Generating Certificate Signing Requests on Windows Machines

Create a file called request_import.txt, with the following contents. The file has steps at the start of generating the CSR.

; 1. Copy template folder and create new folder which matches the common name of the certificate required
; 2. Edit the details below to match the certificate requirements
; 3. In an elevated shell, change working directory to where this file resides and run the following command
; certreq -new request_import.txt myrequest.csr
; 4. The command will output the CSR, which be uploaded to the certificate provider
; 5. Once the certificate is received, import to the computer personal store on the same computer as the certificate was generated, then export as a pfx and save in the same location as the csr

Subject = ",OU=IT Dept,O=Contoso,L=CAMBRIDGE,S=Cambridgeshire,C=GB" ; E.g. "", or "CN=*" for a wildcard certificate
Exportable = TRUE
KeyLength = 2048 ; Required minimum is 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
HashAlgorithm = SHA256

OID= ; Server Authentication
OID= ; Client Authentication
[Extensions] = "{text}"
continue = "dns=vpn.contoso.comk&"

continue = ""
continue = ""

Sometimes it is necessary to split a pfx in to certificate and private key due to software not being able to handle import of PFX files. The following will generate a private.key and certfilename.crt file from a PFX when run in powershell. This relies on OpenSSL, which is stored in the Certificates folder.

Open Powershell as an administrator Change the working directory to the location of the PFX file Run the following command to generate the private key .._OpenSSL-Win64\bin\openssl.exe pkcs12 -in *.pfx -nocerts -out private.key Run the following command to generate the certificate file .._OpenSSL-Win64\bin\openssl.exe pkcs12 -in *.pfx -clcerts -nokeys -out certfilename.crt