Generate SSL certificate request using Microsoft Management Console (MMC) certificates snap-in

From Notes_Wiki

Home > Windows > Windows Server 2016 > Generate SSL certificate request using Microsoft Management Console (MMC) certificates snap-in

To convert between different certificate formats you can use OpenSSL.

Generate new request to get signed by CA

To generate an SSL certificate request using the MMC Certificates snap-in:

  1. Open the Microsoft Management Console (MMC), either by opening the Run dialog and typing mmc, or by:
    1. Click Start.
    2. In the Search box, type mmc.
    3. Click mmc.exe.
  2. Click File > Add/Remove Snap-in.
  3. Click Certificates > Add > OK.
  4. Select Computer Account and click Next.
  5. Ensure Local Computer is selected, then click Finish > OK.
  6. Expand Certificates (Local Computer).
  7. Right-click Personal, then click All Tasks > Advanced Operations > Create Custom Request.
  8. In the Certificate Enrollment section, click Next.
  9. Select Proceed without enrollment policy and click Next.
  10. In the Custom Request section, select (No Template) Legacy Key in the dropdown.
  11. Ensure PKCS #10 is selected and click Next.
  12. In the Certificate Information section, click the arrow button next to Details and click Properties.
  13. In the General tab, type an appropriate friendly name.
  14. Click the Subject tab.
  15. In the Subject Name field, enter the information below.
    Note: Click Add after entering the information for each Type.
    Type = Common Name
    Value = FQDN of the View Server
    Type = Country
    Value = 2-character country code (for example: IN)
    Type = Locality
    Value = Your city (for example: Hyderabad)
    Type = Organization
    Value = Your company (for example: Rekall Software)
    Type = Organization Unit
    Value = Your department (for example: IT)
    Type = State
    Value = Full state name (for example: Telangana)
  16. After entering all the Type information, click OK.
  17. Click the Private Key tab.
    1. Under "Cryptographic Service Provider", only "Microsoft RSA SChannel Cryptographic Provider (Encryption)" should be selected; all others should be unchecked.
    2. Click Key Options > Key Size, and set the value to 2048.
    3. Click Key Options and ensure Make Private Key Exportable is selected.
    4. Under "Key Type", select "Exchange".
  18. Click OK > Next.
  19. Save the offline request at the preferred location with the desired name.
  20. Use the saved .req request file to obtain a certificate from your third-party SSL Certificate Authority (CA).
  21. Note: Most Certificate Authorities require you to open the request file in a plain text editor and copy all the text into their web page. Ensure there are no leading or trailing spaces.
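The same request the MMC steps above produce can be built non-interactively with certreq.exe from an INF file. This is an added example, not part of the original page; the subject values, friendly name and file paths are constructed placeholders, and it must run from an elevated prompt because the key is created in the Local Computer store.

```powershell
# INF equivalent of the Custom Request settings chosen in the MMC wizard.
# Single-quoted here-string so "$Windows NT$" is written literally.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=view.example.com, OU=IT, O=Rekall Software, L=Hyderabad, S=Telangana, C=IN"
FriendlyName = "View Server SSL"
; Legacy (CAPI) key rather than CNG: ProviderType 12 = PROV_RSA_SCHANNEL
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
; KeySpec 1 = AT_KEYEXCHANGE, the "Exchange" key type on the Private Key tab
KeySpec = 1
KeyLength = 2048
; "Make private key exportable"
Exportable = TRUE
; Key lives in the Local Computer store, matching "Computer Account" in MMC
MachineKeySet = TRUE
RequestType = PKCS10
HashAlgorithm = sha256
; 0xA0 = Digital Signature + Key Encipherment, the usual pair for a TLS server key
KeyUsage = 0xA0
'@

$infPath = Join-Path $env:TEMP 'view-server.inf'   # placeholder paths
$reqPath = Join-Path $env:TEMP 'view-server.req'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generates the key pair in the Local Computer store and writes the PEM request
certreq.exe -new $infPath $reqPath

# Strip leading/trailing whitespace so the text pastes cleanly into a CA web form
(Get-Content -Path $reqPath -Raw).Trim() | Set-Content -Path $reqPath -Encoding ASCII

# The pending request, with its private key, sits in the REQUEST store until the
# issued certificate is imported; this confirms the key was actually created
Get-ChildItem Cert:\LocalMachine\REQUEST |
    Where-Object { $_.Subject -like 'CN=view.example.com*' } |
    Format-List Subject, HasPrivateKey, NotAfter
```

The resulting .req file is submitted to the CA exactly as described in the following sections.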


Sign the certificate using AD CA

To sign the request using an AD CA:

  1. Log in to the AD server and open the Certificate Authority snap-in.
  2. Right-click the CA and under "All Tasks" go to "Submit new request".
  3. Browse to the request (.req) file generated above and submit it.
  4. Go to "Pending Requests"
  5. Right-click the request and go to "All Tasks" -> "Issue".
  6. Go to "Issued Certificates"
  7. Double click certificate to open it.
  8. From the "Details" tab, use "Copy to File" to download the signed (issued) certificate from the CA.


Import the signed certificate

Once the request generated above has been signed by a CA, use the following steps to import the signed certificate into the server:

  1. Download the certificate from the Certificate Authority.
    Note: Download the Tomcat version and/or P7B if available, or the certificate and the bundle, depending on how your Certificate Authority provides it.
  2. Open the MMC Certificates snap-in for the Local Computer account.
  3. Expand the Personal folder and right-click the Certificates folder, then click All Tasks > Import.
  4. In the Welcome to the Certificate Import Wizard, click Next.
  5. Browse and select the Certificate File you wish to import, then click Open.
  6. Ensure that these options are always selected when available:
    • Mark the Private Key Exportable
    • Import all Extended Properties
    • Import all Certificates in the Chain
  7. Click Next.
  8. Select Automatically select the certificate store based on the type of certificate and click Next.
  9. Complete the Certificate Import Wizard and click Finish.
    Important: Ensure there is a key icon on the new certificate. The icon indicates that the Private Key is stored in the certificate store you imported the signed certificate to. If you do not see the key icon, you are missing the private key on this certificate store.
  10. If possible, install IIS (at least temporarily; remove it later if not required) to test the SSL certificate. This validates that, apart from the certificate and private key, the root CA and other intermediates have been imported properly.
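The "key icon" check and the IIS chain test above can be done from PowerShell without installing anything. This is an added example, not from the original page; the FQDN is a constructed placeholder and the certificate is assumed to be in the Local Computer Personal store.

```powershell
$fqdn = 'view.example.com'   # placeholder

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$fqdn*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate for $fqdn in Cert:\LocalMachine\My" }

# HasPrivateKey is what the key icon in MMC represents; without it the
# signed certificate was imported into a store that never held the request's key
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key in this store"
}

# Build the chain from the machine stores (Personal, Intermediate CAs, Trusted Roots)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Offline check of the installed chain only; revocation is checked separately
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($cert)

foreach ($element in $chain.ChainElements) {
    $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $status) { $status = 'OK' }
    '{0,-60} {1}' -f $element.Certificate.Subject, $status
}
if (-not $built) {
    # PartialChain / UntrustedRoot here means an intermediate or root is missing
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation.Trim() }
}

# Same validation a TLS client would do for this host name (PKI module cmdlet)
Test-Certificate -Cert $cert -Policy SSL -DNSName $fqdn
```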


Export a signed certificate to import on another server

To export the certificate along with its private key, for import on another server:

  1. Open MMC and add the Certificates snap-in for the Local Computer account.
  2. Right-click the certificate and click All Tasks > Export.
  3. In the Welcome to the Certificate Export Wizard, click Next.
    • Select the option to export the private key.
  4. Click Next.
  5. Select these options:
    • Personal Information Exchange - PKCS #12 (.PFX)
    • Export all Extended Properties
    • Include all Certificates in the certification path if possible
  6. Type and confirm a password.
    Note: Ensure you make a note of the password you choose. It will be used when you want to import this PFX file.
  7. Click Next.
  8. Enter a file name (.pfx) in the File Name field, then click Next > Finish.
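The export steps above, and the matching import on the target server, as an added PowerShell example (not part of the original page). The FQDN and the PFX path are constructed placeholders; the password is prompted for rather than hard-coded.

```powershell
$fqdn    = 'view.example.com'          # placeholder
$pfxPath = 'C:\temp\view-server.pfx'   # placeholder

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$fqdn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $fqdn" }

$password = Read-Host -AsSecureString -Prompt 'PFX password'

# -ChainOption BuildChain is the wizard's "Include all certificates in the
# certification path"; extended properties (friendly name etc.) are included
# unless -NoProperties is given, so it is deliberately omitted here.
# The export fails if the private key was not marked exportable earlier.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password `
    -ChainOption BuildChain | Out-Null

# On the other server: -Exportable is "Mark the private key exportable" in the
# import wizard; without it the key is locked into that store and cannot be
# exported again later.
$imported = Import-PfxCertificate -FilePath $pfxPath `
    -CertStoreLocation Cert:\LocalMachine\My -Password $password -Exportable
if (-not $imported.HasPrivateKey) { throw 'Import completed without a private key' }
$imported | Format-List Subject, Thumbprint, HasPrivateKey, NotAfter
```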


Incorrect method for generation of certificate

Note that selecting "(No Template) Legacy Key" while generating the request is critical. There are wrong references, such as https://knowledge.digicert.com/solution/SO29005.html, which indicate that "(No Template) CNG Key" can be selected. This does not work with many Windows-based services (such as VMware Horizon).

Failing to select the correct "Cryptographic Service Provider" and the "Exchange" Key Type has also been observed to cause issues.

While importing and exporting, failing to mark the private key exportable or omitting the extended properties will also lead to issues.

