How to generate CSR from mmc

This post goes over all the steps required to create (generate) a CSR. CSR stands for Certificate Signing Request. A CSR is a text file (Base64-encoded) used in the process of obtaining a certificate, e.g. an SSL certificate (SSL itself has been phased out and the current standard is TLS; we continue to use the term SSL because it is still the more commonly used term) or a digital certificate. This encoded text file contains information about the server, device or domain for which you need a digital certificate, together with the public key of a key pair generated on that device; the matching private key never leaves the device and is not part of the CSR. One generates a CSR locally and sends it as a file to a Certificate Authority (CA). The CA, upon receiving the CSR, confirms the identity of the applicant and, upon confirmation, issues a certificate signed with the CA's own key for the identity of the entity, whether a non-person entity (server, device) or a person. This certificate can now be trusted by a third party because it was signed by a trusted CA.

Why does one require a CSR?
A CSR is required whenever you need a PKI certificate for a device, server or user. For example, an SSL certificate for a device such as a web server is used to identify the hostname/domain of that server. See below the SSL certificate for the www.amazon.com website (screenshot). The lock symbol at the left of the address bar denotes that the connection is secured by SSL/TLS, and the certificate issued by DigiCert Global CA (a Certificate Authority) validates that the web server hosting this Amazon site is indeed amazon.com. In other words, the issuing CA has certified that it issued this SSL certificate to Amazon for installation on its web server, hence you are assured of the authenticity of the website claiming to be www.amazon.com.


In summary, the purpose of creating a CSR is to obtain a new digital certificate or SSL certificate. Creating the CSR is the first step in obtaining a digital certificate. The second step is to send the CSR to a trusted Certification Authority (CA), who in turn consumes the CSR and sends the signed digital certificate back to the requester. The final step is for the requester to install this certificate on the device or server that holds the matching private key.

How to generate a CSR?
In order to get this SSL certificate, one has to send a formal request to the Certificate Authority. In this example, Amazon's IT department would have sent a request for a certificate for their www.amazon.com website. This request is sent in the form of a CSR, i.e. a Certificate Signing Request. Upon receiving the CSR, the Certificate Authority (CA) has to make sure that the request for the amazon.com web server indeed came from Amazon's IT department (for a public CA this is normally done by domain validation, i.e. proving control of the domain). Once the CA, in the above example DigiCert Global CA, has verified the authenticity of the request, it signs the certificate and sends it to the requesting entity over a secure channel. The IT folks, upon receiving the certificate, install it on their web server. Note that your end device or server, e.g. Microsoft IIS, Apache, a Windows Domain Controller, a load balancer, etc., will provide documentation on how to install the certificate.
The certificate installed on the web server serves the following purposes:

1. Ensures the identity of a remote computer
2. Proves your identity to a remote computer
3. Since it is an SSL certificate, its key pair is used in the TLS handshake to authenticate the server and establish the session keys that encrypt the data transmitted between the web server and the client's browser (the certificate itself does not encrypt the traffic)

Steps to generate a CSR
In the steps below, we will use the MMC Certificates snap-in to create a CSR in Base64 file format. MMC is the Microsoft Management Console utility with various snap-in tools; we are using the Certificates snap-in here. The Base64 format is typically identified by its header and footer lines: a CSR generated this way starts with BEGIN NEW CERTIFICATE REQUEST and ends with END NEW CERTIFICATE REQUEST (an issued certificate, by contrast, is wrapped in BEGIN CERTIFICATE / END CERTIFICATE).


Complete the following steps to create your CSR.
1. Click Start > Run.

2. Enter MMC and click OK. (Start MMC with administrator rights; otherwise the Local Computer store, and hence some of the options in the steps below, may not be available.)
This opens the Microsoft Management Console.

3. With the MMC console open, go to File > Add/Remove Snap-in.

4. Click Certificates, and select Add. 

5. Select Computer Account, and click Next.

6. Select Local Computer and click Finish

7. Click OK to close the Snap-ins window. The Certificates snap-in will now be added to the right-hand pane.

8. Double-click Certificates (local computer) to expand its view.

9. Expand the Personal folder under Certificates. Right-click Personal, then select All Tasks > Advanced Operations > Create Custom Request.

10. Click Next on the Certificate Enrollment wizard.


11. Select the option Proceed without enrollment policy then click Next to continue.

12. Under Template, select (No template) Legacy Key, and under Request format select PKCS #10. Click Next. (Legacy Key creates the key pair through a legacy Cryptographic Service Provider, which is what the Private Key tab in step 17 expects; (No template) CNG key would use a Key Storage Provider instead, which some older applications cannot use.)

13. Expand the Details section by clicking the downward arrow, then click the Properties button.


14. On the General tab, type a Friendly Name for your SSL certificate and, optionally, a Description. Click the Subject tab to continue with the next entries.


15. On the Subject tab, select Common Name in the Type drop-down list under Subject name, and type your Fully Qualified Domain Name (FQDN) in the Value field. Click Add. The CN entry then appears in the box to the right of the Add button.
 


16. Continue in the same way for the rest of the fields:

Type                  Prefix  Description                          Example
Common name           cn      Domain to be secured by certificate  testcertificate.entrust.com
Organization          o       Organization's legal business name   Entrust Inc.
Organizational Unit   ou      Department in the organization       IT
Locality              l       Business location - city             Ottawa
State                 st      Business location - state/province   Ontario
Country               c       Business location - country          CA

Note: publicly trusted CAs no longer accept an Organizational Unit in SSL/TLS server certificates (the CA/Browser Forum Baseline Requirements prohibit it since September 2022), so leave OU out unless your internal CA requires it.

SAN - Subject Alternative Names (check whether your entity certificate requires Subject Alternative Names; if it does not, skip this step.)
If Subject Alternative Names (SAN) are required on the certificate, select DNS in the Type drop-down list under the Alternative name section, type the host name (not a URL) in the Value field and click Add. Repeat until all SANs have been added. Typically there will be multiple SAN entries (as shown below). In practice a SAN is always required for an SSL certificate: current browsers ignore the Common Name and match the host name only against the SAN list, so add the CN host name as a DNS SAN as well.

Click Private Key tab to continue.

17. Click the down arrow on the Cryptographic Service Provider section to expand the list of all CSPs. Make sure only Microsoft RSA SChannel Cryptographic Provider (Encryption) is checked in this section.

18. Expand the Key Options section by clicking the down arrow at its side. The key size must be at least 2048 bits. Check Make private key exportable only if you will need to move the certificate and its key to another machine later (see the note on .pfx files below); a non-exportable key cannot be copied off the server, which is the safer default.
Note: After you select the Key Type or Key Options, you may have to go back and select the Microsoft RSA SChannel Cryptographic Provider checkbox again. Repeat the step if required.

19. Expand the Key Type section by clicking the down arrow at its side and select Exchange. Click Apply, then OK, then Next to continue. Before leaving the Private Key tab, confirm that the key size is 2048 and that Make private key exportable is set the way you intend.

20. Click the Browse button to select the location where the certificate signing request (CSR) will be saved. Type the file name and make sure Base 64 is selected. Click Finish. All steps are complete and your CSR has been generated. The private key stays in the Local Computer store of this machine (under Certificate Enrollment Requests until the issued certificate is installed); only the CSR file is sent to your trusted CA, who will in turn send you a digital certificate.
 

21. Here is a sample CSR opened and viewed with Notepad.

The above shows a CSR in Base64 format when opened in Notepad. The request begins with the line BEGIN NEW CERTIFICATE REQUEST and ends with END NEW CERTIFICATE REQUEST.
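The same CSR the wizard produces in steps 9 to 21 can be generated non-interactively with certreq.exe, which is useful when the request has to be repeatable or reviewed before it is sent. The script below is an added example written for this post, not code from the original page; the host name, subject fields, SAN list and file paths are assumptions to be replaced with your own. Run it in an elevated PowerShell session on the server that will use the certificate.

```powershell
# Added example (not from the original post): build the same kind of CSR the MMC wizard
# produces (RSA 2048, SHA-256, legacy CSP key, SAN list, PKCS #10, Base64) with certreq.exe.
# All names and paths below are placeholders (assumptions); replace them with your own.

$Fqdn    = 'www.example.com'                       # assumed Common Name
$Sans    = @('www.example.com', 'example.com')     # assumed SAN list; the CN is repeated
                                                   # here because browsers ignore the CN
$Subject = "CN=$Fqdn, O=Example Inc., L=Ottawa, S=Ontario, C=CA"   # assumed subject (no OU)
$InfPath = Join-Path $env:TEMP "$Fqdn.inf"
$CsrPath = Join-Path $env:TEMP "$Fqdn.csr"

# certreq's SAN extension syntax: one "_continue_" line per name, each ending with '&'
$SanLines = ($Sans | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"

# Single-quoted here-string so "$Windows NT$" and "{text}" are written literally;
# the __TOKENS__ are substituted afterwards.
$Inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "__SUBJECT__"
; 2048-bit RSA key, SHA-256 signature on the request (the post's "minimum 2048")
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
; Legacy (CSP) key, matching "(No template) Legacy Key" and step 17 in the wizard
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
; KeySpec 1 = AT_KEYEXCHANGE, the wizard's "Exchange" key type
KeySpec = 1
; 0xA0 = digitalSignature | keyEncipherment, the usual pair for a TLS server key
KeyUsage = 0xA0
; Computer account / Local Computer store, as in steps 5 and 6
MachineKeySet = TRUE
; Only TRUE if the key really must be moved later (see the .pfx note)
Exportable = TRUE
RequestType = PKCS10

[Extensions]
; 2.5.29.17 = subjectAltName
2.5.29.17 = "{text}"
__SANS__
'@

$Inf.Replace('__SUBJECT__', $Subject).Replace('__SANS__', $SanLines) |
    Set-Content -Path $InfPath -Encoding ASCII

# Generate the key pair in the machine store and write the Base64 PKCS #10 request
certreq.exe -new $InfPath $CsrPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# What you would see in Notepad: header and footer lines wrapping the Base64 body
$Pem = Get-Content $CsrPath
$Pem[0]      # -----BEGIN NEW CERTIFICATE REQUEST-----
$Pem[-1]     # -----END NEW CERTIFICATE REQUEST-----

# Decode and check the request before sending it: look for the Subject, the SAN list,
# the 2048-bit public key and "Signature matches Public Key" in the output
certutil.exe -dump $CsrPath

# The private key stays on this machine in the pending-request store until the issued
# certificate is installed; the CSR file holds only the public half.
Get-ChildItem Cert:\LocalMachine\REQUEST | Where-Object { $_.Subject -like "CN=$Fqdn*" }
```

Review the certutil output, in particular the SAN list and the key size, before uploading the .csr to the CA: a CSR with a wrong or missing host name will be signed exactly as submitted. Set Exportable = FALSE unless you have a concrete need to move the key.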

The final step is to send the CSR generated above to your trusted Certificate Authority, who will sign it and send you back a certificate that establishes the identity of your entity. Install that certificate on the same device that generated the CSR, because only that device holds the matching private key.

A typical case for a CSR is when you need an SSL certificate for your web server. The web server requires a certificate signed by a trusted CA. For example, see below the certificate on the Amazon website's web server. This certificate tells us the following: (1) it was issued to www.amazon.com; (2) it was issued by a Certificate Authority called DigiCert Global CA G2; (3) the Certification Path tab shows that the root CA is DigiCert Global Root G2.

 
Any computer that connects to the www.amazon.com website via SSL/TLS is presented with the identity of the web server (as asserted in the above certificate), which it can trust only if it holds the root of that chain, DigiCert Global Root G2, in its trusted root store and can validate the intermediate DigiCert Global CA G2 against it.


Note on pfx file
Windows servers use .pfx (PKCS #12) files that contain the certificate (public key) together with its associated private key. The CA, e.g. DigiCert, provides your SSL certificate file (the public half). The associated private key was generated on your server as part of creating the CSR and exists only there.
Both the certificate and the private key are needed for an SSL certificate to function. So, if you need to transfer your SSL certificate from one server to another, you must export it as a password-protected .pfx file, and that file should be handled as carefully as the private key itself.

Export Prerequisite

To create a .pfx file, the SSL certificate and its corresponding private key must be on the same computer. You may need to import the issued certificate on the computer that holds the associated private key (e.g. the server or workstation where you created the CSR) before you can successfully export it as a .pfx file. The export also requires that the private key was marked exportable when the CSR was created (step 18).
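The export described above, done from PowerShell, as an added example that is not part of the original post: it first pairs the CA's issued certificate with the pending private key, then exports both halves as a password-protected .pfx. The CN, file paths and password prompt are assumptions. Run it elevated on the machine where the CSR was generated.

```powershell
# Added example (not from the original post): install the certificate the CA sent back on
# the machine that holds the private key, then export certificate + key as a .pfx.
# CN, paths and the password prompt are placeholders (assumptions).

$Fqdn     = 'www.example.com'                     # assumed CN used in the CSR
$CertPath = Join-Path $env:TEMP "$Fqdn.cer"       # assumed: the file returned by the CA
$PfxPath  = Join-Path $env:TEMP "$Fqdn.pfx"

# Step 1: pair the issued certificate with the pending private key. certreq -accept
# matches the public key in the .cer against Cert:\LocalMachine\REQUEST and moves the
# result into the Personal (My) store. Importing the .cer any other way leaves a
# certificate without its private key, and the export below then fails.
certreq.exe -accept $CertPath
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

# Step 2: select the certificate that actually has the private key (the prerequisite
# above); pick the newest one if the host has been renewed before.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$Fqdn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $Cert) { throw "No certificate with a private key for CN=$Fqdn in LocalMachine\My" }

# Step 3: export certificate, chain and private key, encrypted with a password.
# This only works when "Make private key exportable" was ticked when the CSR was made;
# for a non-exportable key Export-PfxCertificate stops with an error instead.
$Password = Read-Host -Prompt 'Password to protect the .pfx' -AsSecureString
Export-PfxCertificate -Cert $Cert -FilePath $PfxPath -Password $Password -ChainOption BuildChain

# Treat the .pfx as the private key itself: copy it over an encrypted channel, import it
# on the target server, then delete the file from both ends. On the target:
#   Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $Password
```

If the key was created non-exportable, there is no supported way to get it out; the correct move is to generate a new CSR on the target server rather than work around the setting.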
