Can't create a custom CSR using mmc and certificates snap-in on Windows 10

Hank Cohen 0 Reputation points
2023-08-06T15:41:11.24+00:00

I am trying to generate a custom CSR using the certificates snap-in for mmc on Windows 10. The certificate I want to create is a client authentication cert using ECC. However, I have run into a persistent issue that is preventing me from generating the CSR. No matter the content of the request, if I use (No template) CNG key I get the error "One of more of the object's properties are missing or invalid", and the private key generation dialog is completely insensitive. So no CSR is generated.

On the other hand, if I choose (No template) Legacy Key, then there is no problem, but the Legacy providers don't do ECC and their protection for private keys is weaker.

I suspect that this is not a problem with the certificates snap-in but rather with the underlying certificate infrastructure for Active Directory. In researching the problem I found articles that seem to indicate that some changes were made to the certificate infrastructure of Windows Server. These links are not directly relevant to my issue but they may provide hints to someone more familiar with Windows than I.

https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/cng-templates-not-appear-certificate-web-enrollment
https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/ca-cant-use-certificate-template
https://learn.microsoft.com/en-us/microsoft-identity-manager/certificate-manager-for-software-certificates

Here are some screenshots



1 answer

  1. JimmySalian-2011 42,496 Reputation points
    2023-08-06T18:25:33.5733333+00:00

    Hi,

    Can you check the event logs on the client? When you try to create the CSR you should be getting some errors in the logs that might show some info. Also, did you try with PowerShell? Try the script, and via an admin PowerShell edit the GitHub script: https://github.com/chrisdee/Scripts/blob/master/PowerShell/Working/certificates/GenerateCertificateSigningRequest(CSR).ps1

    Hope this helps.

    JS

    ==

    Please Accept the answer if the information helped you. This will help us and others in the community as well.
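A scripted way to build the request described in the question (ECC key in a CNG provider, Client Authentication EKU) without the snap-in, using the built-in `certreq.exe`. This is an added example, not part of the original thread and not the linked GitHub script; the subject name, working directory, file names and the choice of P-256 are assumptions.

```powershell
# Added example: generate an ECDSA client-authentication CSR with certreq.exe.
# Subject, paths and curve below are constructed placeholders, not values from the thread.
$work = Join-Path $env:TEMP 'ecc-csr-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work 'client-ecc.inf'
$csr = Join-Path $work 'client-ecc.csr'

# Request policy: ECDSA P-256 key held in a CNG key storage provider,
# non-exportable, created in the current user's context.
@'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=example-client"
RequestType = PKCS10
ProviderName = "Microsoft Software Key Storage Provider"
KeyAlgorithm = ECDSA_P256
KeyLength = 256
HashAlgorithm = sha256
KeyUsage = 0x80          ; digitalSignature
MachineKeySet = FALSE
Exportable = FALSE

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2  ; Client Authentication
'@ | Set-Content -Path $inf -Encoding ASCII

# Start from a clean output file so a re-run does not reuse an old request.
if (Test-Path $csr) { Remove-Item $csr }

# Create the key pair and write the PKCS#10 request.
certreq.exe -new $inf $csr
if ($LASTEXITCODE -ne 0) {
    throw "certreq -new failed with exit code $LASTEXITCODE"
}

# Decode the request and review the public key algorithm, key usage and EKU
# before sending it to a CA.
certutil.exe -dump $csr
```

Run it as the user who will own the key; the pending request is stored under Certificate Enrollment Requests in that user's certificate store until the issued certificate is installed.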

