Create the CSR (MMC)

Last Updated: May 16, 2023

If the selected CA provides instructions or utilities to generate CSRs using Microsoft tools, those can be used in preference to the following steps, provided they produce a CSR of the correct format and content. Any question on format or content should be clarified with the CA.

The following steps cover use of the Microsoft Management Console Certificates snap-in to generate a CSR and process the signed identity certificate. The identity certificate will reside in the Local Machine Personal certificate store and will not be active on any machine interface by default.

  1. All steps must be carefully followed to avoid errors.

  2. Further information on the snap-in and certificate operations can be found at: https://technet.microsoft.com/en-us/library/cc771157.aspx

  3. Ensure all naming information has been identified (Common name, Alternate subject names, organization details and so on).

  4. You must be logged in and run the console session as administrator.

  5. To open the Microsoft Management Console (MMC):

    1. Click Start.

    2. In the Search box, type mmc.

    3. Click mmc.exe.

  6. Click File > Add/Remove Snap-in.

  7. Click Certificates > Add > OK.

  8. Select Computer Account and click Next.

  9. Select Local Computer, click Finish, then click OK.

  10. Expand Certificates (Local Computer).

  11. Right-click Personal, then click All Tasks > Advanced Operations > Create Custom Request.

  12. Click Next.

  13. Select Proceed without enrollment policy and click Next.

  14. Select (No Template) Legacy Key.

  15. Select PKCS #10 and click Next.

  16. In the Certificate Information section, click the arrow button next to Details and click Properties.

  17. On the General tab, type the domain name of the certificate in the Friendly Name field.

  18. On the Subject tab, in the Subject Name field, enter the information below, clicking Add after entering each type:

    Type              | Value                        | Notes
    Country           | Country Name (2-letter code) | The Country Name is a 2-letter code defined by ISO (https://www.iso.org/obp/ui/#home; select Country codes and click Search). For example, US
    State             | State or Province name       | Do not abbreviate
    Locality          | Locality name                | For example, City
    Organization      | Organization name            | For example, Company Name
    Organization Unit | Section/Department name      | For example, IT
    Common Name       | FQDN of server               | For example, www.example.com
    Email             | Contact email address        | For example, contact@example.com

  19. Any entries not required (for example, Organizational Unit Name) or not requested by the CA should not be added.

  20. If the CSR is for a multi-domain/SAN certificate, in the Alternative Name field, enter the information below, clicking Add after entering each type:

    Type             | Value         | Notes
    DNS              | DNS SAN entry | The first Alternative Name entry should be DNS with the same value as the Common Name.
    URL              | URI SAN entry | For example: sip:example.com
    IP address (v4)  | IP SAN entry  | For example: 192.168.0.42. IP address entries are not recommended.

  21. On the Extension tab, select Key usage.

  22. Select Non repudiation, Digital signature, Key encipherment, and Data encipherment, clicking Add after selecting each option.

  23. Unselect Make these key usages critical.

  24. On the Extension tab, select Extended Key Usage.

  25. Select Server Authentication and Client Authentication, clicking Add after selecting each option.

  26. Unselect Make the Extended Key Usage critical.

  27. On the Private Key tab, expand Cryptographic Service Provider and select only Microsoft Strong Cryptographic Provider (Encryption).

  28. On the Private Key tab, expand Key type and select Exchange.

  29. On the Private Key tab, expand Key options and set Key size to 2048.

  30. Select Make Private Key Exportable. Note: This step is important.

  31. If presented, expand Select Hash Algorithm and set Hash Algorithm to sha256.

  32. Review all entries; check that Key options > Key size is still set to 2048.

  33. Click OK then Next.

  34. Enter the filename (for example, yourdomain) and location to save the CSR to. Ensure Base 64 is selected. Click Finish.

  35. Open the CSR file (yourdomain.req) in a text editor and copy all of the text, including the BEGIN and END lines.

  36. Go to the CA and follow its instructions to paste the full CSR into its SSL enrollment form. If asked, the server software used to generate the CSR can be specified as Microsoft or Microsoft IIS 7. If asked, select SHA-256 as the hash algorithm. Do not use SHA-1.
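The same request can be produced from an elevated PowerShell session with certreq.exe, which is one of the Microsoft utilities the introduction allows, and the resulting file can be decoded with certutil.exe so that the subject, SAN list, key length, key usage and hash algorithm can be checked before the CSR is pasted into the CA's form. The script below is an added example, not part of the original walk-through; the domain, subject values and file paths are placeholders, and the INF mirrors the settings chosen in the MMC steps above (Exchange key, 2048-bit, exportable, Local Machine store, Microsoft Strong Cryptographic Provider, SHA-256, the four key usages, Server and Client Authentication, DNS SANs).

```powershell
# Added example: build a CSR with certreq.exe using the same settings as the MMC walk-through,
# then decode it with certutil.exe for review. Run as administrator (the key lands in the
# Local Machine store). All names and subject values below are placeholders.

$domain  = 'www.example.com'                        # assumption: Common Name and first DNS SAN
$infPath = Join-Path $env:TEMP "$domain.inf"
$csrPath = Join-Path $env:TEMP "$domain.req"

# certreq INF. Semicolons start comments. KeyUsage 0xF0 is the OR of
# Digital Signature (0x80), Non Repudiation (0x40), Key Encipherment (0x20), Data Encipherment (0x10).
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$domain, OU=IT, O=Company Name, L=City, S=State, C=US, E=contact@example.com"
FriendlyName = "$domain"
RequestType = PKCS10
ProviderName = "Microsoft Strong Cryptographic Provider"
ProviderType = 1
KeySpec = 1                  ; 1 = AT_KEYEXCHANGE, the "Exchange" key type
KeyLength = 2048
Exportable = TRUE            ; matches "Make Private Key Exportable"
MachineKeySet = TRUE         ; Local Machine store, not the current user
HashAlgorithm = sha256
KeyUsage = 0xF0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1      ; Server Authentication
OID = 1.3.6.1.5.5.7.3.2      ; Client Authentication

[Extensions]
2.5.29.17 = "{text}"         ; Subject Alternative Name
_continue_ = "dns=$domain&"
_continue_ = "dns=example.com&"
"@

Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generate the key pair and the Base64 PKCS#10 request file.
certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq.exe failed with exit code $LASTEXITCODE" }

# Decode the request and review it before submission. In the output, confirm the Subject line,
# each DNS Name under the Subject Alternative Name extension, "Public Key Length: 2048 bits",
# the sha256RSA signature algorithm, and the four key usages. Also confirm that neither Key Usage
# nor Enhanced Key Usage is flagged critical, as the MMC steps leave both unchecked.
certutil.exe -dump $csrPath

# The file contents are what gets pasted into the CA's enrollment form, BEGIN/END lines included.
Get-Content -Path $csrPath
```

If the decoded output differs from what was intended (for example, a 1024-bit key or a missing SAN), delete the pending request from Certificate Enrollment Requests in the snap-in, correct the INF, and run certreq.exe again rather than submitting a CSR that the CA would reject or, worse, sign with weaker parameters than planned.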