.
Click on Certificates found under the “Console Root” Folder on the left panel. Right Click on the Personal folder and navigate to: All Tasks > Advanced Operations > Create Custom Request….
The Certificate Enrollment wizard should appear. Click Next proceeding past the “Select Certificate Enrollment Policy” and “Custom Request” options without making changes.
Stop at the “Certificate information” section.
Click on the Details Carrot, then Properties
In the “General” tab create a Friendly Name and a description. Their purpose is making it easier to managed your certificates. It has no effect on the functionality of the CSR or SSL, so add what will help you the most. Here is a suggestion: domainname-certificateauthority-expirationdate. When done, click Apply.
Select the “Subject” tab. Now you will need to select and add a value for each of the following attributes (Type:), then click Add after each one:
- Common Name – The domain your SSL is for.
- Email – Your email address.
- Organization – The name of your business.
- Organization Unit – Your team type. Such as IT, Marketing, Social
- Locality – Your city.
- State – The state where your business resides.
- Country – The primary country your business operates in.
- If you own a single domain SSL certificate like our No-IP Vital Encrypt certificate, Rapid, or Geotrust SSLs, and you need SSL coverage on both the root domain (yourdomain.com) and www.yourdomain.com you will need to select “DNS” in the Alternative name section and add both yourdomain.com and www.yourdomain.com as a separate DNS value.
- If you own a Wildcard certificate. For the SSL to cover your root domain along with its sub-domains, you will follow the same steps, except you will only enter your root domain as an Alternative name. (Your common name on the subject tab should be *.yourdomain.com)
In the Private Key tab, select 2048 in the “Key Size” dropdown. Select the option Make private key exportable. Now select sha256 in the “Select Hash Algorithm” dropdown. Click Apply then OK.
You will be taken back to the “Certificate Information” window. Click Next and you will be asked where to save your CSR on your computer. Click Browse and choose somewhere easy to navigate to save it.
Navigate to where you stored your CSR and open the file in notepad. Copy all of –Begin New Certificate Request– down to –End New Certificate Request–.
Paste the entire CSR text you copied in your No-IP.com account on the SSL Certificates page and click Decode.
Finally, complete the SSL Contact Information form and click Confirm.
If No-IP manages your DNS, you only need to wait for your SSL Certificate to get verified. If your DNS is managed elsewhere, you’ll need to add a TXT record to validate your domain. Typically, this takes under an hour but can take upwards of 24 hours to complete. Once verified, you can receive your certificate from the SSL Certificates page in your No-IP.com account using the Certificates Actions dropdown and Download option to the right of your SSL certificate.
Once it’s downloaded, the SSL is ready for installation on your server.