Creating custom certificate requests for Security Center - Security Center 5.9

Security Center Administrator Guide 5.9

Applies to
Security Center 5.9
Last updated
Content type
Guides > Administrator guides
Security Center

Custom certificate requests must be created with specific parameters in order to work with Security Center. All certificate requests must be made from the server where certificate is going to be applied.

What you should know

Creating custom certificate requests should be your last resort. There are many simpler alternatives for requesting a certificate for your server. For example, you could enroll a certificate from a certificate template of your company's Active Directory domain. For more information, see Request Certificates by Using the Certificate Request Wizard on the Microsoft Technet Library.


  1. On your main server, start Microsoft Management Console (mmc.exe) and add the Certificates snap-in.
    1. In the Console window, click File > Add/Remove Snap-in.
    2. In the Add or Remove Snap-ins dialog box that appears, click Certificates, then click Add >.
    3. In the Certificates snap-in dialog box, click Computer account > Next > Finish > OK.
  2. In the Console window, expand Certificates.
  3. Under Certificates (Local Computer), right-click Personal, and then click All Tasks > Advanced Operations > Create Custom Request.
  4. In the Certificate Enrollment dialog box, click Next > Proceed without enrollment policy > Next.
  5. In the Custom request page, select the options as shown below.
    IMPORTANT: For Template, select Legacy key. The default choice, CNG key, is not supported by .NET Framework 4.5, which is what Security Center uses.
  6. Click Next
  7. In the Certificate Information page, expand Details, and click Properties.
  8. In the Certificate Properties dialog box, click the Subject tab, and enter the value of Common name under the Subject name.
    IMPORTANT: The Common name must match the fully qualified domain name of the server. For example, if the hostname of your server is server1, and your domain is, then the fully qualified domain name for your server would be

  9. Click the Extensions tab, and set the following properties.
    Key Usage
    Add Digital signature and Key agreement.
    Extended Key Usage
    Add Server Authentication and Client Authentication.
  10. Click the Private Key tab, and set the following properties.
    Key Type
    Select Exchange. This must be set up first.
    Cryptographic Service Provider
    Select only Microsoft RSA SChannel Cryptographic Provider (Encryption). It is the last option in the list.
    Key Options
    The Key size should be at least 2048.
  11. Click Apply > OK > Next.
  12. Enter the File Name and click Finish.

After you finish

Send the request (.csr) to your IT department or the external certificate authority (CA) for processing. Once the certificate has been generated, import and apply it to your server.