Cisco Meraki Documentation

How to Create an Offline Certificate Request in Windows Server

Overview

EAP-TLS, PEAP-MSCHAPv2, and LDAP/TLS require a digital certificate installed on your RADIUS server. Clients use the certificate to authenticate the server before they send any credentials, and its key pair secures the TLS tunnel that carries the inner authentication (MSCHAPv2 in PEAP) or the client certificate exchange (EAP-TLS). A certificate that clients cannot validate (wrong name, missing Server Authentication purpose, untrusted issuer) causes authentication failures even though the RADIUS server itself runs normally.

This article explains how to create an offline certificate request on your Windows server to obtain a certificate from a commercial or standalone Certificate Authority (CA). After you create the request, submit it to a CA. Once the CA issues the certificate, you can import it on your server. 

Prerequisites

  • A Windows server running IAS or NPS (RADIUS Server). 

  • Administrator access to the Windows server. 

  • Access to the Microsoft Management Console (mmc.exe). 

  • A Certificate Authority (commercial or standalone) to process your certificate request. 

  • The Fully Qualified Domain Name (FQDN) of your RADIUS server host. Most commercial CAs require the host to have a public top-level domain such as .com or .net (for example, myserver.mydomain.com). A name that is not publicly registered (for example, a .local domain) cannot be issued by a public CA; use an internal CA for such names and make sure every client trusts its root certificate.

Step-by-step instructions

Launch the certificate console

  1. Log in to your Windows server running IAS or NPS (RADIUS Server). 

  2. Launch the Microsoft Management Console (mmc.exe). 

  3. Select File > Add/Remove Snap-in.
    Adding snap-in in the Microsoft Management Console

  4. Choose Certificates from Available Snap-ins and click Add.
    Certificates option chosen in available snap-ins window

  5. Choose Computer account for snap-in management and click Next.
    Computer account chosen in snap-in management window

  6. Choose Local computer to use the snap-in on the current computer and click Finish.
    Local computer chosen in snap-in management window

  7. Back at the Add or Remove Snap-ins window, click OK.
    Approving snap-in selection window

Create an offline certificate request

Certificate enrollment wizard

  1. In the Certificates snap-in, go to Certificates (Local Computer) > Personal > Certificates.  

  2. Right-click Certificates and go to All Tasks > Advanced Operations, then select Create Custom Request.

Creating certificate custom request

  3. The Certificate Enrollment wizard opens. Review the Before You Begin section and click Next.

Certificate enrollment wizard is starting

  4. Choose Proceed without enrollment policy unless a predefined certificate template from an enterprise CA needs to be used.

Selecting Certificate Enrollment Policy

  5. For Custom request, choose the (No template) CNG key option, which pairs with the Microsoft Software Key Storage Provider selected later in this procedure, and click Next.

Choosing template of certificate options

Certificate properties: General tab

  1. On Certificate Information, expand Details, then click the Properties button. 

Certificate information details

  2. When Certificate Properties opens to the General tab, fill out the Friendly name and Description values. These values are not required, but they help distinguish your certificate among other installed certificates. 

Choosing friendly name and description for the certificate

Certificate properties: Subject tab

  1. Select the Subject tab.  

  2. Add values to the Subject name and Alternative name attributes.  
    a. To add an attribute, select an attribute Type from the drop-down, enter the correct Value, and then click Add.
    b. Subject name:
        1. Common name (required): Fully Qualified Domain Name (FQDN) of your RADIUS server host. Most commercial CAs require the host to have a public top-level domain such as .com or .net (for example, myserver.mydomain.com).
        2. Organizational Unit (optional): Depends on your organization; this could be your department.
        3. Organization (optional): Your organization name.
        4. Locality (optional): Your city. Do not abbreviate.
        5. State (optional): Your state. Do not abbreviate.
        6. Country (optional): Your country.
    c. Alternative name: 
        1. DNS (required): FQDN of your RADIUS server host, identical to the Common name. Clients match the server name they are configured to trust against the Subject Alternative Name, and public CAs will not issue a certificate whose SAN is empty. Most commercial CAs require the host to have a public top-level domain such as .com or .net (for example, myserver.mydomain.com). 

Adding subject name and alternative name values

Certificate properties: Extensions tab

  1. Select the Extensions tab, then expand Key usage. 

  2. Select Digital signature and Key encipherment from Available options. 

  3. Click Add to place them in Selected options. The Make these key usages critical box is checked by default. 

Adding key usage options to define purpose of the certificate

  4. On the Extensions tab, expand Extended Key Usage (application policies). 

  5. Select Server Authentication and optionally Client Authentication from Available options. Server Authentication is the purpose that EAP clients check when they validate the RADIUS server certificate; without it, Windows supplicants reject the server. 

  6. Click Add to place them in Selected options.

Adding extended key usage options

Certificate properties: Private Key tab

  1. Select the Private Key tab.  

  2. Expand Cryptographic Service Provider. For Select cryptographic service provider, make sure RSA, Microsoft Software Key Storage Provider is the only box checked.  

  3. Expand Key options and select 2048 in the Key size drop-down. 2048 is the minimum that public CAs accept; 3072 or 4096 are also acceptable. Leave Make private key exportable unchecked unless you have a specific need to back up or move the key.

Choosing cryptographic service provider and key length

  4. On the Private Key tab, expand Select Hash Algorithm.  

  5. For the Hash Algorithm drop-down, select sha256 and then click OK. This algorithm signs the request itself; the CA chooses the hash used to sign the issued certificate. Do not select sha1: public CAs no longer issue SHA-1 certificates, and current client operating systems reject SHA-1 server certificates during EAP validation.

Choosing hashing algorithm

Save certificate request

  1. On the Where do you want to save the offline request? page, give your certificate request file a name and save it to a location on your computer. 

  2. In the example below, the certificate request file is named certreq711 and is saved at the root of C:. Make sure the File format is set to Base 64, and then click Finish.

Saving certificate request
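The wizard steps above can also be run non-interactively on the RADIUS server with certreq.exe and an INF file, which is useful when several NPS servers need the same kind of request or when the request must be reproducible. The PowerShell below is an added example, not part of the Meraki article: the hostname radius.example.com, the Example Corp subject fields, and the C:\CertRequest working directory are placeholders to replace with your own values. Each INF directive corresponds to one wizard tab (Subject and SAN, Key usage, Extended Key Usage, key options, hash algorithm), and the final certutil check decodes the request so you can confirm the fields before pasting it into the CA's submission form.

```powershell
# Added example (not from the Meraki article): build the offline request with
# certreq.exe instead of the wizard. All names below are placeholders.
$Fqdn    = 'radius.example.com'      # assumed FQDN of the RADIUS server
$WorkDir = 'C:\CertRequest'          # assumed working directory
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# The INF mirrors the wizard's tabs. Inline ';' comments are valid certreq INF syntax.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn, O=Example Corp, L=Springfield, S=Illinois, C=US"
FriendlyName = "NPS RADIUS server certificate"
RequestType = PKCS10          ; offline Base64 PKCS#10 request, no enrollment policy
KeyAlgorithm = RSA
KeyLength = 2048              ; minimum accepted by public CAs; 3072 or 4096 also fine
HashAlgorithm = sha256        ; sha1 requests are refused by public CAs
ProviderName = "Microsoft Software Key Storage Provider"
MachineKeySet = TRUE          ; key goes into the computer store, which NPS reads
Exportable = FALSE            ; keep the private key non-exportable
KeyUsage = 0xA0               ; 0x80 Digital Signature + 0x20 Key Encipherment

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1       ; Server Authentication (required for EAP-TLS/PEAP)
OID = 1.3.6.1.5.5.7.3.2       ; Client Authentication (optional)

[Extensions]
2.5.29.17 = "{text}"          ; Subject Alternative Name
_continue_ = "dns=$Fqdn&"
"@
$infPath = Join-Path $WorkDir 'radius.inf'
$reqPath = Join-Path $WorkDir 'radius.req'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generate the key pair in the machine store and write the Base64 request file.
certreq.exe -new -q $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Decode the request and confirm every field the CA and the EAP clients care about.
$dump = certutil.exe -dump $reqPath
$expected = @("CN=$Fqdn", "DNS Name=$Fqdn", 'Server Authentication',
              'sha256RSA', 'Public Key Length: 2048 bits')
foreach ($item in $expected) {
    if (-not ($dump -match [regex]::Escape($item))) {
        Write-Warning "Request is missing '$item'; fix the INF and run certreq -new again"
    }
}
Write-Host "Request written to $reqPath; paste its contents into the CA's submission form."
```

The request file contains only the public key and the requested attributes; the private key stays in the machine store under the pending request, which is why the issued certificate must later be accepted on the same server that generated the request. The CA is free to override the requested extensions (public CAs normally strip Client Authentication and set their own key usage), so always re-check the issued certificate rather than the request.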

Submit the certificate request to a CA

  1. After creating your certificate request, submit it to a Certificate Authority so it can process the request and issue a certificate.  

  2. The certificate request is a text file. Copy the text from the file and enter it into an online submission form on the CA website.  

  3. Contact your Certificate Authority directly for instructions on the process for submitting your certificate request. 

  4. Once the CA processes the request and issues the certificate, download it to the server that generated the request so it can be imported. The private key exists only on that server, under Certificate Enrollment Requests in the Certificates snap-in. 

  5. Go to Microsoft documentation for instructions on how to import the certificate. Import it on the same server and in the same store (Certificates (Local Computer) > Personal) so Windows can match it to the pending request's private key; a certificate imported without its private key will not appear as a selectable server certificate in the NPS EAP settings. Also import any intermediate CA certificates the CA supplies, since clients need the full chain to validate the server.
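Before selecting the certificate in the NPS EAP settings, it is worth confirming that the issued certificate was bound to the private key, carries the Server Authentication purpose and the FQDN in its SAN, is signed with SHA-256 or stronger, and chains to a trusted root. The PowerShell below is an added example, not part of the Meraki article or Microsoft's documentation; the certificate file path and the hostname radius.example.com are placeholders. It uses certreq -accept, which is the command-line equivalent of importing the issued certificate against the pending request, and then inspects the installed certificate.

```powershell
# Added example (not from the Meraki article): accept the CA-issued certificate
# against the pending request and verify it before pointing NPS at it.
$Fqdn     = 'radius.example.com'            # assumed FQDN of the RADIUS server
$CertFile = 'C:\CertRequest\radius.cer'     # assumed path of the file downloaded from the CA

# certreq -accept matches the issued certificate to the pending request's private key
# and installs it in Cert:\LocalMachine\My. Import-Certificate would only install the
# public certificate, leaving it without a private key and unusable for NPS.
certreq.exe -accept $CertFile
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

# Pick the newest certificate for this FQDN that actually has a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -match "CN=$([regex]::Escape($Fqdn))(,|$)" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $Fqdn in LocalMachine\My" }

$problems = @()

# Signature algorithm: a SHA-1 signed certificate is rejected by current supplicants.
if ($cert.SignatureAlgorithm.FriendlyName -notmatch 'sha256|sha384|sha512') {
    $problems += "weak signature algorithm $($cert.SignatureAlgorithm.FriendlyName)"
}

# EKU must include Server Authentication (1.3.6.1.5.5.7.3.1); Windows clients check it.
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
    $problems += 'missing Server Authentication EKU'
}

# SAN must carry the FQDN that clients are configured to verify.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san -or $san.Format($false) -notmatch "DNS Name=$([regex]::Escape($Fqdn))") {
    $problems += 'SAN does not contain the FQDN'
}

# Chain, validity period, hostname and EKU, evaluated as a client would evaluate them.
$chainOk = Test-Certificate -Cert $cert -Policy SSL -DNSName $Fqdn `
    -EKU 1.3.6.1.5.5.7.3.1 -ErrorAction SilentlyContinue
if (-not $chainOk) {
    $problems += 'chain does not validate (import the intermediate CA certificates into LocalMachine\CA)'
}

if ($problems) {
    throw "Certificate $($cert.Thumbprint) is not usable for NPS: $($problems -join '; ')"
}
"Certificate $($cert.Thumbprint) (expires $($cert.NotAfter)) is ready to select in the NPS EAP settings."
```

If the chain check is the only failure, the usual cause is a missing intermediate certificate: the CA's bundle goes into Certificates (Local Computer) > Intermediate Certification Authorities, not into Personal. Run the check again after the renewal as well, because a renewed certificate installed with the wrong EKU or without its private key fails in exactly the same way as a bad first issuance.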
