This document is deprecated. Up-to-date instructions are available at:
Purpose
This page describes how to obtain a certificate on Windows 2008 without using IIS Manager. The instructions have been tested using Windows Server 2008 R2. The version of certmgr.msc supplied with Windows 2003 is different and these instructions do not apply.
Instructions
Generate a new private key and certificate signing request (CSR)
- Log in as Administrator.
- Open the Certificate Manager console (click Start > Search programs and files > certmgr.msc).
- Open your Local Computer certificates (click File > Add/Remove Snap-in... > Certificates > Computer account > Next > Local computer > Finish).
- Select Certificates (Local Computer) > Personal > Certificates.
- With the Personal Certificates for the Local Computer highlighted, click Action > All Tasks > Advanced Operations > Create Custom Request. This will open the Certificate Enrollment wizard.
- In the Certificate Enrollment wizard:
- Read the Before You Begin screen and click Next.
- On the Select Enrollment Policy screen, under Custom Request, select Proceed without enrollment policy and click Next.
- On the Custom request screen
- For Template, choose "(No template) Legacy key" from the drop-down menu, and leave "Suppress default extensions" unchecked.
- For Request format, select PKCS#10.
- Click Next.
- On the Certificate Enrollment screen, click Details, then click Properties. This will open a Certificate Properties dialog box.
- On the General tab, enter a Friendly name and Description for your certificate.
- On the Subject tab
- Select Common Name from the Type menu, enter your fully qualified DNS name for the value, and click "Add >".
- Select Organization from the Type menu, enter "University of Washington" for the value, and click "Add >".
- Select State from the Type menu, enter "WA" for the value, and click "Add >".
- Select Country from the Type menu, enter "US" for the value, and click "Add >".
- Optionally, select Email from the Type menu, enter an email address for the value, and click "Add >".
- Optionally, add Subject Alternative name values, if you need them.
- On the Extensions tab
- Expand "Key usage" and add "Digital signature" to the selected options, and verify that "Make these key usages critical" is checked.
- Expand "Extended Key Usage (application policies)" and add "Server Authentication" and "Client Authentication" to the selected options, and verify that "Make the Extended Key Usage critical" is checked.
- On the Private Key tab
- Expand Cryptographic Service Provider and select "Microsoft Strong Cryptographic Provider (Signature)" and "Microsoft RSA SChannel Cryptographic Provider (Encryption)".
- Expand Key Options and select "2048" from the Key size drop-down menu.
- If you will need to export the certificate to use on another host, select "Make private key exportable". This will be important if you have a server cluster or you will be using the new "Central Certificate Store" option available with IIS8.
- Click OK.
- On the Certificate Information screen, click Next.
- Enter a file name for your CSR (e.g. certname.req)
- Select "Base 64" as the File Format.
- Click Finish.
Submit the CSR and retrieve the certificate
- Submit the CSR to UW Certificate Services at https://iam-tools.u.washington.edu/cs/
- Select "New InCommon certificate" if you need an SSL certificate for a web server or other device. Detailed instructions are available.
- Select "New UWCA certificate" if you need a certificate for client authentication to infrastructure such as web services or directories. Detailed instructions are available.
- For either set of instructions you will need to paste your CSR into a web form. To do this, open your CSR file (i.e. the certname.req file you saved above) in a text editor, then copy its contents and paste them into the CSR text box on the web form.
- Retrieving and saving the certificate
- Once your certificate has been signed you will be notified via email. Follow the link in the email to be directed to your certificate.
- Click on the "Get PKCS7" button. See note in step #19 of these instructions for help with saving your certificate to a file.
- Save the file in the same location as your CSR (certname.req). Windows normally uses the .p7b extension for PKCS7 formatted files (i.e. certname.p7b), but you can also use the extensions .cer and .pkcs7.
Import certificate into the certificate store
- To install the certificate into a service account's certificate store:
- Open a command prompt as the service account
- Run "certreq -accept -user certname.p7b" (substitute the name of the PKCS7 file you saved).
- To install the certificate into the local machine certificate store:
- Open a command prompt as an administrator
- Run "certreq -accept -machine certname.p7b" (substitute the name of the PKCS7 file you saved).
- If Windows fails to match the certificate with its corresponding private key during import, follow these instructions.
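The same request the wizard above builds (2048-bit RSA under the legacy RSA SChannel CSP, Digital Signature key usage, Server and Client Authentication EKUs, exportable key in the Local Computer store, Base-64 PKCS#10 output) can be produced non-interactively with certreq.exe and an INF file, which is easier to repeat across a cluster. This is an added example, not part of the original page; the host name, file names, friendly name and the SHA-256 hash setting are assumptions you should adjust, and the wizard's "critical" flags on the extensions are not reproduced here.

```powershell
# Added example: build the CSR from an INF file instead of the certmgr.msc wizard.
# Run from an elevated PowerShell prompt so the key lands in the Local Computer store.
$HostName = 'myhost.example.washington.edu'   # placeholder FQDN (assumption)
$InfFile  = Join-Path $PWD 'certname.inf'
$ReqFile  = Join-Path $PWD 'certname.req'     # Base-64 PKCS#10, as the wizard saves it

$Inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$HostName, O=University of Washington, S=WA, C=US"
FriendlyName = "$HostName server certificate"
; Legacy CSP, matching "(No template) Legacy key" + RSA SChannel (Encryption)
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
KeySpec = 1               ; AT_KEYEXCHANGE
KeyLength = 2048
Exportable = TRUE         ; "Make private key exportable"; set FALSE if not needed
MachineKeySet = TRUE      ; Local Computer store rather than the user store
RequestType = PKCS10
KeyUsage = 0x80           ; Digital Signature only, as selected in the wizard
HashAlgorithm = sha256    ; assumption: not set in the wizard, but SHA-1 CSRs are rejected by current CAs

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1   ; Server Authentication
OID = 1.3.6.1.5.5.7.3.2   ; Client Authentication

[Extensions]
; Subject Alternative Name: repeat the CN, append further "dns=...&" lines as needed
2.5.29.17 = "{text}"
_continue_ = "dns=$HostName&"
"@

Set-Content -Path $InfFile -Value $Inf -Encoding ASCII

# Generate the key pair and write the CSR; the pending request is kept in the
# Local Computer store until certreq -accept binds the signed certificate to it.
& certreq.exe -new $InfFile $ReqFile
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
Write-Host "CSR written to $ReqFile; paste its contents into the UW Certificate Services form."

# After saving the signed PKCS7 (certname.p7b) next to the CSR, complete the import
# exactly as in the "Import certificate" step above:
#   & certreq.exe -accept -machine (Join-Path $PWD 'certname.p7b')
```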