The Certificate Enrollment Policy Web Service is installed as an application in Microsoft Internet Information Services (IIS). Microsoft IIS requires a TLS certificate so that the Certificate Enrollment Policy Web Service can accept WSTEP enrollment requests over HTTPS.
The following procedure describes how to create a certificate signing request (CSR) in Microsoft IIS for a certificate. A CSR contains information that the issuing CA will use to create the certificate. Entrust PKI as a Service or an on-premises CA can process the CSR and issue the certificate.
To create a CSR for Microsoft IIS
- Open the Internet Information Services (IIS) Manager. Select Start > Windows Administrative Applications > Internet Information Services (IIS) Manager.
  The Internet Information Services (IIS) Manager dialog box appears.
- Under Connections, select the host name of the server.
- In the Home pane, double-click Server Certificates.
- In the Actions pane, click Create Certificate Request.
  The Request Certificate wizard appears. The Distinguished Name Properties page appears.
- In the provided fields, enter information that will be included in the CSR. Note that the issuing CA (either a CA in Entrust PKI as a Service, or an on-premises Entrust CA) will ignore this information.
- Click Next.
  The Cryptographic Service Provider Properties page appears.
- From the Cryptographic service provider drop-down list, select a cryptographic service provider. It is recommended that you select Microsoft RSA SChannel Cryptographic Provider.
- In the Bit length list, select a bit length. It is recommended that you select 2048 as the bit length.
- Click Next to continue.
  The File Name page appears.
- In the text field, enter a path and file name for the file that will contain the Web server certificate request.
- Click Finish.
  The CSR is saved in the file you specified in the previous step.
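
A scripted equivalent of the wizard steps above, as an added example that is not part of the original procedure: it builds the request with `certreq.exe` from an INF file that carries the same provider and bit length, then checks the resulting file with `certutil.exe` before it is sent to the CA. The subject name, working directory and file names are placeholders.

```powershell
# Added example: create the CSR from an elevated PowerShell session on the IIS server.
# Placeholders (not from the original page): subject, working directory, file names.
$ErrorActionPreference = 'Stop'

$subject = 'CN=cep.example.test'            # placeholder host name
$workDir = Join-Path $env:TEMP 'iis-csr'    # placeholder output directory
$infPath = Join-Path $workDir 'request.inf'
$csrPath = Join-Path $workDir 'request.csr'

New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Same choices as in the wizard: SChannel provider and a 2048-bit RSA key.
# MachineKeySet = TRUE keeps the private key in the computer store, where IIS needs it.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "$subject"
KeyLength = 2048
KeySpec = 1
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
"@
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generate the key pair and write the PKCS #10 request file.
& certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Parse the request and confirm the key size and self-signature before submitting it.
# The matched strings are from English-language certutil output.
$dump = & certutil.exe -dump $csrPath
if ($LASTEXITCODE -ne 0) { throw "certutil could not parse $csrPath" }
if (-not ($dump -match 'Public Key Length: 2048 bits')) {
    throw 'CSR does not contain a 2048-bit public key'
}
if (-not ($dump -match 'Signature matches Public Key')) {
    throw 'CSR signature does not verify against its own public key'
}

Write-Output "CSR written to $csrPath"
```

The private key never leaves the server; only the `.csr` file is sent to the CA, so the issued certificate has to be installed on the same machine that ran the request.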