I am looking into our current website certificate-management process and am looking for steps that may be unnecessary and can be simplified. The current process was created by our sysadmin, who has since left, and I am confused about step 1 below.
Context: I am hosting a webapp (Windows VM with IIS web server) on a (sub)domain that belongs to a customer (on the customer's domain), so I have no control over their DNS settings or certificate management.
Because we do want to support HTTPS for this customer, we have the following process to create an SSL certificate to bind to our webapp in IIS.
- In IIS, we create a CSR (certificate signing request) using the subdomain name (of the customer's domain) and the customer's organisation details.
- We send the CSR to the customer; they sign it with their CA of choice and send the .cert back to us.
- We 'complete' the CSR in IIS, and the certificate appears in IIS. We can then export this certificate as a .PFX (with private key and password) and bind it to our IIS webapp. (The customer uses a DNS record to point their subdomain to our IIS web server.)
My question is: what could the reason be that we (the previous sysadmin) would create the CSR etc., instead of just letting the customer create the certificate fully on their side and, once it's created, send it to us for installation on the web server?
Why this two-phase approach, which involves lots of waiting and customer inaction in the process?
What are the drawbacks of letting the customer fully create and manage their certificate, so that the only thing we have to do is import their certificate and bind it to our webapp in IIS?
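The three steps from the question, scripted as an added example in PowerShell on the IIS host (this is not code from the original post). The hostname app.customer.example, the site name CustomerApp, the C:\certs working directory, the subject details and the path of the returned certificate are all assumptions; New-IISSiteBinding needs the IISAdministration module (IIS 10 / Windows Server 2016 or later), older hosts can use the WebAdministration module or netsh for the binding step.

```powershell
# Added example: the CSR -> sign -> complete -> export -> bind flow from the question.
# Assumptions: hostname app.customer.example, IIS site 'CustomerApp', working dir C:\certs,
# subject details below, and that the customer returns the signed cert as <hostname>.cer.
# Run in an elevated PowerShell session on the IIS server.

$Hostname = 'app.customer.example'
$SiteName = 'CustomerApp'
$WorkDir  = 'C:\certs'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# --- Step 1: create the CSR. The RSA key pair is generated in the LocalMachine store on
# this host; only the public half (the .req file) goes to the customer.
$InfPath = Join-Path $WorkDir "$Hostname.inf"
$CsrPath = Join-Path $WorkDir "$Hostname.req"
@"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$Hostname, O=Customer Org, L=Amsterdam, C=NL"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = SHA256
MachineKeySet = TRUE
; Exportable is needed for the PFX export in step 3; set FALSE if you never export the key.
Exportable = TRUE
; KeySpec 1 = AT_KEYEXCHANGE, required for SChannel/TLS with this CSP.
KeySpec = 1
; 0xA0 = digitalSignature + keyEncipherment
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[Extensions]
; subjectAltName: browsers match the hostname against the SAN, not the CN.
2.5.29.17 = "{text}"
_continue_ = "dns=$Hostname&"
"@ | Set-Content -Path $InfPath -Encoding ASCII

certreq.exe -new $InfPath $CsrPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed" }
Write-Host "Send $CsrPath to the customer for signing by their CA."

# --- Step 2: 'complete' the request once the signed certificate is back (assumed path).
# certreq pairs the certificate with the private key created in step 1 and fails if the
# returned certificate was not issued from this CSR (e.g. the CA re-keyed it).
$SignedCert = Join-Path $WorkDir "$Hostname.cer"
certreq.exe -accept -machine $SignedCert
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed: certificate does not match the pending request" }

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$Hostname*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert -or -not $cert.HasPrivateKey) { throw "No certificate with a private key for $Hostname" }

# Sanity checks before binding: the SAN contains the hostname and the chain validates here.
$san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
if ($san -notmatch [regex]::Escape($Hostname)) { throw "Certificate SAN does not contain $Hostname" }
if (-not $cert.Verify()) { Write-Warning "Chain does not validate on this host; install the customer CA's intermediate certificates" }

# --- Step 3: export a password-protected PFX (backup copy) and bind the cert to the site (SNI).
$PfxPath = Join-Path $WorkDir "$Hostname.pfx"
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPassword | Out-Null

Import-Module IISAdministration
New-IISSiteBinding -Name $SiteName -BindingInformation "*:443:$Hostname" -Protocol https `
    -CertificateThumbPrint $cert.Thumbprint -CertStoreLocation 'Cert:\LocalMachine\My' -SslFlag Sni
Get-IISSiteBinding -Name $SiteName | Where-Object { $_.Protocol -eq 'https' }
```

Note what moves between the two parties at each step: in step 1 only the public CSR leaves the IIS host, the private key is generated in the machine certificate store and stays there, and it leaves the host only through the optional PFX export in step 3. The `certreq -accept` and `HasPrivateKey` checks are the points where a certificate that was not issued from this CSR would be caught.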