How to Create a Certificate Request in Windows Server 2008 R2 for Use with Threat Management Gateway 2010

For a recent project I needed to create a certificate request for use with a new listener on Threat Management Gateway 2010. I wanted some specific criteria on the cert, so I really needed to use the Certificates Snap-In in Windows to create the necessary .req file. I had a little difficulty to get this to work right at first, but it turns out there are just a couple of tricks to getting this to work right.

First, open the Certificates snap-in for the local computer and navigate down to the Personal – Certificates certificate store. Right-click on it and go to All Tasks – Advanced Operations – Create Custom Request.

Click Next on the first information screen that comes up, and then verify that Proceed Without Enrollment Policy is highlighted on the following screen. Now Click Next.

Now, by default, the Template combo box has “(No Template) CNG Key” selected, but this won’t work for Threat Management Gateway, as it does not support CNG keys. So you need to change this to “(NO Template) Legacy Key” and click Next (the default selection of PKCS #10 is fine).

On the next screen, you need to click the down arrow next to details, which will expose the Properties button.

Click Properties and fill out the form with the following.

General Tab
Friendly Name – The friendly name is however you want to refer to the certificate, I usually use the full URL so I know exactly why I got this particular certificate, but you can use whatever you want.

Subject Tab
At a minimum you should use the same fields I have listed in Subject Name.

Alternative names are optional, but if you have other URLs the certificate should be valid for you would list them here. You need to verify that the type of certificate you intend to purchase from your certificate authority supports alternative names.

Extensions Tab
There are five subsections under this tab; Key Usage, Extended Key Usage, Basic Constraints, Include Symmetric Algorithm and Custom Extension Definition.

Under Key Usage, you would normally select Digital Signature and Key Encipherment. Your application may vary, but this is a typically what you would use to publish a web site.

For Extended Key Usage, you’ll select Server Authentication and Client Authentication.

The final three you’ll leave as the defaults. Again, you may need them in some specific applications, but this is for publishing a web site or other web service.

Private Key
There are four subsections under this tab; Cryptographic Service Provider, Key Options, Key Type, and Key Permissions.

Under Cryptographic Service Provider, you can really select any one, but I typically use Microsoft RSA SChannel Cryptographic Provider (Encryption).

Under Key Options, you will probably want to change the key size to 2048, which is the new minimum for most SSLs…. Any larger and you may have to pay more for your SSL certificate.

Personally, I generally select the option “Make Private Key Exportable” as this allows me to freely back up and move the key to other servers in the array.

The options under Key Type and Key Permissions can be left as the default. Again, under specific circumstances or for specific applications, you may need to set those options, but this is just for a published web site, nothing more.

Hit Apply and then OK, and that should take you back to this screen:

Click next, select where you want the .req file stored, and you’re all done. After you have submitted the request to your Certificate Authority and recived your signed certificate back, you can import it using the Certificates snap-in for Windows. At that point it will be available for assignment to a Lister in Threat Management Gateway.


2 Responses to “How to Create a Certificate Request in Windows Server 2008 R2 for Use with Threat Management Gateway 2010”

  1. And remember to put the key type as “Exchange”


  1. How to Enable Opportunistic TLS on an Exchange 2010 Edge Transport Server « Light Bulb Moments - October 26, 2011

    […] How to Create a Certificate Request in Windows Server 2008 R2 for Use with Threat Management Gateway… […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s