Creating a Certificate Signing Request using Windows 10
Creating Certificate Signing Requests (CSRs) can be a daunting task, and you don’t want to get it wrong as it can cost you, literally. Many administrators head over to IIS and create a request using the IIS management console. This will of course work, but you may end up creating a SHA1 request, with no option for SHA2.
I have however noticed Windows 10 being able to create CSRs with all the latest cryptography and key lengths, as well as it being a breeze to process.
To get started you need to open the Certificate management console. Hit “Windows Key” + “R”, type “MMC” into the Run window and hit Enter. Alternatively, click “Start”, search for “Certificates” and click “Manage Computer Certificates”.
Once the certificate console has opened, expand the personal store and right click on Certificates. Click All Tasks > Advanced Operations > Create Custom Request.
In the window click Next
Now click Next
Choose Proceed without enrollment policy and click Next
Click Properties
Now enter a Friendly Name (this can be anything, but something that you can use to easily identify the certificate) and enter a description.
Click the Subject tab
Important!!!
If you fail to enter the basic information like the image on the left, your certificate request will be invalid. You must enter:
Common Name – (this is the URL)
Organisational Unit – Department
Locality – Area e.g. Westminster
State – Area e.g. London
Country – this must be the two-letter abbreviation; for the United Kingdom use GB
To find your 2 letter country code click here
Finally enter the Alternative name DNS. This should be exactly the same as your URL.
Under the Extensions tab, select Server Authentication and Client Authentication for Extended Key Usage.
Under Key Usage select Digital signature and Key encipherment
Click the Private Key tab, select 2048 for Key Options and check Make private key exportable
Under Hash Algorithm select SHA256
Click OK and Next
Save your file as a .req
Validate your CSR
That’s pretty much it. You can verify that your request file is valid by opening it, copying the data and pasting it into the Symantec Crypto Report validation site (click here).
Once you receive your certificate file, it MUST be imported onto the computer where the CSR file was created, as the private key exists on this machine and is never transmitted within the CSR. You can then export the certificate to any machine, as its private key was marked as exportable.
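The same request can be produced and checked from PowerShell with the built-in certreq.exe and certutil.exe tools instead of the MMC wizard. This is an added example, not part of the original walkthrough; the host name, file paths and subject values are placeholders, and the certutil output strings it looks for are assumed to be those printed on English-language Windows.

```powershell
# Added example: $fqdn, the paths and the OU/L/S/C values are placeholders.
# Run elevated: MachineKeySet=TRUE creates the key in the computer store.
$fqdn = 'www.example.com'
$inf  = Join-Path $env:TEMP 'request.inf'
$req  = Join-Path $env:TEMP 'request.req'

@"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$fqdn, OU=Department, L=Westminster, S=London, C=GB"
FriendlyName = "$fqdn web certificate"
KeyLength = 2048
HashAlgorithm = SHA256
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
; 0xA0 = Digital signature (0x80) + Key encipherment (0x20)
KeyUsage = 0xA0
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication
OID = 1.3.6.1.5.5.7.3.2 ; Client Authentication

[Extensions]
; 2.5.29.17 = Subject Alternative Name, same value as the Common Name
2.5.29.17 = "{text}"
_continue_ = "dns=$fqdn&"
"@ | Set-Content -Path $inf -Encoding ASCII

certreq.exe -new $inf $req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Inspect the request locally before sending it to the CA.
$dump = certutil.exe -dump $req | Out-String
$expect = [ordered]@{
    'SHA256 signature (sha256RSA OID)' = '1.2.840.113549.1.1.11'
    '2048-bit public key'              = 'Public Key Length: 2048 bits'
    'SAN DNS entry'                    = "DNS Name=$fqdn"
}
foreach ($name in $expect.Keys) {
    if ($dump -notlike "*$($expect[$name])*") { Write-Warning "Not found in request: $name" }
}

# When the CA returns the certificate, install it on this same machine:
# certreq.exe -accept C:\path\to\issued.cer
```

Checking the request with certutil keeps the CSR contents on the machine that holds the private key.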
Kam is an Azure and Microsoft Modern Desktop Certified Administrator and Udemy Instructor. He is a solution architect and has served clients ranging from educational, private and government establishments in the UK. Kam has worked within the IT industry for the last 7 years building his experience over a variety of products such as DirectAccess, Always On VPN, SCCM, Hyper-V and now focusing on Azure and Modern Desktop/Mobile Device Management.