Delivering solid user friendly software solutions since the dawn of time.

Introduction to IIS Certificates - Notes

Categories: IIS Notes

by Paul Lemmers

Ok, this must have been the most confusing 44m of my IT life. I clearly do have almost no knowledge about certificates. (edit: finally starting to understand, and yes it is very important and also a total mess selfsll, opensll, bouncycastle, certutil, pvk2pfx, makecert, ...) and I actually wonder if there are people who really know this... let alone really understand the specifications.

Alice & Bob Story - Certificate is name of Alice + Public key signed with private key if self-signed.
Object Identifier (OID)
Certificate: Subject CN = name to trust, Issuer eg. Go Daddy, Valid from, Valid to, Public Key

Exclamation mark means it is a critical extension and client should only use it when they really know how.


  • DER (binary format *.cer over network in ssl handshake)
  • Base-64 (xml, email)
  • Export with hierarchy of certificates can be included (.P7B)
  • PKCS#12 : Export user certificate with private key. (.PFX)

MMC - Certificates
To make all stores visible, select Certificates in treeview > View - Options - Check Physical certificate stores. All hidden notes of trusted root certification authorities will be visible. Certificates that are at enterprise level will come back in your store after deletion if set in the group policy.

When using a machine for signing, you should always delete the private key on export.

Distinguished Name

E = foo@bar.com
CN = foo bar
CN = foo
DC = local

Subject Alternative Name

Other Name:
       Principal Name = foo@bar.com (upn name)
RFC822 Name = Foo@Bar.com (email name)

Key Usage (8bit field flags)
Enhanced Key Usage
SSL certificate should have Server Authentication as enhanced, Digital Signature and Key Encipherment as usage. Command name should be dns.

Where are the keys stored?

CSP - Cryptical Service Providers (eg. when using a smartcard to sign, the private key will 'never' leave the smart card) In the properties (all tasks - manage private keys) you can set which computer accounts should have access to the certificates.

certutil (eg. when using windows 2003)
certutil -dump -v abc.cer
certutil -url abc.cer
certutil -store My
  • Windows - dir ProgramData /As - Microsoft - Crypt - RSA - MachineKeys
  • Firefox - Tools - Options - Encryption - View Certificates
  • Microsoft Active Directory Certificate Services - psResCA

IIS - Machine Name - Server Certificates
Create Domain Certificate (testing)
Create Certificate Request (from external)
Complete Certificate Request

Self-Signed Certificates
if key usage and enhanced key usage is not filled in you can use the certificate for anything
if you install a self-signed certificate of someone else in your trusted root store then they can do remote to your machine!

Certificate Revocation

Certificate - Details - CRL Distribution Point -> url -> Certificate Revocation List -> Serial number by date and reason. (eg. http://crl.godaddy.com/gds3-4.crl)

Authority Information Access (eg. http://ocsp.godaddy.com) will just return valid or not for this certificate instead of complete list of revoked certificates.

Certificate Chain building
Root Certificate then Issuer = Subject

When you create a CA you are changing the burden of proof (certificate policies)
Usage of certificates has legal consequences.