Tags: csr, code-signing-certificate, spc

Generating a Certificate Signing Request using the Management Console


I am following the guide at

https://godaddy.com/help/windows-generate-csr-for-code-or-driver-signing-certificate-7282

to generate a CSR to request a code signing/software publishing certificate.

In the management console, when I right-click Certificates, go to All Tasks > Advanced Operations > Create Custom Request and click Next, I don't find an "Active Directory Enrollment Policy" to select.

I don't know whether I need to download a template or generate some custom policy, and if so, how.

I am using Windows 8, and my user account is not in any Active Directory domain, nor do I administer any Active Directory.

I am not sure if it is the right forum to ask this question. Pardon me, and direct me to the right forum, if it is not.


Solution

  • I ran into the same problem today and found the solution on MSDN. Try the following:

    1. Instead of selecting Active Directory Enrollment Policy select Proceed without enrollment policy.
    2. Click Next.
    3. Select (No template) CNG key from the Template list.
    4. Select PKCS #10 as the Request format.
    5. Click Next.
    6. Click the Details arrow and then the Properties button.
    7. Enter a name for your certificate in Friendly name box on the General tab.
    8. Click the Subject tab.
    9. Under Subject name, select Common name from the Type list. Enter a common name in the Value box and click the Add button.
    10. Repeat step 9 for Organizational unit, Locality, State and Country.
    11. Click the Extensions tab.
    12. Under Key usage select Digital signature and click the Add button.
    13. Under Extended key usage select Code signing and click the Add button.
    14. Under Basic constraints click the Enable this extension checkbox.
    15. Click the Private key tab.
    16. Under Key options select 2048 as the Key size.
    17. Click the Make private key exportable checkbox.
    18. Under Select hash algorithm select sha256 from the Hash Algorithm list.
    19. Click OK.

    So far it appears to be working. I was able to use my new code signing certificate to export a PFX file and successfully sign an executable.

    Note: I chose sha256 instead of sha1 in step 18 because SHA-1 is deprecated.
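The same request can be produced without clicking through the MMC wizard by feeding an INF file to the built-in `certreq.exe`. The script below is an added example and is not part of the answer above or of the GoDaddy guide; it mirrors the wizard settings the answer lists (no enrollment policy, CNG key in the Microsoft Software Key Storage Provider, PKCS #10 format, 2048-bit RSA, SHA-256, Digital Signature key usage, Code Signing EKU, an end-entity Basic Constraints extension, exportable private key) and then dumps the resulting request so you can confirm those fields before sending it to the CA. The subject values, friendly name and file names are constructed placeholders; replace them with your own.

```powershell
# Added example: scripted equivalent of the MMC "Create Custom Request" steps.
# Subject values below are constructed placeholders, not real identities.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
; Step 9-10: Common name, Organizational unit, Locality, State, Country
Subject = "CN=Example Publisher, OU=Engineering, L=Example City, S=Example State, C=US"
; Step 7: friendly name shown in the certificate store
FriendlyName = "Example code signing request"
; Step 3: CNG key held by the software key storage provider, user store
ProviderName = "Microsoft Software Key Storage Provider"
MachineKeySet = FALSE
; Step 16: 2048-bit RSA key
KeyAlgorithm = RSA
KeyLength = 2048
; Step 17: private key exportable (needed later for the PFX export)
Exportable = TRUE
; Step 18: SHA-256 signature on the request
HashAlgorithm = sha256
; Step 12: Key usage = Digital Signature (0x80)
KeyUsage = 0x80
; Step 4: PKCS #10 request format
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Step 13: Extended key usage = Code Signing
OID = 1.3.6.1.5.5.7.3.3

[Extensions]
; Step 14: Basic Constraints enabled, end-entity (not a CA)
2.5.29.19 = "{text}ca=0"
'@

$infPath = Join-Path $env:TEMP 'codesign-request.inf'
$csrPath = Join-Path $env:TEMP 'codesign-request.csr'

# certreq expects a plain-text INF; avoid a UTF-8 BOM.
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generate the key pair and write the Base64 PKCS #10 request.
& certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Verify what was actually put in the request: subject, key length,
# signature algorithm, Key Usage, EKU and Basic Constraints.
& certutil.exe -dump $csrPath

Write-Host "Request written to $csrPath; submit its contents to the CA."
```

After `certreq -new` runs, the private key and a pending entry sit in the current user's "Certificate Enrollment Requests" store, which is the same state the wizard leaves you in; when the CA returns the issued certificate, `certreq -accept <issued.cer>` binds it to that key. `Exportable = TRUE` reproduces step 17 and is what makes the later PFX export possible; if the key is meant to stay on this machine (for example when signing happens only here), set it to `FALSE` so the key cannot be copied out of the key store.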