
Generating Certificate Requests (CSRs) on Windows

posted Apr 9, 2016, 10:39 PM by William Shallum   [ updated Apr 9, 2016, 10:41 PM ]
I use Windows. If I want to generate a CSR using OpenSSL it is easy and there are lots of guides on the Internet you can copy commands from. In fact I have done it multiple times and can probably do it from memory. But what if I want to generate a CSR using the Windows GUI tools?

Windows has decent support for using a "Certificate Enrollment Policy Server", but as this is going to be used by me to authenticate to my (Linux) VPS, that is not an option here.

  • Run certmgr.msc
  • Right-click on the Personal > Certificates folder, select All Tasks > Advanced Operations > Create Custom Request...
  • When prompted for a Certificate Enrollment Policy, select "Proceed without enrollment policy"
  • Select "No Template (CNG Key)" for key and PKCS#10 for the request format.
  • Click on the Details button then Properties to customize the requested certificate attributes like Common Name, Key Usage, Key Size, etc.
    • When specifying the subject DN, the top entry in the list box is actually the last (most specific) DN element, which is usually the Common Name. The same goes for the "Full DN" text box, where the most specific part is specified first.
    • If the certificate will be used for client authentication to strongSwan, always specify a DNS subjectAltName that matches the CN, since the EAP-TLS validator in strongSwan requires it.
  • Click Next and save the request somewhere.
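
A scripted counterpart to the GUI steps above, added here as an example and not part of the original post: it builds the same kind of request with the built-in certreq.exe (CNG key, PKCS#10, no enrollment policy) and then checks that the saved request carries a DNS subjectAltName matching the CN. The name client.example.com, the file paths, the 2048-bit key size and the key usage value are assumptions chosen for illustration.

```powershell
# Added example: all names, paths and key parameters are constructed placeholders.
$name    = 'client.example.com'   # used for both the CN and the DNS subjectAltName
$infPath = Join-Path $env:TEMP 'client-request.inf'
$reqPath = Join-Path $env:TEMP 'client-request.req'

# certreq request template. The single-quoted here-string keeps "$Windows NT$" literal.
# ProviderName selects a CNG key storage provider ("No Template (CNG Key)" in the GUI).
# KeyUsage 0xa0 = digitalSignature (0x80) + keyEncipherment (0x20), an assumed choice.
# MachineKeySet = FALSE keeps the key in the current user's store, as certmgr.msc does.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=__NAME__"
RequestType = PKCS10
ProviderName = "Microsoft Software Key Storage Provider"
KeyAlgorithm = RSA
KeyLength = 2048
KeyUsage = 0xa0
MachineKeySet = FALSE
Exportable = FALSE

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=__NAME__&"
'@
$inf = $inf.Replace('__NAME__', $name)
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Remove any stale output so certreq does not stop to ask about overwriting it.
Remove-Item -Path $reqPath -ErrorAction SilentlyContinue

# Generate the key pair and write the PKCS#10 request.
certreq.exe -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Decode the request and confirm the SAN matches the CN.
# Assumes English certutil output, where the entry is printed as "DNS Name=<value>".
$dump = certutil.exe -dump $reqPath
if (-not ($dump | Select-String -SimpleMatch "DNS Name=$name")) {
    throw "Request has no DNS subjectAltName matching CN '$name'"
}
"OK: $reqPath contains DNS subjectAltName $name"
```

The same certutil check works on a request saved from the GUI wizard: point `$reqPath` at that file and run only the last block.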