Creating a certificate request
The standard option for creating a certificate request in Windows generates the private key with a CNG ('Cryptography API: Next Generation') key storage provider, which is not compatible with IPS Server. The following steps show how to use the legacy key provider 'Microsoft RSA SChannel Cryptographic Provider' instead.
- Open the Local Computer Certificates Manager, and run Create Custom Request:
- Select the option 'Proceed without enrollment policy':
- Select the 'Legacy Key' option:
- For 'Certificate Information', do not accept the default options; click Details to set the options:
- Certificate Properties - General tab. Enter Friendly Name (e.g., use the IPS service address) and Description:
- Certificate Properties - Subject tab. The Common Name is set to the IPS service address. In Subject Alternative Names, the first must be the service address, then add all of the addresses for the server machines in the IPS cluster:
- Certificate Properties - Extensions tab:
- Certificate Properties - Private Key tab. Select the option 'Microsoft RSA SChannel Cryptographic Provider'. The recommended Key Size is 2048 (larger values will impact server performance). Select the option 'Make Private Key Exportable' if you want to generate a PFX certificate that contains the private key (this makes it easier to install the certificate in each of the cluster machines):
- Close the Certificate Properties dialog, and click Next to save the certificate request in a file.
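The same request can be produced without the dialogs by feeding an INF file to certreq. The PowerShell below is an added example, not part of the original page: it writes an INF carrying the settings chosen in the steps above (legacy provider, 2048-bit exportable key, service address as Common Name and first SAN, cluster nodes as further SANs), generates the request, and checks which provider holds the pending key. The host names and file paths are placeholders.

```powershell
# Added example: certreq INF equivalent of the Certificate Properties dialog settings.
# ips.example.com, the node names and the paths are placeholders, not values from the page.
$ServiceName  = 'ips.example.com'
$ClusterNodes = @('ips-node1.example.com', 'ips-node2.example.com')
$AllNames     = @($ServiceName) + $ClusterNodes     # service address first, then every cluster node
$InfPath      = Join-Path $env:TEMP 'ips-request.inf'
$ReqPath      = Join-Path $env:TEMP 'ips-request.req'

# One _continue_ line per SAN entry; entries inside the {text} SAN extension are joined with '&'.
$sanLines = for ($i = 0; $i -lt $AllNames.Count; $i++) {
    $sep = if ($i -lt $AllNames.Count - 1) { '&' } else { '' }
    "_continue_ = `"dns=$($AllNames[$i])$sep`""
}

$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$ServiceName"
FriendlyName = "$ServiceName"
; Legacy CryptoAPI CSP rather than a CNG key storage provider; ProviderType 12 is PROV_RSA_SCHANNEL
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
; KeySpec 1 = AT_KEYEXCHANGE, the key type a TLS server key needs under CryptoAPI
KeySpec = 1
; 2048 bits as recommended above; Exportable lets a PFX with the private key be produced later
KeyLength = 2048
Exportable = TRUE
; Key lives under the Local Computer context, matching the Local Computer Certificates Manager
MachineKeySet = TRUE
; 0xA0 = digitalSignature + keyEncipherment
KeyUsage = 0xA0
HashAlgorithm = sha256
; Standalone PKCS#10 request, i.e. 'Proceed without enrollment policy'
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
$($sanLines -join "`r`n")
"@

Set-Content -Path $InfPath -Value $inf -Encoding ASCII
certreq -new $InfPath $ReqPath          # writes the CSR; the pending key lands in the REQUEST store

# Check: the pending request must report the legacy provider, not a CNG key storage provider.
certutil -store REQUEST | Select-String -Pattern 'Subject:', 'Provider ='
```

Run in an elevated PowerShell session; after the CA returns the signed certificate, `certreq -accept` binds it to the pending key, and the same `certutil -store My` check confirms the provider on the installed certificate.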