Every time I have to rotate an SSL certificate on my web site I end up spending a few hours going through the proper steps to generate the necessary files and convert them between formats. Since I only do so once a year I never bothered documenting the process. Now, for my own sake, I will publish this post to help folks who have similar needs.

My web service is deployed to IIS, which consumes certificates in PFX (PKCS#12) format. However, my certification authority issues certificates in CRT format. The natural question is how to convert one into the other. We will be using OpenSSL for that. I prefer the Windows OpenSSL port simply because most of my ecosystem is Windows; the commands below are the same on any platform.

A quick segue into nomenclature:

  • CA means Certification Authority, the organization that issues the certificate.
  • CSR stands for Certificate Signing Request. It is the payload you submit to the CA to obtain a certificate: your public key and subject name, signed with your private key.
  • KEY is the private key generated together with the CSR. It never leaves your machine; the CA only ever sees the CSR, and the key is bundled into the final PFX file.
  • PFX is a PKCS#12 container holding the certificate, its private key and, optionally, the issuing chain. This is what gets uploaded to IIS.

It is absolutely critical that you do not lose or discard the KEY file after generation. The CA never sees it, so nobody can recover it for you, and without it the issued certificate is useless. Treat it as a secret: restrict file permissions on it and never email it or commit it to source control. Keep the CSR as well; you will want it to re-submit the request or to check later exactly what was requested.

The first thing we need to do to create the SSL certificate is to generate the CSR and KEY files. For that we need to configure the OpenSSL distinguished name section; that is the only certificate property we need to define. Create an empty openssl.cnf file next to openssl.exe and type the following content, changing the values as you go to fit your needs:

[ req ]
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = My State

localityName = Locality Name (eg, city)
localityName_default = My City

organizationName = Organization Name (eg, company)
organizationName_default = My Organization

organizationalUnitName = Organizational Unit Name (eg, section)

commonName = Common Name (eg, your website’s domain name)
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 40

Now we are ready to generate the files for the CA. OpenSSL will first prompt for a PEM pass phrase for the new private key and then for the subject fields defined above. The key file is written encrypted with that pass phrase, and you will be asked for it again when building the PFX (pass -nodes if you want the key written unencrypted instead):

openssl req -newkey rsa:2048 -keyout mywebsite.com.key -config openssl.cnf -out mywebsite.com.csr

Make sure you end up with two files. If you don't have them, something went wrong and requires investigation. We also need to make sure the CSR file contains exactly what we expect, and there is a command for that:

openssl req -text -noout -verify -in mywebsite.com.csr

In the output of the tool look at the Subject field and pay special attention to the CN attribute: it must match your website's domain name. Keep in mind that modern browsers ignore CN and match the host name against the Subject Alternative Name extension instead; public CAs fill SAN in from the names in your order, so check the issued certificate for it rather than assuming. You will submit your CSR to the CA and wait for the certificate to be issued.

Typically the CA returns the certificate in two parts:

  • *.CRT contains the certificate itself (usually PEM encoded, though some CAs send binary DER).
  • *.P7B has the certification chain: the intermediate CA certificate(s), and often the root, that connect your certificate to a root the clients already trust.

The P7B file is not strictly needed to build a PFX, and IIS itself will usually validate the chain anyway, because Windows fetches missing intermediates from the URL in the certificate's Authority Information Access extension. Do not rely on that for what the server presents to clients, though: if only the leaf certificate is installed, every client has to locate the intermediate on its own, and many of them (Android, Java and OpenSSL-based tools among others) will simply fail the handshake. The safer approach is to convert the P7B to PEM and include it in the PFX with -certfile, so that importing the PFX also places the intermediates in the IIS server's store and the full chain is served. The minimal conversion, with the leaf certificate only, is:

openssl pkcs12 -export -out mywebsite.com.pfx -inkey mywebsite.com.key -in certificate.crt

OpenSSL will ask for the private key pass phrase and then for an export password; you will need the export password again when importing. The resulting PFX file can then be uploaded to the IIS server.
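The whole procedure end to end, as an added example that is not part of the original post: it generates the key and CSR, stands in for the CA with a throwaway root and intermediate so the script runs offline, converts the returned P7B to PEM, builds a PFX that carries the chain, and then runs the checks worth doing before uploading anything. The CA certificates, the export password "changeit", the file names and the mywebsite.com host names are all assumptions; with a real CA you only run the make_csr, p7b_to_pem and make_pfx steps and the checks. The openssl commands are identical in the Windows build; only the bash glue around them differs.

```bash
#!/usr/bin/env bash
# Added end-to-end example (not from the original post): generate key + CSR, obtain a
# certificate and P7B chain from a throwaway local CA that stands in for the real one,
# convert the P7B to PEM, bundle everything into a PFX and verify the result.
# File names, the "changeit" export password and the mywebsite.com names are assumptions.
set -euo pipefail

WORK="$(mktemp -d)"
cd "$WORK"

# Extensions for the CA certificates (root and intermediate). Real CAs supply their own.
printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
              'keyUsage=critical,keyCertSign,cRLSign' > ca.ext
# Extensions the CA puts on a server certificate; the SAN is what browsers match on.
printf '%s\n' 'basicConstraints=CA:FALSE' \
              'keyUsage=critical,digitalSignature,keyEncipherment' \
              'extendedKeyUsage=serverAuth' \
              'subjectAltName=DNS:mywebsite.com,DNS:www.mywebsite.com' > server.ext

# Stand-in for the CA: self-signed root, intermediate signed by the root, and the
# P7B chain bundle a public CA typically returns alongside the CRT.
make_test_ca() {
  openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Test Root CA" 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.crt 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout intermediate.key -out intermediate.csr -subj "/CN=Test Issuing CA" 2>/dev/null
  openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -extfile ca.ext -out intermediate.crt 2>/dev/null
  openssl crl2pkcs7 -nocrl -certfile intermediate.crt -certfile root.crt -out chain.p7b
}

# Step 1 (your side): private key + CSR. -nodes writes the key unencrypted, -subj replaces
# the interactive prompts, -addext asks for the SAN so the request names every host.
make_csr() {
  openssl req -newkey rsa:2048 -nodes -keyout mywebsite.com.key -out mywebsite.com.csr \
    -subj "/C=US/ST=My State/L=My City/O=My Organization/CN=mywebsite.com" \
    -addext "subjectAltName=DNS:mywebsite.com,DNS:www.mywebsite.com" 2>/dev/null
  openssl req -in mywebsite.com.csr -noout -verify >/dev/null 2>&1
}

# Step 2 (CA side, simulated here): sign the CSR with the intermediate. The private key
# from step 1 is never involved.
issue_cert() {
  openssl x509 -req -in mywebsite.com.csr -CA intermediate.crt -CAkey intermediate.key \
    -CAcreateserial -days 30 -extfile server.ext -out certificate.crt 2>/dev/null
}

# Step 3: P7B -> PEM. Add "-inform DER" if the CA sent a binary .p7b instead of PEM.
p7b_to_pem() {
  openssl pkcs7 -in chain.p7b -print_certs -out chain.pem
}

# Step 4: PFX with key, leaf and chain, so IIS installs the intermediates and serves them.
make_pfx() {
  openssl pkcs12 -export -out mywebsite.com.pfx -inkey mywebsite.com.key -in certificate.crt \
    -certfile chain.pem -passout pass:changeit
}

# Checks to run before uploading anything.
# Does the private key belong to the certificate? Compare the public keys.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}
# Does the leaf chain up to the root we trust, using only the chain the CA gave us?
chain_verifies() {
  openssl verify -CAfile root.crt -untrusted chain.pem certificate.crt >/dev/null
}
# Does the issued certificate carry the host name in its SAN (CN alone is not enough)?
san_contains() {
  openssl x509 -in certificate.crt -noout -ext subjectAltName | grep -q "DNS:$1"
}
# How many certificates ended up in the PFX? Expect leaf + intermediate + root here.
pfx_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

make_test_ca
make_csr
issue_cert
p7b_to_pem
make_pfx
key_matches_cert mywebsite.com.key certificate.crt && echo "key matches certificate"
chain_verifies && echo "chain verifies"
san_contains mywebsite.com && echo "SAN present"
echo "certificates in PFX: $(pfx_cert_count mywebsite.com.pfx changeit)"
```

Two caveats when doing this for real. If the CA sent certificate.crt as binary DER, pkcs12 will reject it; convert it first with openssl x509 -inform DER -in certificate.crt -out certificate.pem. And OpenSSL 3 encrypts PFX files with AES-256 and PBKDF2 by default, which older Windows releases cannot import (the symptom is a "password is incorrect" error); exporting with -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 produces the older format those systems accept.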