Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 5 Next »

Overview

Sometimes you need to export the private key for a Windows SSL certificate.  By default, certificate signing requests do not allow the private key to be exported.  This document explains how to generate a Certificate Signing Request (CSR) that will allow the private key to be exported.  CSRs with exportable keys cannot be generated from the IIS Manager–you must use the Windows certificate manager.  

Procedure

  1. Log in as an administrator
  2. From a command prompt or the run menu:
    1. To create the certificate in the local machine store (recommended):
      1. Type mmc
      2. On the File menu, click Add/Remove Snap-in.  Click Certificates in the left pane, then click Add.  
      3. Select Computer Account, then click Next.
      4. Select Local Computer, then click Finish.  
      5. Click OK.  
    2. To create the certificate in the logged on user's personal store:
      1. Type certmgr.msc
  3. In the left pane expand Certificates (Local Computer), expand  Personal, then click Certificates.  
  4. On the Action menu, click All Tasks, then click Advanced Operations, then click Create Custom Request.
  5. Click Next.
  6. Select Proceed without enrollment policy.  Click Next.
  7. In the Template menu, select (No template) CNG key
  8. Under Request Format, select PKCS #10.  Click Next.  
  9. Click the arrow next to Details to expand the selection.  Click Properties.  
  10. On the General tab, provide a Friendly name and Description for the certificate.  These can be anything you want.  
  11. On the Subject tab, in the Subject name box:
    1. In the Type menuselect Common name.  In the Value field, type the fully qualified domain name of the server (e.g. myhost.washington.edu), and click Add.  
    2. In the Type menuselect State.  In the Value field, type WA.  Click Add.
    3. In the Type menuselect Country.  In the Value field, type US.  Click Add.
  12. On the Private Key tab, expand Key Options.  
  13. In the Key size menu, select a value of at least 2048.  
  14. Check Make private key exportable.  
  15. Click OK.
  16. Click Next.
  17. Choose a file name and location for the CSR file.  Select Base 64.  Click Finish.  
  18. Submit the CSR to UW Certificate Services.  Once the certificate is signed, install it as you would any other certificate.  

Alternative

If you do this frequently, you may find it easier to install OpenSSL and generate CSRs from the command line–OpenSSL will create the private key in a separate text file with no hassle.  OpenSSL for Windows is available at:

http://slproweb.com/products/Win32OpenSSL.html

OpenSSL can also convert certificates to and from various formats.  

  • No labels