How can I generate a certificate request on Windows Server 2008 for SqlServer 2008 w/o IIS installed

I'm trying to generate a CSR for an SSL certificate to encrypt connections to my SqlServer 2008 instance located on a Windows Server 2008 server. Most of the documentation I've read mentions using the CSR wizard in IIS. This is a dedicated db server which does not have IIS installed.

Other documentation says to use the MMC Certificate Manager snap-in and right-click on Certificates node under Certificates (Local Computer) - Personal and select "All Tasks\Request New Certificate". I don't have this option under "All Tasks". All I have under All Tasks is "Import..." and "Advanced Operations...>". Then under Advanced Operations I have the option to "Create Custom Request" which seems to require way more information than I have available to me.

Has anyone encountered this situation before and/or have any suggestions as to how to generate a csr using a template that my SSL cert provider can handle?

Many thanks,

Terry


Solution 1:

Use OpenSSL. It's a command line based utility that'll generate your CSR for you. It's a 2 liner, literally! Creating your key, and then creating the CSR with that key.

1. Key Generation

openssl genrsa -des3 -out filename.key 2048

This command should create a file with name filename.key in the directory from which the command is run. The output will be similar to:

Generating RSA private key, 2048 bit long modulus

Enter pass phrase for filename.key: 
Verifying - Enter pass phrase for filename.key: 

Choose and enter a passphrase for filename.key and remember it because it will be needed later. Successful outcome of this use case is the key file generation. File filename.key can be viewed by using Notepad on Windows or text editor on Unix/Linux.

2. CSR Generation

openssl req -new -key filename.key -out filename.csr

where filename.key is the file generated previously. This command should create a file filename.csr that contains Certificate Signing Request. The output will look similar to:

Enter pass phrase for filename.key: 
 

You are about to be asked to enter information that will be incorporated into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank.

This procedure should create file filename.csr that contains CSR in PKCS#10 format. This CSR needs to be delivered to the CA administrator.

Successful outcome of this use case is CSR file generation. File filename.csr can be viewed by using Notepad on Windows or text editor on Unix/Linux. The content of the file should be similar to:

-----BEGIN CERTIFICATE REQUEST-----

MIIB/TCCAWYCAQAwgYExCzAJBgNVBAYTAkNBMRkwFwYDVQQIExBCcml0aXNoIENv
bHVtYmlhMRIwEAYDVQQHEwlWYW5jb3V2ZXIxETAPBgNVBAoTCFRlc3QgT3JnMRUw
...snip...
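
A scripted form of the two steps in Solution 1, with checks to run before the request goes to the CA. This is an added example, not part of the original answer. It skips the DN prompts with -subj and confirms that the CSR verifies, matches the key, and carries the server name as its CN, since SQL Server expects the certificate's CN to match the server's host name or FQDN. Assumptions: the host name, the DN fields and the KEY_PASS environment variable are constructed placeholders, and -aes256 is used in place of -des3 to protect the key.

```shell
#!/bin/sh
# Added example, not from the original answer. The host name, DN fields and
# the KEY_PASS variable are constructed placeholders.
# Usage: KEY_PASS='...' sh csr.sh sql01.example.com sql01

# make_csr FQDN BASE: write BASE.key (passphrase-protected) and BASE.csr
# without the interactive DN prompts. The passphrase is read from KEY_PASS.
make_csr() (
    umask 077                       # key file readable by the owner only
    openssl genrsa -aes256 -passout env:KEY_PASS -out "$2.key" 2048 &&
    openssl req -new -key "$2.key" -passin env:KEY_PASS \
        -subj "/C=CA/O=Test Org/CN=$1" -out "$2.csr"
)

# csr_cn FILE: print the CN of the request. RFC2253 output prints the most
# specific RDN first, so the CN leads for the subject built above.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}

# check_csr FQDN BASE: succeed only if BASE.csr is fit to send to the CA.
check_csr() {
    # 1. Self-signature is valid. Match the message, not the exit status.
    openssl req -in "$2.csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "CSR signature does not verify" >&2; return 1; }
    # 2. The request was made from this private key (same RSA modulus).
    key_mod=$(openssl rsa -in "$2.key" -passin env:KEY_PASS -noout -modulus) || return 1
    csr_mod=$(openssl req -in "$2.csr" -noout -modulus) || return 1
    [ "$key_mod" = "$csr_mod" ] ||
        { echo "CSR does not match $2.key" >&2; return 1; }
    # 3. The CN is exactly the name clients will connect to.
    [ "$(csr_cn "$2.csr")" = "$1" ] ||
        { echo "CN is not $1" >&2; return 1; }
}

# Run both steps when called with FQDN and BASE arguments.
if [ $# -eq 2 ]; then
    make_csr "$1" "$2" && check_csr "$1" "$2" && echo "$2.csr is ready"
fi
```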