The process of applying for and issuing PKI (Public Key Infrastructure) certificates
The process of applying for and issuing PKI certificates does not depend on any particular technology. It follows this pattern:
- A public and private key pair is generated to represent the identity.
- A "Certificate Signing Request" (CSR) is generated from the public key and some information about the identity.
- The certificate authority uses information from the CSR, its own public key, authorization information, and a "signature" generated with its own private key to create a certificate.
The details of these steps vary between implementations. The step to focus on here is issuance; you do not need any further details. There is a specific process for issuing a certificate: every certificate authority has a process that determines whether or not you will be issued a certificate.
Creating a Certificate Signing Request using MMC
Enrollment through MMC offers a high level of flexibility. You can request certificates for yourself, your own computer, or another entity. Requesting certificates with MMC works on all Windows and Windows Server versions; the only requirement is a graphical user interface.
Please open the command console!
- Please start the Microsoft Management Console (MMC) by searching for MMC in the Windows search or from the command console (CMD).
- Click on "File" and navigate to "Add/Remove Snap-in...".
- Choose "Certificates" and confirm by clicking "Add".
- Choose an object type for your certificate. "My user account" is the account under which the MMC runs. If you choose it, the wizard closes. Please choose "Computer account".
If you choose "Service account" or "Computer account", the wizard switches to the computer selection. If you choose a computer other than your local computer, the snap-in shows that computer's certificate stores and saves all changes to them.
In the next step, choose "Local computer". Confirm by clicking "Finish" and then "OK".
If you chose "Service account", you will receive a list of services from which you can choose.
- Double-click "Certificates (Local Computer)" to expand the view. Right-click "Personal", then select "All Tasks" --> "Advanced Operations" --> "Create Custom Request".
- The wizard window now appears. Please click "Next" to continue.
- Select the template "(No template) Legacy key" and the request format "PKCS#10". Confirm the selections by clicking "Next".
- Expand the view by clicking "Details", then click "Properties".
Choose a name and a description.
- Navigate to the "Subject" tab and, in the "Subject name" section, choose "Common Name" from the drop-down list. Enter your domain in the "Value" text box and confirm by clicking "Add".
Specify further details such as:
Organization/O = Company, Organization Unit/OU = Department, Locality/L = Location, State/ST = State, Country/C = Country.
If Subject Alternative Names (SAN) are required for the certificate, select "DNS" under "Type" in the "Alternative name" section.
- On the "Private Key" tab, expand the view by clicking "Cryptographic Service Provider". Only "Microsoft RSA Schannel Cryptographic Provider (Encryption)" should be selected.
- Expand the view by clicking "Key options". The key length should be at least 2048 bits. Please make sure that "Make private key exportable" is checked.
- Expand the view by clicking "Key type", choose "Exchange", and confirm by clicking "Apply" and then "OK".
- Now you can choose what to name the certificate request and where to save it.
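The same request can be scripted with certreq.exe instead of clicking through the wizard. The PowerShell below is an added example, not part of the original procedure; the domain names, subject values and file names are placeholders, and the INF settings are mapped to the wizard choices described above.

```powershell
# Added example: scripted equivalent of the MMC "Create Custom Request" steps.
# Placeholders (assumptions): example.com, www.example.com, subject values, file names.
# Run from an elevated prompt, because MachineKeySet stores the key for the computer.

$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
; "Subject" tab: CN, OU, O, L, state (S in certreq syntax), C (two-letter code)
Subject = "CN=example.com, OU=Department, O=Company, L=Location, S=State, C=US"
FriendlyName = "example.com"
; Object type "Computer account" on the local computer
MachineKeySet = TRUE
; "Private Key" tab: Schannel CSP, 2048-bit key, key type "Exchange"
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
KeyLength = 2048
KeySpec = 1
; Mirrors "Make private key exportable"; use FALSE if the key never has to leave this host
Exportable = TRUE
; Request format PKCS#10
RequestType = PKCS10

[Extensions]
; Subject Alternative Name (OID 2.5.29.17), type DNS
2.5.29.17 = "{text}"
_continue_ = "dns=example.com&"
_continue_ = "dns=www.example.com&"
'@

$infPath = Join-Path $env:TEMP 'example-request.inf'
$csrPath = Join-Path $env:TEMP 'example-request.csr'
Set-Content -Path $infPath -Value $inf -Encoding Ascii
Remove-Item -Path $csrPath -ErrorAction SilentlyContinue

# Generates the key pair and writes the PKCS#10 request file
certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Review the request before sending it to the CA: subject, key length,
# DNS names in the SAN extension, and the signature check at the end of the dump
certutil.exe -dump $csrPath
```

The private key stays on the machine; only the .csr file is sent to the certificate authority.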