How to Create an Offline Certificate Request in Windows Server
Overview
EAP-TLS, PEAP-MSCHAPv2, and LDAP/TLS require a digital certificate installed on your RADIUS server. The certificate provides authentication, encryption, and validation.
This article explains how to create an offline certificate request on your Windows server to obtain a certificate from a commercial or standalone Certificate Authority (CA). After you create the request, submit it to a CA. Once the CA issues the certificate, you can import it on your server.
Prerequisites
- A Windows server running IAS or NPS (RADIUS Server).
- Administrator access to the Windows server.
- Access to the Microsoft Management Console (mmc.exe).
- A Certificate Authority (commercial or standalone) to process your certificate request.
- The Fully Qualified Domain Name (FQDN) of your RADIUS server host. Most commercial CAs require the host to have a public top-level domain such as .com or .net (for example, myserver.mydomain.com).
Step-by-step instructions
Launch the certificate console
- Log in to your Windows server running IAS or NPS (RADIUS Server).
- Launch the Microsoft Management Console (mmc.exe).
- Select File > Add/Remove Snap-in.
- Choose Certificates from Available Snap-ins and click Add.
- Choose Computer account for snap-in management and click Next.
- Choose Local computer to use the snap-in on the current computer and click Finish.
- Back at the Add or Remove Snap-ins window, click OK.

Create an offline certificate request
Certificate enrollment wizard
- From the Certificate Manager console, go to Certificates (Local Computer) > Personal > Certificates.
- Right-click Certificates and go to All tasks > Advanced options, then select Create custom request.
- The Certificate Enrollment Wizard opens. Review the Before You Begin section and click Next.
- Choose Proceed without enrollment policy unless a predefined certificate template needs to be used.
- For Custom Request options, choose No template and click Next.

Certificate properties: General tab
- On Certificate Information, expand Details, then click the Properties button.
- When Certificate Properties opens to the General tab, fill out the Friendly name and Description values. These values are not required, but they help distinguish your certificate among other installed certificates.

Certificate properties: Subject tab
- Select the Subject tab.
- Add values to the Subject name and Alternative name attributes.
  a. To add an attribute, select an attribute Type from the drop-down, enter the correct Value, and then click Add.
  b. Subject name:
     1. Common name (required): Fully Qualified Domain Name (FQDN) of your RADIUS server host. Most commercial CAs require the host to have a public top-level domain such as .com or .net (for example, myserver.mydomain.com).
     2. Organizational Unit (optional): Depends on your organization; this could be your department.
     3. Organization (optional): Your organization name.
     4. Locality (optional): Your city. Do not abbreviate.
     5. State (optional): Your state. Do not abbreviate.
     6. Country (optional): Your country.
  c. Alternative name:
     1. DNS (required): FQDN of your RADIUS server host. Most commercial CAs require the host to have a public top-level domain such as .com or .net (for example, myserver.mydomain.com).

Certificate properties: Extensions tab
- Select the Extensions tab, then expand Key usage.
- Select Digital signature and Key encipherment from Available options.
- Click Add to place them in Selected options. The Make these key usages critical box is checked by default.
- On the Extensions tab, expand Extended Key Usage (application policies).
- Select Server Authentication and optionally Client Authentication from Available options.
- Click Add to place them in Selected options.

Certificate properties: Private Key tab
- Select the Private Key tab.
- Expand Cryptographic Service Provider. For Select cryptographic service provider, make sure RSA, Microsoft Software Key Storage Provider is the only box checked.
- Expand Key options and select 2048 in the Key size drop-down.
- On the Private Key tab, expand Select Hash Algorithm.
- For the Hash Algorithm drop-down, select sha1, which is the only hashing algorithm compatible with dynamic keying, and then click OK.

Save certificate request
- On the Where do you want to save the offline request? page, give your certificate request file a name and save it to a location on your computer.
- In this example, the certificate request file is named certreq711 and is saved at the root of C:. Make sure the File format is set to Base 64, and then click Finish.
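The same offline request can be produced without the MMC wizard by feeding certreq.exe an .inf file that carries the settings chosen above (RSA 2048 in the Microsoft Software Key Storage Provider, Digital Signature + Key Encipherment, Server and Client Authentication EKUs, a DNS subject alternative name, Base64 output). This is an added example, not the article's own procedure; the FQDN and file name certreq711 come from the article, while the OU, O, L, S and C values are placeholders to replace with your own.

```powershell
# Added example: build the article's offline request from a certreq .inf file.
# Single-quoted here-string so the "$Windows NT$" signature is not expanded.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
; CN must be the FQDN of the RADIUS host (example value from the article);
; OU/O/L/S/C below are placeholders, spell out city and state in full.
Subject = "CN=myserver.mydomain.com, OU=Example Unit, O=Example Org, L=Example City, S=Example State, C=US"
; Optional, same role as the General tab's Friendly name.
FriendlyName = "RADIUS EAP-TLS server certificate"
; Private Key tab: RSA 2048 in the Microsoft Software Key Storage Provider.
KeyAlgorithm = RSA
KeyLength = 2048
ProviderName = "Microsoft Software Key Storage Provider"
; Hash algorithm the article selects for signing the request.
HashAlgorithm = sha1
; Key is created in the Local Computer store (Computer account snap-in)
; and is kept non-exportable.
MachineKeySet = TRUE
Exportable = FALSE
; Key usage bit mask: 0x80 Digital Signature + 0x20 Key Encipherment.
KeyUsage = 0xA0
; Offline PKCS #10 request (no enrollment policy, no template).
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Server Authentication (required) and Client Authentication (optional).
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2

[Extensions]
; Subject Alternative Name with a DNS entry matching the CN.
2.5.29.17 = "{text}"
_continue_ = "dns=myserver.mydomain.com&"
'@

$infPath = 'C:\certreq711.inf'
$reqPath = 'C:\certreq711.req'   # request file name used in the article
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generate the Base64-encoded PKCS #10 request; the private key is stored in the
# machine key store and is joined to the certificate when the CA's reply is imported.
certreq.exe -new $infPath $reqPath

# Check the request before submitting it: the dump should show the expected
# subject, SAN DNS name, key usage, EKUs and a 2048-bit RSA public key.
certutil.exe -dump $reqPath
```

Unlike the wizard, this .inf does not mark the key usage extension critical; check the CA's requirements if that matters to them.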

Submit the certificate request to a CA
- After creating your certificate request, submit it to a Certificate Authority so they can process the request and issue a certificate.
- The certificate request is a text file. Copy the text from the file and enter it into an online submission form on the CA website.
- Contact your Certificate Authority directly for instructions on the process for submitting your certificate request.
- Once the CA processes the request and issues the certificate, download it to the server so it can be imported.
- See the Microsoft documentation for instructions on how to import the certificate.

