
We need to provide secure SSL on our intranet website. Could anyone please help me with the queries below:

  1. Is it possible to get an internal CA signed cert without a CSR?
  2. If the above is yes, how do I generate an internal CA signed cert without a CSR?

What am I trying to achieve?

We don't have a Production IIS setup, and production IIS will only be set up during the change window. During this change window no resource is available to generate a CA signed cert for a given CSR. Hence, we are trying to create CA signed certs beforehand without having to set up the Prod IIS.

Nil Pun
  • Technically, yes, it's possible (see [this answer](http://stackoverflow.com/a/9344013/372643)), but that's likely to make the procedure more complicated. What are you trying to achieve? – Bruno Mar 01 '12 at 12:38
  • Not sure what the issue is here. Is the problem because you're expecting IIS to generate your CSR for you? Are you aware there are other ways to generate CSRs? – Bruno Mar 01 '12 at 21:56
  • Yes, the problem is we don't have an IIS website set up for Production. What are the other ways to create a CSR? – Nil Pun Mar 02 '12 at 10:53

2 Answers

The Certificate Signing Request (CSR) is a tool for including a third party in the certificate creation process without divulging your private key. It's essentially a packet of encoded information (including the public key) which can be sent to the third party for signing. The third party receives the CSR, signs it with their intermediate or root certificate, and sends the certificate back to you. Your new and shiny certificate file is now a keypair with your private key file. Even better, the third party never had access to your private key through the entire process.

Now to answer your question, yes it is possible. There is no requirement that a third party be involved. It's more a question of how to accomplish this with the cryptographic library of your choice. Check out my post here for a way to get OpenSSL running on Windows without admin privileges.

Create a new key and certificate

```
openssl req -newkey rsa:2048 -nodes -keyout [filepath to key] -x509 -out [filepath to cert]
```

Create a certificate from an existing key

```
openssl req -key [filepath to key] -x509 -out [filepath to cert]
```

Rex Linder

You should be able to use OpenSSL to create a CSR independently of IIS (see its req command).

Bruno
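The approach suggested in the answer above (create the CSR with OpenSSL, independently of IIS), carried through to a PFX that can be imported into IIS during the change window. This is an added example, not code from either answer. The hostname, file names, password and the throwaway "Demo Internal CA" are constructed; the demo CA stands in for the real internal CA, which would run only the signing step.

```shell
#!/bin/sh
# Added example. All names are constructed: HOST, "Demo Internal CA", file names.
set -eu
HOST="intranet.example.local"

# Stand-in for the internal CA (the real CA team already holds its key and cert).
make_demo_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Demo Internal CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Step 1, any workstation, before the change window: private key + CSR, no IIS.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    chmod 600 "$1/server.key"
}

# Step 2, CA side: sign the CSR. Only server.csr is handed over, never server.key.
sign_csr() {
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" > "$1/ext.cnf"
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$1/ext.cnf" \
        -out "$1/server.crt" 2>/dev/null
}

# Step 3: bundle key, cert and CA cert into a PFX to import into IIS later.
make_pfx() {
    openssl pkcs12 -export -inkey "$1/server.key" -in "$1/server.crt" \
        -certfile "$1/ca.crt" -passout "pass:$2" -out "$1/server.pfx"
}

# Checks before the change window: chain validates and cert matches the key.
chain_ok() { openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1; }
key_matches() {
    a=$(openssl x509 -in "$1/server.crt" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$1/server.key" -pubout | openssl sha256)
    [ "$a" = "$b" ]
}

run_demo() {
    d=$(mktemp -d)
    make_demo_ca "$d" && make_csr "$d" && sign_csr "$d" &&
        make_pfx "$d" "constructed-password" && chain_ok "$d" && key_matches "$d" &&
        echo "$d"
}

demo_dir=$(run_demo) && echo "artifacts written to $demo_dir"
```

PFX files written by OpenSSL 3.x use newer encryption defaults that older Windows Server releases can fail to import; the `-legacy` option of `openssl pkcs12` produces the older format if that happens.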