Creating a Certificate Signing Request using Windows 10

Creating Certificate Signing Requests or CSR’s can be a daunting task, you don’t want to get it wrong as it can costs you, literally. Usually many administrators head over to IIS and create a request using the IIS management console. This will of course work but you may end up creating a SHA1 request, with no option for SHA2

I have however noticed Windows 10 being able to create CSR’s with all the latest cryptography and key lengths, as well as it being a breeze to process.

To get started you need to open the Certificate management console. Hit “Windows Key” + “R” and type “MMC” into the run window, now hit enter. Alternatively if you click “Start” and search for “Certificates” and click on “Manage Computer Certificates”

 

Once the certificate console has opened, expand the personal store and right click on Certificates. Click All Tasks > Advanced Operations > Create Custom Request.

 

In the window click Next

Now click Next

 

Choose Proceed without enrollment policy and click Next

 

Click Properties

 

Now enter a Friendly Name (this can be anything, but something that you can use t easily identify the certificate) and enter a description.

Click the Subject tab

Important!!!

If you fail to enter the basic information like the image on the left, your certificate request will be invalid. You must enter:

Common Name – (this is the URL)

Organisational Unit – Department

Locality – Area e.g. Westminster

State – Area e.g. London

Country – this must be the two letter abbreviation for the United Kingdom use GB

To find your 2 letter country code click here

Finally enter the Alternative name DNS. This should be exactly the same as your URL.

 

Under the Extensions tab, select Server Authentication and Client Authentication for Extended Key Usage.

 

Under Key Usage select Digital signature and Key enciphement

 

Click the Private Key tab, select 2048 for Key Options and check Make private key exportable

Under Hash Algorithm select SHA256

Click OK and Next

Save your file as a .req

Validate your CSR

That’s pretty much it. You can verify that your request file is valid by opening it, copying the data and pasting it into the Symantec Crypto Report validation site click here .

Once you receive your certificate file it MUST be imported onto the computer where the CSR file was created as the private key exists on this machine and is never transmitted within the CSR. You can then export the certificate to any machine as it’s private key was marked as exportable.