How to request custom certificates using the MMC snap-in

A common misunderstanding is that creating a certificate signing request (CSR) requires IIS Manager or the Exchange Admin Center. On any Windows computer you can use the Certificates MMC snap-in to create custom certificate signing requests, for example a SAN certificate for a web server (server authentication).

First open the Certificates MMC snap-in:

  1. Log on to any Windows computer, with an account that is a member of the local Administrators group.
  2. Click Start.
  3. In the Search programs and files box, type mmc.exe, and press ENTER.
  4. On the File menu, click Add/Remove Snap-in or use the shortcut Ctrl+M.
  5. In the list of available snap-ins, click Certificates, and then click Add.
  6. Click Computer account, and click Next.
  7. Click Local computer, and click Finish.
  8. Click OK.
  9. In the console tree, double-click Certificates (Local Computer), and then double-click Personal.

After you have added the Certificates snap-in for the local computer store, you can create a custom certificate request:

Right-click Personal, point to All Tasks, select Advanced Operations and click Create Custom Request.

The Certificate Enrollment wizard now starts.

On the Before You Begin page, click Next.

On the Select Certificate Enrollment Policy page, select Custom Request (Proceed without enrollment policy) and click Next.

On the Custom Request page, under Template, select (No template) Legacy key and select the PKCS #10 request format option.

NOTE:
A range of systems and services do not support keys stored by CNG (Cryptography API: Next Generation) key storage providers and require the certificate's private key to be held by a legacy CSP. Choosing (No template) Legacy key here creates such a key; choosing CNG key instead produces a certificate that these products will refuse even though it looks identical in the store.

Examples:

ADFS:
AD FS 2.0 does not accept a service communications certificate whose private key is stored in a CNG key storage provider.

TMG:
Forefront TMG does not support the use of certificates created using CNG-based templates for Web listeners or as client certificate authentication in Web publishing or Web chaining rules.

Microsoft Support statement on Forefront Threat Management Gateway (TMG):
https://technet.microsoft.com/en-us/library/ee796231.aspx#dfg9o9i8uuy6tre

On the Certificate Information page, click Details and then Properties.

Enter the Friendly name for the certificate and select the Subject tab.

On the Subject tab, add the relevant Subject name (Common name = the primary host name) and the Alternative names (type DNS, one entry per host name the certificate must cover). Add the primary host name as a DNS alternative name as well: current browsers ignore the Common name and only match the host name against the Subject Alternative Name extension.

Most public CAs require additional subject fields in the certificate request, including Country, Locality, Organization, Organizational Unit and State.

Standard SAN certificate: Common name for the primary host name plus DNS alternative names for each additional host name (screenshot in the original).

UM certificate: the same layout, with the Unified Messaging host names as DNS alternative names (screenshot in the original).

Wildcard certificate: Common name and DNS alternative name both of the form *.example.com (example name; screenshot in the original).

On the Extensions tab:

Select Key Usage and add Data encipherment, Digital signature and Key encipherment. For a TLS server certificate, Digital signature and Key encipherment are the two that matter; Data encipherment is unused but harmless.

Select Extended Key Usage (application policies) and add Server Authentication, plus Client Authentication if the certificate will also be presented as a client certificate (for example in TMG Web chaining or server-to-server authentication).

On the Private Key tab:

Under Key options, set Key size to 2048 (or higher). Enable Make private key exportable only if you actually need to move the certificate and key to another computer (for example a second node behind a load balancer); an exportable key can be copied out of the store by any local administrator, so leave the option disabled when the key will only ever be used on this machine.

Under Key type, select Exchange. With a legacy CSP this is the AT_KEYEXCHANGE key specification (the key may be used for key exchange and encryption, which RSA key transport in TLS needs); it has nothing to do with Microsoft Exchange Server.

NOTE
If you switch to another tab at this point without first clicking Apply, the Key size value reverts to the default (1024), which public CAs no longer accept.

Click OK to go back to the wizard page and click Next.

Enter the full path to save the request file, ensure that File format is set to Base 64, and click Finish.

After finishing the wizard, you have a Base64-encoded PKCS #10 certificate signing request (CSR) that you can forward to an external or internal certificate authority for signing. The CSR contains the subject, the requested extensions and the public key, and it is signed with the private key; the private key itself is not included, so there is no risk of compromising it while the request is in transit. The private key stays in the local computer's Certificate Enrollment Requests store as a pending request until the issued certificate is installed.
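The same request can be produced from the command line, which is easier to repeat and to review than the wizard. The following is an added example (not part of the original post): an INF file for certreq.exe that mirrors every wizard choice above, followed by a dump of the resulting CSR so you can confirm what you are about to send to the CA. The host names, organization fields and file paths are assumptions; replace them with your own.

```powershell
# Added example: scripted equivalent of the "Create Custom Request" wizard.
# All names, subject fields and paths below are assumed values.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
; Subject fields most public CAs expect (assumed values)
Subject = "CN=www.example.com, OU=IT, O=Example Ltd, L=Copenhagen, S=Capital Region, C=DK"
FriendlyName = "www.example.com (SAN)"
KeyLength = 2048
; KeySpec = 1 is AT_KEYEXCHANGE, the wizard's "Key type: Exchange"
KeySpec = 1
; Legacy CSP rather than a CNG KSP, matching "(No template) Legacy key"
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
; Key usage bits: 0x80 Digital signature + 0x20 Key encipherment + 0x10 Data encipherment
KeyUsage = 0xB0
; Set to FALSE unless the key really has to be moved to another computer
Exportable = TRUE
MachineKeySet = TRUE
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
; 1.3.6.1.5.5.7.3.1 = Server Authentication, 1.3.6.1.5.5.7.3.2 = Client Authentication
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2

[Extensions]
; 2.5.29.17 = Subject Alternative Name; one dns= entry per host name, '&' separated
2.5.29.17 = "{text}"
_continue_ = "dns=www.example.com&"
_continue_ = "dns=example.com&"
_continue_ = "dns=mail.example.com"
'@

$infPath = Join-Path $env:TEMP 'www-example-com.inf'
$csrPath = Join-Path $env:TEMP 'www-example-com.req'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generates the 2048-bit key pair in the local machine store and writes a
# Base64 PKCS #10 request to $csrPath. Run from an elevated prompt.
certreq.exe -new $infPath $csrPath

# Inspect the request before sending it: subject, SAN, key usage, EKU, the
# public key and the self-signature. There is no private key in this file.
certutil.exe -dump $csrPath

# The pending request and its private key now live in the
# Certificate Enrollment Requests store of this computer.
Get-ChildItem Cert:\LocalMachine\REQUEST |
    Format-Table Subject, Thumbprint, HasPrivateKey -AutoSize
```

If certutil's dump does not show the SAN entries or shows a 1024-bit key, fix the INF and rerun before submitting; the CA will sign whatever it receives, and a request with the wrong names costs a reissue.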

After processing your request, the CA issues the certificate. Import it into the local computer store on the same computer where the request was created, otherwise there is no pending private key to pair it with. The pending request is then completed and you have a valid SAN certificate with an associated private key, ready for deployment on your web site or service.
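Installing the issued certificate and checking that it actually paired with the pending key is where most "no private key" problems surface. The following added example (not part of the original post) completes the enrollment with certreq.exe and then verifies the private key, the SAN and key usage extensions, and whether the key sits in a legacy CSP, which is what the products named in the note above require. The file name and host name are assumptions; the legacy-CSP check relies on Windows PowerShell 5.1 / .NET Framework behaviour, where GetRSAPrivateKey returns an RSACryptoServiceProvider for CSP keys and an RSACng for CNG keys.

```powershell
# Added example: accept the CA-issued certificate and verify the result.
# $issuedCert and the host name are assumed values.
$issuedCert = Join-Path $env:TEMP 'www-example-com.cer'   # file returned by the CA

# -accept pairs the issued certificate with the pending private key and moves it
# from Certificate Enrollment Requests into Personal (Cert:\LocalMachine\My).
# It must run on the computer that created the request.
certreq.exe -accept $issuedCert

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=www.example.com*' } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw 'Certificate not found in Cert:\LocalMachine\My'
}
if (-not $cert.HasPrivateKey) {
    throw 'Certificate has no private key; accept it on the computer that created the request'
}

# Legacy CSP vs CNG (Windows PowerShell 5.1 / .NET Framework): the RSA object type
# tells you which provider family holds the key. Treat this as a heuristic and use
# the certutil output below as the authoritative answer.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$isLegacyCsp = $rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]

$san      = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$keyUsage = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }

[pscustomobject]@{
    Subject      = $cert.Subject
    Thumbprint   = $cert.Thumbprint
    NotAfter     = $cert.NotAfter
    KeySizeBits  = $rsa.KeySize
    SanEntries   = if ($san) { $san.Format($false) } else { '(none)' }
    KeyUsage     = if ($keyUsage) { $keyUsage.Format($false) } else { '(none)' }
    LegacyCspKey = $isLegacyCsp
}

# Authoritative view: shows the key container, the provider name
# ("Microsoft RSA SChannel Cryptographic Provider" for a legacy CSP key)
# and runs chain verification against the installed root and intermediate CAs.
certutil.exe -store My $cert.Thumbprint
```

If LegacyCspKey is false, the request was created with the CNG key option rather than Legacy key; ADFS 2.0 and TMG will reject the certificate, and the only fix is to create a new request with a legacy key and have it reissued.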
