
I am following the guide at https://godaddy.com/help/windows-generate-csr-for-code-or-driver-signing-certificate-7282 to generate a CSR to request a code signing/software publishing certificate.

In the management console, when I right-click Certificates, then go to All Tasks > Advanced Operations > Create Custom Request and click Next, I don't find "Active Directory Enrollment Policy" to select.

I don't know whether I need to download a template or generate some custom policy, and if so, how.

I am using Windows 8, and my user account is not in any Active Directory domain, nor do I administer any Active Directory.

I am not sure if it is the right forum to ask this question. Pardon me, and direct me to the right forum, if it is not.

mhsarosh

1 Answer


I ran into the same problem today and found the solution on MSDN. Try the following:

  1. Instead of selecting Active Directory Enrollment Policy select Proceed without enrollment policy.
  2. Click Next.
  3. Select (No template) CNG key from the Template list.
  4. Select PKCS #10 as the Request format.
  5. Click Next.
  6. Click the Details arrow and then the Properties button.
  7. Enter a name for your certificate in Friendly name box on the General tab.
  8. Click the Subject tab.
  9. Under Subject name, select Common name from the Type list. Enter a common name in the Value box and click the Add button.
  10. Repeat step 9 for Organizational unit, Locality, State and Country.
  11. Click the Extensions tab.
  12. Under Key usage select Digital signature and click the Add button.
  13. Under Extended key usage select Code signing and click the Add button.
  14. Under Basic constraints click the Enable this extension checkbox.
  15. Click the Private key tab.
  16. Under Key options select 2048 as the Key size.
  17. Click the Make private key exportable checkbox.
  18. Under Select hash algorithm select sha256 from the Hash Algorithm list.
  19. Click OK.

So far it appears to be working. I was able to use my new code signing certificate to export a PFX file and successfully sign an executable.

Note: I chose sha256 instead of sha1 in step 18 because SHA-1 is deprecated.

drewmerk
Lee Grainger
  • thanks @Lee your effort is highly appreciated and it is a great help. I was not sure whether proceeding without enrollment policy will generate a valid CSR, but if it has worked for you it should work for me too. I will submit the CSR once I get the required documentation completed and will mark it as answer. Did you submit CSR to GoDaddy or some other CA? – mhsarosh May 26 '16 at 06:24
  • You're very welcome. Having lost most of a day trying to figure this out, I felt a little better knowing that someone else might not have to pull their hair out to create a simple CSR. – Lee Grainger May 26 '16 at 10:14
  • I did submit the CSR to GoDaddy. I was trying to rekey an existing certificate. I am hoping to preserve the certificate's reputation. I assume that if I signed my software with a new certificate from another CA, the software would lose all accumulated reputation. – Lee Grainger May 26 '16 at 10:21
  • Many thanks Lee for the detailed description. It worked for me – user3267567 Aug 09 '17 at 06:35
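The same request that the accepted answer builds by hand in the Certificates MMC can be produced without the enrollment-policy dialog at all, by describing it in a certreq INF file. The following is an added example, not code from the original post or from GoDaddy's guide: each INF key mirrors one of the numbered steps above (CNG software KSP, PKCS #10, 2048-bit RSA, exportable key, SHA-256, Digital Signature key usage, Code Signing EKU, Basic Constraints). The subject values and file paths are constructed placeholders, and the `{text}ca=0` encoding of Basic Constraints is the certreq syntax I assume here; the final certutil line is a check a practitioner would run before sending the CSR to the CA, so that a request missing the Code Signing EKU is caught locally rather than rejected later.

```powershell
# Added example (not from the original post): generate the answer's code-signing CSR
# from a certreq INF instead of the MMC wizard. Subject values are placeholders.
# Single-quoted here-string so "$Windows NT$" is not expanded as a variable.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
; Steps 9-10: CN, OU, L, S (state), C
Subject = "CN=Example Software Ltd, OU=Release Engineering, L=Springfield, S=Illinois, C=US"
; Step 7: friendly name shown in the certificate store
FriendlyName = "Example code signing request"
; Step 3: "(No template) CNG key" -> CNG software key storage provider, not a legacy CSP
ProviderName = "Microsoft Software Key Storage Provider"
KeyAlgorithm = RSA
; Step 16: key size
KeyLength = 2048
; Step 18: sha256 rather than the deprecated sha1
HashAlgorithm = sha256
; Step 17: allow later export to PFX
Exportable = TRUE
; Current user's store, as when certmgr.msc is used (not the machine store)
MachineKeySet = FALSE
; Step 4: request format
RequestType = PKCS10
; Step 12: CERT_DIGITAL_SIGNATURE_KEY_USAGE
KeyUsage = 0x80

[EnhancedKeyUsageExtension]
; Step 13: Code Signing
OID = 1.3.6.1.5.5.7.3.3

[Extensions]
; Step 14: Basic Constraints as an end-entity certificate (assumed {text} syntax)
2.5.29.19 = "{text}ca=0"
'@

$infPath = Join-Path $env:TEMP 'codesign.inf'   # placeholder path
$csrPath = Join-Path $env:TEMP 'codesign.csr'   # placeholder path
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Creates the key pair in the current user's CNG store and writes a Base64 PKCS #10 request.
certreq -new $infPath $csrPath

# Check the request before submitting it: key length, hash, key usage and the Code Signing EKU.
certutil -dump $csrPath |
    Select-String -Pattern 'Public Key Length|sha256|Key Usage|Digital Signature|Code Signing'
```

After the CA returns the signed certificate, `certreq -accept` on the issued file binds it to the private key generated here, after which the certificate (with the exportable key) can be exported to PFX exactly as in the answer.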