Open the “Certificates” snap-in in MMC by following these steps: Win+R > mmc.exe > OK > File > Add/Remove Snap-in > Certificates > Add > Computer account > Next > Local computer > Finish > OK
In the “Personal > Certificates” panel, right-click on the blank space and follow “All Tasks > Advanced Operations > Create Custom Request” to open the “Certificate Enrollment” wizard:
Make sure that the default “Proceed without enrollment policy” option is selected and click “Next”:
On the next screen, leave the pre-selected options “(No template) CNG key” and “PKCS#10” and click “Next”:
Next, open the window where the certificate request is adjusted so that the certificate is issued with the correct information and the required key type. Click the drop-down arrow on the right and then the “Properties” button.
Add a friendly name value to the appropriate field so that you can identify this request entry in future. This field is used to give a name to the certificate, which can be the domain name the certificate will be issued for or virtually any other name:
On the next tab called “Subject”, we need to add a few fields to the request and specify their values. The most essential field types that must be present in the request are:
- Common name: fully qualified domain name for which the certificate is to be issued
- Country: 2-letter country code compliant with ISO 3166. The correct code can be checked here.
- State: name of the state or region; can be the same as the city name
- Locality: city name
- Organization: company name should be specified here
NOTE: If you need to add subject alternative names to the request, you can do it in the “Alternative name” section. Select the “DNS” field type and add the domain names one by one:
The result should look similar to this:
The last tab to review in this window is “Private key”. Expand the “Cryptographic Service Provider” section. The default option here is the “RSA” algorithm, which is the industry standard today, although you can opt for “ECDSA” (if you need to issue an ECC certificate) by checking one of the corresponding entries:
In the “Key options” section, if the RSA algorithm is used, make sure that “Key size” is set to at least 2048 bits.
NOTE: Certificates based on a key smaller than 2048 bits are considered insecure, and trusted Certificate Authorities no longer issue them.
If you plan to export the certificate, for example, for the installation on another instance, it is required to check the “Make private key exportable” option:
Now click “OK” to continue.
The last screen of the “Certificate Enrollment” wizard requires us to specify the name of the file the CSR code will be saved into and its location in the file system. Also, make sure that “File Format” is set to “Base64”. Then click the “Finish” button to initiate the private key and CSR generation with the attributes we have set just now:
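The same request can be produced without the wizard by using certreq.exe with an INF file. The script below is an added example, not part of the original guide; the domain names, subject values and file paths are constructed placeholders, and each INF setting is mapped to the wizard tab it mirrors.

```powershell
# Added example: all names, subject values and paths are constructed placeholders.
# Run from an elevated PowerShell prompt, because the key is created in the
# computer store (the "Computer account" choice made in the snap-in).
$inf = Join-Path $env:TEMP 'request.inf'
$csr = Join-Path $env:TEMP 'request.csr'

# Single-quoted here-string so that "$Windows NT$" is written literally.
@'
[Version]
Signature = "$Windows NT$"

[NewRequest]
; "Subject" tab: Common name, Organization, Locality, State, Country
Subject = "CN=www.example.com, O=Example Ltd, L=Springfield, S=Illinois, C=US"
; "General" tab: friendly name
FriendlyName = "www.example.com"
; "Private key" tab: CNG provider, algorithm and key size (at least 2048 for RSA)
ProviderName = "Microsoft Software Key Storage Provider"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = SHA256
; Set to TRUE only if the certificate must be exported to another instance
Exportable = FALSE
; Store the key in the Local Computer store, not the current user store
MachineKeySet = TRUE
; "(No template) CNG key" with the PKCS#10 request format
RequestType = PKCS10

[Extensions]
; "Alternative name" section: one dns= entry per domain name
2.5.29.17 = "{text}"
_continue_ = "dns=www.example.com&"
_continue_ = "dns=example.com&"
'@ | Set-Content -Path $inf -Encoding ASCII

# Generate the private key and write the Base64 PKCS#10 request.
certreq.exe -new $inf $csr
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Decode the request and review subject, key length and alternative names
# before sending it to the Certificate Authority.
certutil.exe -dump $csr
```

The pending request created this way appears under “Certificate Enrollment Requests” in the same Certificates snap-in.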