JOIN OUR AFFILIATE NETWORK

Join our affiliate network and become a local SSL expert

♦ learn more about our program ♦
Menu
picture of tbs certificates
picture of tbs certificates
Certificates
Our products range
Partners
Support
Focus


Generate a CSR with certreq on Windows Server

Certreq is a Microsoft tool made for private key and Certificate Signing Request (CSR) management. It is available from Windows Vista and Windows Server 2008. Here is the procedure to generate a private key and a CSR :

Step 1: Configuration file

You first need to write a configuration file that will be read by certreq to generate your CSR. You can find our template here on which you just need to edit the Subject line. This file is valid for Server and Developper certificates.

Each field is separated by a comma and is following the key=value form. Here is the list of all generally accepted fields:
  • CN: Common name / domain name / server name /FQDN :
    Indicate here your SSL server name, such as "secure.company.com", "www.my-domain.com" or "www.product.com". No IP address (learn more). No spaces nor blank characters.

    In the case you want to order a multiple-domains / SANs certificate, just enter the main address in the CSR. This one cannot be change during your certificate lifetime. Enter the other address to secure in the order form (those ones can be modified via reissuance).

    N.B.: Using certificates with internal names (xxx.local, yyy.priv, machine_name) or a domain that is not registered or controlled by IANA is disapproved by the CA/Browsers Forum and won't be accepted anymore by November 2015 (learn more).

  • O: Organization / Company Name :
    indicate the corporate name of your company (no trade name or acronym), in uppercase preferably.

  • ST:State:
    in France indicate the name of the department where your company headquarters are based (not the number).

  • L:L: Location / City:
    indicate the city where your company headquarters are based.

  • C: C: Country:
    indicate FR if your company is in France, BE for Belgium, etc, in uppercase preferably.

  • OU:OU: Organisational unit / Department / Branch :
    We advise not to fill in this field or to enter a generic term such as "IT Department".

Here is a config line example:
                                                                                                                                                                                                                                                                                                                         
  Subject = "C=FR, O=TBS Internet, L=Caen, ST=Calvados, CN=www.tbs-internet.com"                                                                                                                                                                                                                                              

RGS certificates

To generate a valid CSR for RGS certificates orders, you need to add the field "2.5.4.97=VOTRE_ORGANIZATION_IDENTIFIER" to the template Subject field.

Step 2 : Execute certreq

Now execute the following command (as administrator):
                                                                                                                                                                                                                                                                                                                         
  certreq -new tbsTemplate.inf myCSR.txt                                                                                                                                                                                                                                                                                     
You can now copy/paste your CSR in TBS INTERNET order form.

Install a certificate whose private key was generated with certreq

To install a certificate whose key has been generated with this method, you will need to install your PKCS#7 (.p7b) certificate by completing the install with certreq:
certreq -accept C:\myCert.p7b
Your certificate will be linked to your private key and will now be usable.

External links