Microsoft Servers: Create ECC CSR and Install ECC SSL Certificate

Creating an ECC CSR and installing your SSL certificate on your Microsoft server

Before generating an ECC CSR (Elliptic Curve Cryptography Certificate Signing Request) and ordering an ECC SSL Certificate from DigiCert, make sure that your environment is compatible with ECC SSL Certificates. For more information about Elliptic Curve Cryptography, see Elliptic Curve Cryptography ECC Explained.

Use these instructions to generate the ECC CSR and then install your ECC SSL Certificate.

  1. To create your ECC CSR, see Microsoft Servers: Create Your ECC CSR (Certificate Signing Request).

  2. To install your ECC SSL Certificate, see Microsoft Servers: Install Your ECC SSL Certificate.

1. Microsoft Servers: Create Your ECC CSR (Certificate Signing Request)

These instructions were created on Windows Server 2012. Depending on which Microsoft platform or operating system you are using, you may need to modify these instructions accordingly.

How to Create Your ECC CSR Using the Microsoft Management Console (MMC)

  1. Open Microsoft Management Console as an admin.

    1. On the Windows Start screen, type mmc.

    2. Right-click on mmc.exe and then click Run as administrator.

    3. In the User Account Control window, click Yes to allow the program to make changes to the computer.

  2. In the MMC Console, click File > Add/Remove Snap-in.

  3. In the Add or Remove Snap-ins window, under Available snap-ins, select Certificates and then, click Add.

  4. In the Certificate snap-in window, select Computer account so that you can manage the certificates that are installed on this computer.

  5. In the Select Computer window, select Local computer: (the computer this console is running on) and then, click Finish.

  6. In the Add or Remove Snap-ins window, click OK.

  7. In the MMC Console, in the console tree, expand Certificates > Personal, right-click on the Certificates folder, and then, click All Tasks > Advanced Operations > Create Custom Request.

  8. In the Certificate Enrollment wizard, on the Before You Begin page, click Next.

  9. On the Select Certificate Enrollment Policy page, select Process without enrollment policy and then, click Next.

  10. On the Custom request page, do the following things, and then click Next.

    Template: In the drop-down list, select (No template) CNG key.
    Request format: Select PKCS #10.

  11. On the Certificate Information page, expand Details (click the drop-down arrow) and then click Properties.

  12. In the Certificate Properties window, on the General tab, do the following:

    Friendly name: Type a friendly name for the ECC SSL Certificate.
    Note: The friendly name is not part of the certificate; instead, it is used to identify the certificate.
    Description: Type a brief description about the certificate.

  13. On the Subject tab, under Subject name, select a Type, enter the appropriate Value for the type, and then click Add.

    Type: Value
    Common name: Enter the fully-qualified domain name (FQDN) (e.g., www.example.com).
    Organization: Enter your company's legally registered name (e.g., YourCompany, Inc.).
    Organizational unit: Enter the department within your organization that you want to appear on the ECC SSL certificate.
    Locality: Enter the city where your company is legally located.
    State: Enter the state/province/region where your company is legally located.
    Country: Enter the country where your company is legally located.

  14. If you are ordering a Multi-Domain (SAN) or an EV Multi-Domain ECC SSL certificate, enter additional hostnames (e.g., example2.com, example3.net, mail.example.net) that you want your EV Multi-Domain or Multi-Domain (SAN) certificate to secure.

    1. Under Alternative name, in the Type drop-down list, select DNS.

    2. In the Value box, enter an additional hostname that you want the certificate to secure and then click Add.

    3. Repeat for each additional hostname that you want to add to the certificate.

  15. On the Private Key tab, expand Cryptographic Service Provider and then under Select cryptographic service provider (CSP), do the following:

    1. Uncheck RSA, Microsoft Software Key Storage Provider.

    2. Check ECDSA_P256, Microsoft Software Key Storage Provider.

      Recommended ECC key size is 256-bit. If greater encryption strength is required, your other private key option is 384.

      Note: You can select any of the ECDSA options for your ECC SSL Certificate. However, do not use the ECDH options.

  16. Next, expand Key options and check Make private key exportable.

  17. Finally, click Apply and then click OK.

  18. In the Certificate Enrollment wizard, on the Certificate Information page, click Next.

  19. On the Where do you want to save the offline request page, do the following:

    1. For the File format, select Base 64.

    2. In the File Name box, type a name for your CSR file (e.g., ecc_ssl_csr).

    3. Click Browse to select the location where you want to save the CSR (.req) file and then click Save.

      Make sure to note the filename and the location where you saved your CSR file.

    4. Click Finish.

  20. Use a text editor (such as Notepad) to open the file.

  21. Then, copy the text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, and enter it into the DigiCert order form.

    Note: During your DigiCert SSL Certificate ordering process, when asked to Select Server Software, make sure that you select OTHER. This option ensures that you receive all the required certificates.

  22. After you receive your ECC SSL certificate from DigiCert, you can install it.
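The wizard steps above can also be expressed as a certreq request file. The following PowerShell is an added example, not part of DigiCert's instructions; the subject values, hostnames and the C:\certs path are placeholders, and it assumes an elevated session on the server that will hold the private key.

```powershell
# Added example: builds the same request as the MMC wizard (CNG key, PKCS #10,
# ECDSA_P256, Microsoft Software Key Storage Provider, Base 64 output).
# All names, hostnames and paths below are placeholders.
$outDir  = 'C:\certs'
$infPath = Join-Path $outDir 'ecc_request.inf'
$csrPath = Join-Path $outDir 'ecc_ssl_csr.req'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
if (Test-Path $csrPath) { throw "$csrPath already exists; choose another file name" }

# Single-quoted here-string so "$Windows NT$" is written literally.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=www.example.com, O=Example Corp, OU=IT, L=City, S=State, C=US"
FriendlyName = "ECC SSL certificate (www.example.com)"
RequestType = PKCS10
KeyAlgorithm = ECDSA_P256
KeyLength = 256
ProviderName = "Microsoft Software Key Storage Provider"
MachineKeySet = TRUE
; Mirrors "Make private key exportable" in the wizard
Exportable = TRUE
HashAlgorithm = SHA256

[Extensions]
; Subject Alternative Name entries, one DNS name per line
2.5.29.17 = "{text}"
_continue_ = "dns=www.example.com&"
_continue_ = "dns=example2.com&"
_continue_ = "dns=mail.example.net&"
'@
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generate the key pair in the computer store and write the Base 64 request
certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Review subject, curve and SAN entries before pasting the request into the order form
certutil.exe -dump $csrPath | Select-String 'Subject:|CN=|ECDSA_P256|DNS Name'
```

The resulting .req file contains the same -----BEGIN NEW CERTIFICATE REQUEST----- block that the wizard produces.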

2. Microsoft Servers: Install Your ECC SSL Certificate

If you have not yet created your ECC Certificate Signing Request (CSR) and ordered your certificate, see Microsoft Servers: Create Your ECC CSR.

After receiving your ECC SSL Certificate, install it on your Microsoft server, and then configure the server to use it to secure your website.

To Install and Configure Your ECC SSL Certificate:

  1. Install your ECC SSL Certificate into the Certificate Store.

    See How to Import Your ECC SSL Certificate into the Certificate Store.

  2. Install the DigiCert ECC intermediate certificate into the Certificate Store.

    See How to Import the DigiCert ECC Intermediate Certificate into the Certificate Store.

  3. Associate your ECC SSL Certificate with its private key.

    See How to Associate Your ECC SSL Certificate with its Private Key.

  4. Configure your Microsoft server software to use the ECC SSL Certificate.

    See Configure Server Software to Use the ECC SSL Certificate.

i. How to Import Your ECC SSL Certificate into the Certificate Store

  1. On the Microsoft server where you created the ECC CSR, open the ZIP file containing your ECC SSL Certificate and save the contents of the file (e.g., your_domain_name.cer).

  2. Open Microsoft Management Console as an admin.

    1. On the Windows Start screen, type mmc.

    2. Right-click on mmc.exe and then click Run as administrator.

    3. In the User Account Control window, click Yes to allow the program to make changes to the computer.

  3. In the MMC Console, in the console tree, expand Certificates > Personal, right-click on the Certificates folder, and then, click All Tasks > Import.

  4. In the Certificate Import Wizard, on the Welcome to the Certificate Import page, click Next.

  5. On the File to Import page, click Browse to browse for and select the .crt certificate file (e.g., your_domain_com.crt) that you saved to your server, click Open, and then, click Next.

  6. On the Certificate Store page, do the following:

    1. Select Place all certificates in the following store.

    2. Click Browse.

    3. In the Select Certificate Store window, select Personal.

    4. Click OK.

    5. On the Certificate Store page, click Next.

  7. On the Completing the Certificate Import page, review your settings and then, click Finish.

  8. Your ECC SSL Certificate should now be in the Certificate Store.

ii. How to Import the DigiCert ECC Intermediate Certificate into the Certificate Store

  1. Open Microsoft Management Console as an admin.

    1. On the Windows Start screen, type mmc.

    2. Right-click on mmc.exe and then click Run as administrator.

    3. In the User Account Control window, click Yes to allow the program to make changes to the computer.

  2. In the MMC Console, in the console tree, expand Certificates > Personal, right-click on the Certificates folder, and then, click All Tasks > Import.

  3. In the Certificate Import Wizard, on the Welcome to the Certificate Import page, click Next.

  4. On the File to Import page, click Browse to browse for and select the DigiCertCA.crt file that you saved to your server, click Open, and then, click Next.

  5. On the Certificate Store page, do the following:

    1. Select Place all certificates in the following store.

    2. Click Browse.

    3. In the Select Certificate Store window, select Intermediate Certification Authorities.

    4. Click OK.

    5. On the Certificate Store page, click Next.

  6. On the Completing the Certificate Import page, review your settings and then, click Finish.

  7. Your DigiCertCA.crt intermediate certificate should now be in the Certificate Store.

iii. How to Associate Your ECC SSL Certificate with Its Private Key

  1. Locate your ECC SSL Certificate and record the serial number.

    1. Open Microsoft Management Console as an admin.

      1. On the Windows Start screen, type mmc.

      2. Right-click on mmc.exe and then click Run as administrator.

      3. In the User Account Control window, click Yes to allow the program to make changes to the computer.

    2. In the MMC Console, in the console tree, expand Certificates > Personal and then click Certificates.

    3. In the center pane, double-click your ECC SSL Certificate.

    4. In the Certificate window, on the Details tab, click Serial number and record your certificate's serial number.

  2. Open the Command Prompt as an admin.

    1. On the Windows Start screen, type cmd.

    2. Right-click on Command Prompt and then click Run as administrator.

    3. In the User Account Control window, click Yes to allow the program to make changes to the computer.

  3. In the Administrator: Command Prompt window, type the following command, making sure to put your certificate's serial number in quotes and to remove all spaces:

    certutil -repairstore my "serial number"

  4. You should see the following confirmation message:

    certutil: -repairstore command completed successfully

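The serial-number lookup and certutil -repairstore step above can be scripted, followed by a check that the key association and the intermediate import took effect. This PowerShell is an added example, not part of DigiCert's instructions; the hostname is a placeholder and an elevated session is assumed.

```powershell
# Added example. 'www.example.com' is a placeholder for your certificate's common name.
$commonName = 'www.example.com'

# Newest matching certificate in the computer's Personal store
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$commonName*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate for $commonName in LocalMachine\My" }

# SerialNumber is already hex without spaces, the form certutil expects
$serial = $cert.SerialNumber

# Only repair when the certificate is not yet linked to its private key
if (-not $cert.HasPrivateKey) {
    certutil.exe -repairstore my $serial
    if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed ($LASTEXITCODE)" }
    # Re-read the store entry so HasPrivateKey reflects the repaired state
    $cert = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"
}

# The issuing intermediate should be in Intermediate Certification Authorities
$issuer = Get-ChildItem Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -eq $cert.Issuer }

# id-ecPublicKey (OID 1.2.840.10045.2.1) identifies an ECC public key
[pscustomobject]@{
    Subject         = $cert.Subject
    SerialNumber    = $serial
    HasPrivateKey   = $cert.HasPrivateKey
    PublicKeyOid    = $cert.PublicKey.Oid.Value
    IssuerInCAStore = [bool]$issuer
    NotAfter        = $cert.NotAfter
}
```

If HasPrivateKey is still False after the repair, the request was most likely generated on a different server or under a different account, and the certificate cannot be bound to a site from this store.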

iv. Configure Server Software to Use the ECC SSL Certificate

After you have imported your ECC SSL Certificate, you need to configure your Microsoft server to use it to secure your website or email connections. Follow the instructions for your specific server platform.

Export an SSL Certificate

If you need to export an installed SSL Certificate, together with its corresponding private key, from a Microsoft server as a .pfx file (either as a backup or for importing to another server), see DigiCert SSL Cert Util SSL Import/Export Instructions.

Test your Installation

To verify that the installation is correct, use our DigiCert® SSL Installation Diagnostics Tool and enter the DNS name of the site that you are securing to test your SSL Certificate (e.g., www.yourdomain.com, or mail.yourdomain.com).