Generating a CSR
Before you can order a TLS/SSL certificate, you must first generate a CSR (Certificate Signing Request) for your server.
A CSR is an encoded file that provides you with a standardized way to send us your public key along with some information that identifies your company and domain name.
When you generate a CSR, most server software asks for the following information:
- Common Name (e.g. www.example.com),
- Organisation Name, and Location (country, state/province, city/town),
- Key type (typically RSA), and key size (2048 bit minimum).
OpenSSL is a standard command-line tool used in this process.
How do I generate a CSR for my Certificate Provider?
- Log into the server as Administrator.
- Open the Certificate Manager console
- Click Start > Search programs and files > certmgr.msc
- Open your Local Computer certificates
- Click File > Add/Remove Snap-in... > Certificates > Computer account > Next > Local computer > Finish
- Select Certificates (Local Computer) > Personal > Certificates.
- With the Personal Certificates for the Local Computer highlighted:
- Click Action > All Tasks > Advanced Operations > Create Custom Request. This will open the Certificate Enrollment wizard.
- In the Certificate Enrollment wizard:
- Read the Before You Begin screen and click Next.
- On the Select Enrollment Policy screen, under Custom Request, select Proceed without enrollment policy and click Next.
- On the Custom request screen:
- For Template, choose "(No template) Legacy key" from the drop-down menu, and leave "Suppress default extensions" unchecked.
- For Request format, select PKCS#10.
- Click Next.
- On the Certificate Enrollment screen, click Details, then click Properties. This will open a Certificate Properties dialog box.
- On the General tab:
- Enter a Friendly name and Description for your certificate.
- On the Subject tab:
- Select Common Name from the Type menu, enter your Fully Qualified Domain Name (FQDN) for the value, and click "Add >".
- Select Organization from the Type menu, enter your organization name for the value, and click "Add >".
- Select State from the Type menu, enter the abbreviation for the state you are in for the value, and click "Add >".
- Select Country from the Type menu, enter 2 letters for the country you are in for the value, and click "Add >".
- (Optional) Select Email from the Type menu, enter an email address for the value, and click "Add >".
- (Optional) Add Subject Alternative name values, if you need them.
- On the Extensions tab:
- Expand "Key usage" and add "Digital signature" to the selected options, and verify that "Make these key usages critical" is checked.
- Expand "Extended Key Usage (application policies)" and add "Server Authentication" and "Client Authentication" to the selected options, and verify that "Make the Extended Key Usage critical" is checked.
- On the Private Key tab:
- Expand Cryptographic Service provider and select "Microsoft Strong Cryptographic Provider (Signature)".
- Expand Key Options and select "2048" from the Key size drop-down menu.
- If you will need to export the certificate to use on another host, select "Make private key exportable". This will be important if you have a server cluster or you will be using the new "Central Certificate Store" option available with IIS8.
- On the General tab:
- Click OK.
- On the Certificate Information screen, click Next.
- Enter a file name for your CSR (e.g. certname.req)
- Select "Base 64" as the File Format.
- Click Finish.
If the above sequence doesn't work for you (e.g. Cryptographic Service Provider is greyed out), try the alternative methods described in the following reference articles:
Generating a Certificate Signing Request
Generating CSRs in Linux
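
As an added example (not part of the original page): the request properties chosen in the wizard steps above (RSA 2048, critical Digital Signature key usage, critical Server/Client Authentication EKU, optional Subject Alternative Names), produced with OpenSSL and then checked before the CSR is submitted. The subject values and file names are constructed placeholders, and `make_csr` and `check_csr` are hypothetical helper names.

```bash
#!/usr/bin/env bash
# Added example: all names (www.example.com, Example Org, file names) are constructed placeholders.

make_csr() {  # $1 = output directory (hypothetical helper)
  cat > "$1/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
C = US
ST = CA
O = Example Org
CN = www.example.com
[ext]
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, serverAuth, clientAuth
subjectAltName = DNS:www.example.com, DNS:example.com
EOF
  # umask keeps the unencrypted private key readable by its owner only
  ( umask 077
    openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" \
      -keyout "$1/server.key" -out "$1/certname.req" ) 2>/dev/null
}

check_csr() {  # $1 = CSR file, $2 = expected Common Name (hypothetical helper)
  text=$(openssl req -in "$1" -noout -verify -text 2>&1) || return 1
  # The self-signature shows the requester holds the matching private key
  printf '%s\n' "$text" | grep -q 'verify OK' || return 1
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "${bits:-0}" -ge 2048 ] || return 1
  # Subject formatting differs between OpenSSL versions ("CN = x" vs "CN=x")
  printf '%s\n' "$text" | grep -Eq "CN ?= ?$2(,|\$)" || return 1
  printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage: critical' \
    | grep -q 'Digital Signature' || return 1
  printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage: critical' \
    | grep -q 'TLS Web Server Authentication' || return 1
}

# Usage: d=$(mktemp -d); make_csr "$d" && check_csr "$d/certname.req" www.example.com
```

`check_csr` works equally on a Base 64 `.req` file saved by the Certificate Enrollment wizard, since both are PEM-encoded PKCS#10 requests.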