Solution ID : SO27374

Last Modified : 05/02/2018

Certificate Signing Request (CSR) Generation for Elliptic Curve Cryptography (ECC) Encryption Algorithms on Microsoft Windows 2008 Servers


This document provides instructions for generating a Certificate Signing Request (CSR) with an Elliptic Curve Cryptography (ECC) encryption algorithm on a Microsoft Windows 2008 Server.  If you are unable to use these instructions for your server, Symantec recommends that you contact Microsoft.


To generate the CSR for Microsoft Windows 2008 Servers, perform the following steps:

Part 1: Create a Snap-in for Certificates in a Microsoft Management Console

  1. Click the Start button and perform a search for MMC
  2. On the MMC window, click File > Add/Remove Snap-in
  3. Select Certificates from the left column
  4. Click Add
  5. When the Certificate Snap-in wizard appears, select Computer Account
  6. Click Next
  7. Keep Local computer selected
  8. Click Finish
  9. Confirm Certificate appears on the right column
  10. Click OK

Part 2:  Generate the CSR file from the Personal Certificate Store in MMC

  1. From the MMC window, drop down the Certificate tree
  2. Right click the Personal folder
  3. Select All Tasks > Advanced Operations > Create Custom Request
  4. On the Certificate Enrollment wizard, click Next
  5. Select Proceed without enrollment policy
  6. Click Next
  7. Under Template, select (No template) CNG key
  8. Under Request Format, select PKCS#10
  9. Click Next
  10. When the Certificate Information window appears, click the drop down arrow next to Details
  11. Click Properties
  12. Enter a Friendly Name
    NOTE:  The Friendly Name is mainly used to state a department or a fictitious name to help identify the certificate on the server.
  13. Click the Subject tab
  14. Select each field from the Type drop-down menu, enter its information in the Value field, and click the Add button when each field is completed.  Do this for the following fields:

    Common Name:  The fully-qualified domain name to which your certificate will be issued.
    Country:  Enter the two-character abbreviation of the country in which your organization resides (e.g. US).
    Locality:  Usually the city of your organization's main office, or a main office for your organization.
    Organization:  The full legal name of your company.
    Organizational Unit:  Use this field to differentiate between divisions within an organization.
    State:  Enter the full name of your state or province.
    Note: Make sure the State or Province is not abbreviated (e.g. California).
  15. Click the Private Key tab
  16. Click the drop down arrow next to Cryptographic Service Provider
  17. Uncheck the box for RSA, which is selected by default
  18. Check the box for ECDH_P256
    NOTE:  At the time this document was published, Symantec supported only the ECDH_P256 elliptic curve for Microsoft servers.
  19. Click the drop down arrow next to Key options
  20. Check the box Make private key exportable
    NOTE:  This option makes it possible to back up or export the certificate from the server.
  21. Click Apply > OK
  22. On the Certificate Enrollment wizard, click Next
  23. Click Browse
  24. From the Save-as window, navigate to a location for saving the file
  25. Enter a file name
  26. Click Save
  27. On the Certificate Enrollment wizard, select Base 64
  28. Click Finish

The CSR has now been created.  When opening the CSR file, use only a plain-text editor (e.g. Notepad or vi).
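
Before submitting the file, it is worth confirming that it really is a Base 64 PKCS#10 request carrying a P-256 key rather than the default RSA key. The following Python check is an added example, not part of the original Symantec instructions; it assumes the request encodes the key as id-ecPublicKey with a named-curve parameter, and the function names and the sample request built at the end (placeholder key and signature bytes) are constructed for illustration.

```python
import base64, re

P256_KEY = ("1.2.840.10045.2.1", "1.2.840.10045.3.1.7")  # (id-ecPublicKey, secp256r1 = NIST P-256)

def elements(buf):                             # split DER bytes into (tag, value) pairs
    pos, out = 0, []
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                      # long form: low 7 bits count the length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def oid_to_str(val):
    arcs, n = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:
        n = (n << 7) | (b & 0x7F)
        if b < 0x80:                           # last byte of this arc
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def csr_key_info(pem_text):
    """Return (key algorithm OID, named-curve OID or None) from a Base 64 PKCS#10 CSR."""
    # Windows writes "NEW CERTIFICATE REQUEST" in the header; other tools omit "NEW".
    m = re.search(r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.+?)-----END", pem_text, re.S)
    if not m:
        raise ValueError("no Base 64 PKCS#10 request found")
    req = elements(base64.b64decode("".join(m.group(1).split())))[0][1]
    info = elements(req)[0][1]                 # CertificationRequestInfo
    spki = elements(info)[2][1]                # follows version and subject
    alg = elements(elements(spki)[0][1])       # AlgorithmIdentifier fields
    curve = oid_to_str(alg[1][1]) if len(alg) > 1 and alg[1][0] == 0x06 else None
    return oid_to_str(alg[0][1]), curve

def der(tag, *parts):                          # tiny encoder, used only to build the sample
    body = b"".join(parts)
    head = bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])
    return bytes([tag]) + head + body

def sample_csr(alg_fields):                    # constructed skeleton, not a signed request
    spki = der(0x30, der(0x30, alg_fields), der(0x03, b"\x00\x04" + bytes(64)))
    info = der(0x30, der(0x02, b"\x00"), der(0x30), spki, der(0xA0))
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d040302")))
    body = base64.encodebytes(der(0x30, info, sig_alg, der(0x03, bytes(71)))).decode()
    return f"-----BEGIN NEW CERTIFICATE REQUEST-----\n{body}-----END NEW CERTIFICATE REQUEST-----\n"

EC_FIELDS = der(0x06, bytes.fromhex("2a8648ce3d0201")) + der(0x06, bytes.fromhex("2a8648ce3d030107"))
SAMPLE = sample_csr(EC_FIELDS)
```

To check a real request, pass the text of the saved file to csr_key_info and compare the result with P256_KEY; a request left on the RSA default returns the rsaEncryption OID with no curve.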