How to Generate a CSR Code with IIS
To activate an SSL certificate, you first need to generate a Certificate Signing Request (CSR) on the server where your website is hosted. The CSR is an encrypted text block containing your domain name, organization details, and your server's public key. The certificate authority uses this to issue an SSL certificate tied specifically to your domain. This guide walks through CSR generation in Internet Information Services (IIS) on Windows Server. The process is similar across all major IIS versions.

⚠️ The CSR must be generated on the same server where your website is hosted. A CSR created on a different server will cause a private key mismatch when you attempt to install the certificate.
Quick Steps: Generate a CSR in IIS
- Open IIS Manager: Search for "IIS" or "inetmgr" and open Internet Information Services (IIS) Manager.
- Server Certificates: Click the server name in the left panel, then double-click "Server Certificates."
- Create Certificate Request: In the Actions panel on the right, click "Create Certificate Request..."
- Distinguished Name Properties: Enter your domain, company, city, state, and country. No special characters.
- Cryptographic Provider: Leave the provider as default (Microsoft RSA SChannel). Set Bit length to 2048 or higher.
- Save the CSR file: Browse to a save location (Desktop recommended), enter a clear Friendly Name, and click Finish.
- View your CSR: Open the saved .txt file with Notepad and copy the full code including BEGIN and END lines.
- Verify the CSR: Use a CSR decoder tool to confirm the details before submitting.
Step 1 — Open IIS Manager
Click the Windows Start button or Search bar, type "IIS" or "inetmgr", and click Internet Information Services (IIS) Manager from the results.
Step 2 — Open Server Certificates
In IIS Manager, click your server name in the left panel. On the main panel, double-click the "Server Certificates" icon.
Step 3 — Create a New Certificate Request
In the Actions panel on the right side of the screen, click "Create Certificate Request..." to launch the CSR wizard.
Step 4 — Enter Your Distinguished Name Properties
A window titled "Distinguished Name Properties" will appear. Fill in each field carefully:
| Field | Example | Notes |
|---|---|---|
| Common Name (CN) | example.com | Exact domain — use *.example.com for Wildcard SSL |
| Organization (O) | Acme Inc. | Legal company or organization name |
| Org. Unit (OU) | IT | Department (e.g., IT, Web, Marketing) |
| City / Locality (L) | New York | Full city name — no abbreviations |
| State / Province (S) | New York | Full state or province name |
| Country (C) | US | Two-letter ISO country code |
⚠️ Do not use special characters (accents, commas, apostrophes, or quotes) in any of these fields. They will cause the CSR to be rejected by the certificate authority.
Once all fields are filled in, click "Next" to continue.
Step 5 — Set the Cryptographic Provider and Bit Length
Leave the Cryptographic service provider set to its default: Microsoft RSA SChannel Cryptographic Provider. Do not change this setting.
For Bit length, the default may show 1024. Change it to 2048 or higher — this is the minimum key size accepted by modern certificate authorities. 4096-bit keys offer stronger security at the cost of slightly higher processing overhead. Then click "Next."
💡 For most use cases, 2048-bit is the standard. Choose 4096-bit only if your certificate authority or security policy specifically requires it — some older server environments may have compatibility limitations with 4096-bit keys.
Step 6 — Choose a Save Location and Set a Friendly Name
Click the "..." (browse) button to choose where to save your CSR file. Saving to the Desktop is recommended for easy access.
💡 Expert Tip: In the Friendly Name field, enter your domain name followed by the current year — for example, example.com-2026. This label stays on the server and makes it easy to match the correct private key when you import the issued certificate later using "Complete Certificate Request." A blank or generic Friendly Name is one of the most common causes of certificate import failures in IIS.
Once you have entered the Friendly Name and selected a file path, click "Finish" to generate the CSR.
Step 7 — View and Copy Your CSR Code
Navigate to the location you chose and open the .txt file with Notepad. Your CSR code will look like this:
-----BEGIN CERTIFICATE REQUEST-----
MIIByjCCATMCAQAwgYkxCzAJBgNVBAYT...
-----END CERTIFICATE REQUEST-----
⚠️ Copy the entire block — including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines. When pasting into the Domain Name API panel or any certificate authority portal, make sure both the opening and closing lines are included. Submitting an incomplete CSR will cause SSL activation to fail immediately.
Step 8 — Verify Your CSR
Before submitting your CSR for SSL activation, verify it is correctly formatted using any standard CSR decoder tool. Confirm that the domain name, organization, and country match what you entered. If any field is incorrect, generate a new CSR from the same server — there is no limit on how many you can create.
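A local way to run the Step 8 check, added here as an example (not code from Domain Name API or Microsoft): it confirms the BEGIN/END lines and Base64 body are complete (Step 7), reads the RSA key size (Step 5), and flags the characters Step 4 warns about. It assumes an RSA key, as created by the provider in Step 5; `check_csr`, `sample_csr`, and the sample values are constructed for illustration.

```python
import base64, re

FRAME = "-----%s (?:NEW )?CERTIFICATE REQUEST-----"  # Windows tools may write "NEW"
PEM = re.compile(FRAME % "BEGIN" + r"\s+(.+?)\s+" + FRAME % "END", re.S)

def items(buf):
    """Split DER bytes into a list of (tag, value) pairs, one per element."""
    out, pos = [], 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:  # long form: low 7 bits count the length bytes that follow
            n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
        if pos + n > len(buf):
            raise ValueError("DER element runs past the end of the data")
        out.append((tag, buf[pos:pos + n]))
        pos += n
    return out

def check_csr(pem, min_bits=2048):
    """Return a list of problems; an empty list means every check passed."""
    if not (m := PEM.fullmatch(pem.strip())):
        return ["BEGIN/END CERTIFICATE REQUEST line missing"]
    try:
        raw = base64.b64decode("".join(m.group(1).split()), validate=True)
        info = items(items(items(raw)[0][1])[0][1])  # CertificationRequestInfo fields
        names = [items(atv)[1] for _, rdn in items(info[1][1]) for _, atv in items(rdn)]
        rsa_key = items(info[2][1])[1][1][1:]  # BIT STRING minus its unused-bits byte
        bits = int.from_bytes(items(items(rsa_key)[0][1])[0][1], "big").bit_length()
    except (ValueError, IndexError):
        return ["Base64/DER body is incomplete or corrupted"]
    problems = [f"RSA key is {bits} bits, below {min_bits}"] if bits < min_bits else []
    texts = [v.decode("utf-16-be" if t == 0x1E else "utf-8", "replace") for t, v in names]
    return problems + [f"special character in DN value {s!r}" for s in texts
                       if any(ord(c) > 126 or c in ",'\"" for c in s)]

def der(tag, *parts):  # DER encoder, needed only to build the constructed sample
    body = b"".join(parts)
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else bytes([0x80 | len(ln)]) + ln) + body

def sample_csr(bits=2048, org="Acme Inc."):  # constructed: dummy modulus and signature
    name = lambda oid, v: der(0x31, der(0x30, der(0x06, oid), der(0x0C, v.encode())))
    modulus = b"\x00" + (1 << bits - 1 | 1).to_bytes(bits // 8, "big")
    spki = der(0x30, bytes.fromhex("300d06092a864886f70d0101010500"),
               der(0x03, b"\x00", der(0x30, der(0x02, modulus), der(0x02, b"\x01\x00\x01"))))
    dn = der(0x30, name(b"\x55\x04\x03", "example.com"), name(b"\x55\x04\x0a", org))
    csr = der(0x30, der(0x30, der(0x02, b"\x00"), dn, spki, der(0xA0)),
              bytes.fromhex("300d06092a864886f70d01010b0500"), der(0x03, b"\x00" * 9))
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{base64.encodebytes(csr).decode()}-----END CERTIFICATE REQUEST-----\n"
```

To check a real request, pass the text of the .txt file saved in Step 6 to `check_csr`; the signature itself is not verified here.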
✅ Your CSR is ready. Copy the full code (including the dashes) and submit it when activating your SSL certificate through Domain Name API.
Common Mistakes to Avoid

| Mistake | What Goes Wrong | Fix |
|---|---|---|
| Special characters in DN fields | CSR rejected by the certificate authority | Use only standard ASCII characters in all Distinguished Name fields |
| Bit length left at 1024 | Modern CAs reject keys below 2048 bits | Change to 2048 or 4096 before clicking Next |
| CSR generated on wrong server | Private key mismatch during certificate installation | Always generate on the server hosting the website |
| Friendly Name left blank | Certificate import fails or wrong key is matched in IIS | Use a descriptive name such as example.com-2026 |
| Incomplete CSR copied | Activation fails — CA cannot parse an incomplete request | Include full BEGIN and END lines when copying |
Verification Checklist
- CSR file saved to an accessible location
- Friendly Name entered as domain-year (e.g., example.com-2026)
- Full CSR code copied — including BEGIN and END lines
- CSR decoded and verified — domain, organization, and country are correct
- Bit length confirmed at 2048 or higher
- No special characters used in any DN field
Best Practices

- Use 2048-bit or 4096-bit key length — 1024-bit is no longer accepted by any major CA
- Always set a clear, descriptive Friendly Name (domain-year format recommended)
- Save the CSR file and note where the private key is stored — you will need it during certificate installation
- Use the exact domain name in the Common Name field — no trailing slashes or protocols
- For Wildcard certificates, enter *.example.com in the Common Name
- Verify the CSR with a decoder before submitting — this catches errors before wasting an activation
What to Do Next
Once your CSR is ready:
- Submit the CSR during SSL activation through your Domain Name API account.
- After the certificate is issued, install it in IIS using "Complete Certificate Request" under Server Certificates. The Friendly Name you set will help match the correct private key. Full guide: https://www.domainnameapi.com/knowledge-base/how-to-install-ssl-certificate-on-iis
- Verify the installation by checking the padlock in your browser and running an SSL checker tool.
Frequently Asked Questions
What is a CSR?
A CSR (Certificate Signing Request) is an encrypted block of text generated on your server. It contains your domain name, organization details, and your server's public key. The certificate authority uses it to issue an SSL certificate specific to your domain and server.
Why must the CSR be generated on the same server as the website?
CSR generation produces two keys: a public key (included in the CSR) and a private key (stored on the server). These must be paired. If the CSR is generated on a different server, the private key will not be present during installation and the process will fail.
What is a Friendly Name and why does it matter?
The Friendly Name is a label assigned to the CSR and later to the certificate in IIS. It is not sent to the certificate authority — it exists only on your server. When you complete the certificate installation using "Complete Certificate Request," IIS uses the Friendly Name to locate and match the correct private key. A blank or unclear Friendly Name is a common cause of certificate import failures.
What bit length should I use for a CSR?
2048-bit is the current industry standard and is accepted by all major certificate authorities. 4096-bit offers stronger cryptographic security but is generally only required for high-security environments or specific CA policies. 1024-bit is no longer accepted. For most deployments, 2048-bit is the right choice.
What happens if I lose my private key?
If the private key is deleted or lost before the certificate is installed, the certificate cannot be used on that server. You would need to generate a new CSR (which creates a new private key) and request a certificate reissue from the certificate authority. This is why it is critical not to delete any IIS certificate records or CSR files until the full installation is confirmed working.
Can I generate multiple CSRs?
Yes. There is no limit on how many CSRs you can generate. If a CSR contains an error or you need to change the domain details, simply generate a new one from IIS Manager. Each new CSR creates a new private key on the server.
What is the difference between a CSR and an SSL certificate?
A CSR is a request you send to the certificate authority — it contains your domain information and public key, and asks the CA to issue an SSL certificate. The SSL certificate is what the CA sends back after verifying the request. You cannot install a CSR on a server; only the issued certificate can be installed.
How do I enter the Common Name for a Wildcard SSL certificate?
For a Wildcard SSL, enter *.example.com as the Common Name. This covers the root domain and all first-level subdomains, such as www, mail, and shop.
Can I reuse a CSR when renewing an SSL certificate?
Technically possible in some cases, but not recommended. Generating a fresh CSR for each renewal creates a new private key, which is the security best practice recommended by all major certificate authorities. Reusing an old private key means that if the old key was ever compromised, the renewed certificate is also at risk. Always generate a new CSR for renewals.
What should I do if my CSR is rejected?
The most common causes of CSR rejection are: special characters in the Distinguished Name fields, an incorrect domain name in the Common Name field, or a key length below 2048 bits. Review the error message from the CA, correct the relevant field, and generate a new CSR on the same server.
Which IIS versions does this guide cover?
The process described in this guide is applicable across all major IIS versions on Windows Server, including IIS 7.x, 8.x, 8.5, and 10. The Server Certificates and Create Certificate Request interface is consistent across these versions. Older versions (IIS 5.x and 6.x) follow a similar flow but may have minor UI differences.
Conclusion
CSR generation in IIS can usually be completed in a few minutes. Open IIS Manager, go to Server Certificates, create a new certificate request, fill in your domain details, set the bit length to 2048 or higher, enter a descriptive Friendly Name, save the file, and verify the output with a CSR decoder before submitting.
Two things to remember: always generate the CSR on the server hosting your website, and always set a meaningful Friendly Name — both steps prevent the most common installation failures.
✅ Once your CSR is ready, verify the details with a CSR decoder before submitting for SSL activation.
