Generating a CSR for a Windows 2008 R2 server and need to ensure that the private key used for the CSR is new.
I have used OpenSSL before to create my own self-signed certs for testing and if I remember correctly, I was able to specify a private key to use.
In IIS Server Certificates, I am never asked to generate nor pick a private key.
So, does generating a CSR on a Windows-based server always create a new private key for it? If not, how do I ensure a new private key is made/used?
Best Answer
Yes
The "Create Certificate Request" Wizard automatically generates a new key pair.
This is actually not true - the wizard is just not super obvious about it.
When you've entered the identity information (Common Name, Locality, Organization etc.) and hit "Next", the second screen asks for 2 things:
Choosing the default CSP - the Microsoft RSA SChannel CSP - and a Bit Length of 2048 would be the Windows equivalent to:
Anatomy of a Signing Request
The CSR itself can be thought of as having 3 "parts":
The Issuer reviews the information in the signing request, and may alter the contents of both (1) and (3).
The Issuer then uses its CA private key to encrypt the requester's public key (2).
When the final Certificate is issued it contains:
Now, the next time a client gets your certificate presented, it can use the Issuer CA's public key to decrypt the signature blob (4) and compare it to the public key in the certificate.
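As an added example (not part of the question or the answer above), here is the scripted equivalent of the "Create Certificate Request" wizard on Windows Server 2008 R2 using certreq. It makes the key-generation step explicit: certreq always creates a fresh key pair for a new request, using the same CSP and bit length the wizard offers, and the resulting CSR can be dumped to see the subject, the public key and the self-signature. The subject, file paths and store names below are placeholders and assumptions, not values from the original post.

```powershell
# Added example: generate a CSR with a brand-new 2048-bit RSA key pair via
# certreq, the command-line equivalent of the IIS wizard. The subject and
# file paths are placeholders; adjust them for your server.
# Single-quoted here-string so the $Windows NT$ signature is not expanded.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
; Identity information (wizard page 1)
Subject = "CN=www.example.com, O=Example Corp, L=Springfield, S=IL, C=US"
; Bit length (wizard page 2)
KeyLength = 2048
; AT_KEYEXCHANGE, needed for TLS key exchange
KeySpec = 1
; Allow the private key to be backed up / exported
Exportable = TRUE
; Store the key under the computer account, as IIS expects
MachineKeySet = TRUE
; Cryptographic service provider (wizard page 2)
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1
'@

New-Item -ItemType Directory -Path C:\temp -Force | Out-Null
Set-Content -Path C:\temp\request.inf -Value $inf -Encoding ASCII

# certreq -new generates a new key pair every time it is run; an INF file has
# no way to point it at an existing private key, which answers the question.
certreq -new C:\temp\request.inf C:\temp\request.csr

# Inspect the CSR: the subject, the public key and the self-signature
# (the "parts" described in the answer) are all shown in the dump.
certutil -dump C:\temp\request.csr

# The new private key is held in the LocalMachine "Certificate Enrollment
# Requests" store until the issued certificate is installed with
# "certreq -accept issued.cer"; each pending request lists its own key container.
certutil -store REQUEST
```

Run this in an elevated PowerShell prompt, since the key is created under the machine key set. If you submit a second request with the same subject, a second key container appears in the REQUEST store, which is a quick way to confirm that each CSR really did get its own private key.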